Windows Analysis Report
6f0slJzOrF.exe

Overview

General Information

Sample name: 6f0slJzOrF.exe (renamed because the original name is a hash value)
Original sample name: E0B31F24AA1B867B395D4F62F15DC51A.exe
Analysis ID: 1582215
MD5: e0b31f24aa1b867b395d4f62f15dc51a
SHA1: f3c915a4d1ef71e74978e8f14c809e2d2012e8ad
SHA256: 090e553ac4ce1567dddc7548139b14c7645bf1dae7ec608730d6894a783c0b89
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 6f0slJzOrF.exe (PID: 4588 cmdline: "C:\Users\user\Desktop\6f0slJzOrF.exe" MD5: E0B31F24AA1B867B395D4F62F15DC51A)
    • cmd.exe (PID: 6952 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Update.exe (PID: 6544 cmdline: C:\Users\Public\Bilite\Axialis\Update.exe MD5: FB325C945A08D06FE91681179BDCCC66)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\Update.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\Update.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\Update.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6952, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\Update.exe, ProcessId: 6544, ProcessName: Update.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\Public\Bilite\Axialis\Update.dllReversingLabs: Detection: 78%
Source: C:\Users\Public\Bilite\Axialis\Update.dllVirustotal: Detection: 63%Perma Link
Source: 6f0slJzOrF.exeReversingLabs: Detection: 56%
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1C5DCB CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C1C5DCB
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1C56FA CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C1C56FA
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1C556C CryptStringToBinaryA,CryptStringToBinaryA,___std_exception_copy,3_2_6C1C556C
Source: 6f0slJzOrF.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: \YSS\Release\Update.pdb source: 6f0slJzOrF.exe, 00000000.00000003.1765406621.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp, Update.dll.0.dr
Source: Binary string: \YSS\Release\Update.pdb0 source: 6f0slJzOrF.exe, 00000000.00000003.1765406621.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp, Update.dll.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb. source: winrar-x64-700scp.exe.0.dr
Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb source: 6f0slJzOrF.exe, 00000000.00000003.1765406621.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1777653348.0000000000E22000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source: Binary string: E:\agent\workspace\p-e3cf6c00cb1d4f41832c02872427999a\src\Ufo4WinMac\GamerUFO\ufo4Desktop\Output\bin\Release\UpdateApp.pdb((& source: 6f0slJzOrF.exe, 00000000.00000003.1765406621.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000003.00000000.1777653348.0000000000E22000.00000002.00000001.01000000.00000005.sdmp, Update.exe, 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp, Update.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb source: winrar-x64-700scp.exe.0.dr
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C33813B FindFirstFileExW,3_2_6C33813B
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C3381EC FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,3_2_6C3381EC
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C2216B5 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,3_2_6C2216B5
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Update.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Update.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: winrar-x64-700scp.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://ocsp.digicert.com0
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
Source: winrar-x64-700scp.exe.0.dr, Update.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C22A73B GetKeyboardState,GetKeyboardLayout,MapVirtualKeyW,ToUnicodeEx,3_2_6C22A73B
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1E64A2 GetKeyState,GetKeyState,GetKeyState,SendMessageW,3_2_6C1E64A2
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1FD8C7 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,3_2_6C1FD8C7
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1C5DCB CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C1C5DCB
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_00404FAA0_2_00404FAA
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_0041206B0_2_0041206B
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_0041022D0_2_0041022D
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_00411F910_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1D5C943_2_6C1D5C94
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1C5DCB3_2_6C1C5DCB
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1C56FA3_2_6C1C56FA
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1D51033_2_6C1D5103
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1E6EE33_2_6C1E6EE3
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1CCFBE3_2_6C1CCFBE
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C20E9D73_2_6C20E9D7
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C3206AB3_2_6C3206AB
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1CC6CC3_2_6C1CC6CC
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1CE6EC3_2_6C1CE6EC
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1F67953_2_6C1F6795
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1F23133_2_6C1F2313
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1CBFAC3_2_6C1CBFAC
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C31BFF03_2_6C31BFF0
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1DD9D23_2_6C1DD9D2
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C329A963_2_6C329A96
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C323BF43_2_6C323BF4
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C20B6BB3_2_6C20B6BB
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1E17013_2_6C1E1701
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C33F7F23_2_6C33F7F2
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1C31923_2_6C1C3192
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C20518D3_2_6C20518D
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C3232703_2_6C323270
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1D32423_2_6C1D3242
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1D52E63_2_6C1D52E6
Source: Joe Sandbox ViewDropped File: C:\Users\Public\Bilite\Axialis\Update.exe 0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: String function: 6C1D9700 appears 63 times
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: String function: 6C1F6BF0 appears 67 times
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: String function: 6C1F8B2F appears 44 times
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: String function: 6C1F89DB appears 183 times
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: String function: 6C1F8A44 appears 45 times
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: String function: 6C1D80BA appears 31 times
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: String function: 0040243B appears 37 times
Source: 6f0slJzOrF.exeStatic PE information: invalid certificate
Source: 6f0slJzOrF.exe, 00000000.00000000.1665723164.0000000000432000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000000.1665723164.0000000000432000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename7zSfxNew.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000003.1765406621.0000000002AB3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamensdksetupJ vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000003.1765406621.0000000002AB3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUpdate.exe vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000003.1666483004.000000000241D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exe, 00000000.00000003.1666483004.000000000241D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename7zSfxNew.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exeBinary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exeBinary or memory string: OriginalFilename7zSfxNew.exe< vs 6f0slJzOrF.exe
Source: 6f0slJzOrF.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: mal60.winEXE@6/6@0/0
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_00407776
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,0_2_0040118A
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1D5103 CreateToolhelp32Snapshot,Process32FirstW,WideCharToMultiByte,_strlen,Process32NextW,CloseHandle,CloseHandle,SHGetFolderPathA,_strlen,DeleteFileA,3_2_6C1D5103
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_004034C1
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,0_2_00401BDF
Source: C:\Users\user\Desktop\6f0slJzOrF.exeFile created: C:\Users\Public\BiliteJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: 6f0slJzOrF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6f0slJzOrF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: 6f0slJzOrF.exeReversingLabs: Detection: 56%
Source: C:\Users\user\Desktop\6f0slJzOrF.exeFile read: C:\Users\user\Desktop\6f0slJzOrF.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\6f0slJzOrF.exe "C:\Users\user\Desktop\6f0slJzOrF.exe"
Source: C:\Users\user\Desktop\6f0slJzOrF.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exe
Source: C:\Users\user\Desktop\6f0slJzOrF.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exeJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: update.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32Jump to behavior
Source: winrar-x64-700scp.exe.lnk.3.drLNK file: ..\..\Public\Bilite\winrar-x64-700scp.exe
Source: 6f0slJzOrF.exeStatic file information: File size 73598737 > 1048576
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: Update.dll.0.drStatic PE information: section name: .00cfg
Source: winrar-x64-700scp.exe.0.drStatic PE information: section name: .didat
Source: winrar-x64-700scp.exe.0.drStatic PE information: section name: _RDATA
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1F8AB3 push ecx; ret 3_2_6C1F8AC6
Source: C:\Users\user\Desktop\6f0slJzOrF.exeFile created: C:\Users\Public\Bilite\Axialis\Update.dllJump to dropped file
Source: C:\Users\user\Desktop\6f0slJzOrF.exeFile created: C:\Users\Public\Bilite\winrar-x64-700scp.exeJump to dropped file
Source: C:\Users\user\Desktop\6f0slJzOrF.exeFile created: C:\Users\Public\Bilite\Axialis\Update.exeJump to dropped file
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1FC42D GetParent,IsIconic,GetParent,__EH_prolog3,3_2_6C1FC42D
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1EC528 IsWindowVisible,IsIconic,3_2_6C1EC528
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1E0523 IsIconic,IsWindowVisible,3_2_6C1E0523
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1E7BB2 IsIconic,3_2_6C1E7BB2
Source: C:\Users\user\Desktop\6f0slJzOrF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeDropped PE file which has not been started: C:\Users\Public\Bilite\winrar-x64-700scp.exeJump to dropped file
Source: C:\Users\Public\Bilite\Axialis\Update.exeAPI coverage: 5.0 %
Source: C:\Users\Public\Bilite\Axialis\Update.exe TID: 1068Thread sleep time: -73000s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\Public\Bilite\Axialis\Update.exeThread delayed: delay time: 73000Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_00E215D0 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00E215D0
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1DA257 OutputDebugStringA,GetLastError,3_2_6C1DA257
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1C1145 GetProcessHeap,3_2_6C1C1145
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_00E21764 SetUnhandledExceptionFilter,3_2_00E21764
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_00E21A8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00E21A8F
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C32AEDD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6C32AEDD
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C1F6AD6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6C1F6AD6
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: 3_2_6C251B96 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6C251B96
Source: C:\Users\user\Desktop\6f0slJzOrF.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\Update.exe C:\Users\Public\Bilite\Axialis\Update.exeJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: EnumSystemLocalesW,3_2_6C334C0B
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: EnumSystemLocalesW,3_2_6C33EDC4
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: GetLocaleInfoW,3_2_6C33EE23
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: EnumSystemLocalesW,3_2_6C33EEF8
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: GetLocaleInfoW,3_2_6C33EF43
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6C33EFEA
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_6C33E885
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: EnumSystemLocalesW,3_2_6C33EAD6
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_6C33EB71
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: GetLocaleInfoW,3_2_6C3345EC
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,3_2_6C1FF4A1
Source: C:\Users\Public\Bilite\Axialis\Update.exeCode function: GetLocaleInfoW,3_2_6C33F0F0
Source: C:\Users\Public\Bilite\Axialis\Update.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401626
Source: C:\Users\user\Desktop\6f0slJzOrF.exeCode function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00404FAA
Source: C:\Users\Public\Bilite\Axialis\Update.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (a leading number is the report's count of matched signatures for that technique):
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 21 Input Capture | 1 System Time Discovery | Remote Services | 21 Input Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 13 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 35 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1582215 | Sample: 6f0slJzOrF.exe | Startdate: 30/12/2024 | Architecture: WINDOWS | Score: 60
Graph signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Sigma detected: Execution from Suspicious Folder
Process tree recovered from the behavior graph (the rendered graph itself is not reproduced in text):
  • 6f0slJzOrF.exe started
    • dropped C:\Users\Public\...\winrar-x64-700scp.exe (PE32+)
    • dropped C:\Users\Public\Bilite\Axialis\Update.exe (PE32)
    • dropped C:\Users\Public\Bilite\Axialis\Update.dll (PE32)
    • cmd.exe started
      • Update.exe started
      • conhost.exe started

Source | Detection | Scanner | Label
6f0slJzOrF.exe | 57% | ReversingLabs | Win32.Trojan.Generic
Source | Detection | Scanner | Label
C:\Users\Public\Bilite\Axialis\Update.dll | 78% | ReversingLabs | Win32.Trojan.Generic
C:\Users\Public\Bilite\Axialis\Update.dll | 64% | Virustotal |
C:\Users\Public\Bilite\Axialis\Update.exe | 0% | ReversingLabs |
C:\Users\Public\Bilite\Axialis\Update.exe | 0% | Virustotal |
C:\Users\Public\Bilite\winrar-x64-700scp.exe | 0% | ReversingLabs |
C:\Users\Public\Bilite\winrar-x64-700scp.exe | 0% | Virustotal |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1582215
Start date and time:2024-12-30 03:36:17 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 11s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:6f0slJzOrF.exe
renamed because original name is a hash value
Original Sample Name:E0B31F24AA1B867B395D4F62F15DC51A.exe
Detection:MAL
Classification:mal60.winEXE@6/6@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 79
  • Number of non-executed functions: 336
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 4.175.87.197, 52.149.20.212, 13.107.246.45
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:37:18 | API Interceptor | 1x Sleep call for process: Update.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\Public\Bilite\Axialis\Update.exe | zPJUOck9wt.exe | malicious | GhostRat
C:\Users\Public\Bilite\Axialis\Update.exe | zPJUOck9wt.exe | malicious | Unknown
C:\Users\Public\Bilite\Axialis\Update.exe | MEuu1a2o6n.exe | malicious | GhostRat
C:\Users\Public\Bilite\Axialis\Update.exe | MEuu1a2o6n.exe | malicious | Unknown
          Process:C:\Users\user\Desktop\6f0slJzOrF.exe
          File Type:openssl enc'd data with salted password, base64 encoded
          Category:dropped
          Size (bytes):56
          Entropy (8bit):5.074862957617357
          Encrypted:false
          SSDEEP:3:iqkCdV1YgPPfShdDHqY:ilVgPPfSrDHj
          MD5:6E39ED9B20EC66F4A15F676643E817B7
          SHA1:00BB683B434109DB7F92D5EC0A8C1624B8DDD76A
          SHA-256:8B51398F2ECF48BE517D1C4D35A5A423E506EBD98A04666DDA316FA73EFD708F
          SHA-512:418E6D9EEBB9B5A01FD0DDCCD6A899DACACE55332157DE46F1835AB590CE9F6CC70A877CFA40236648925218FCDFB7A6C8E240A9772687F7B5D90A53BCD6D196
          Malicious:false
          Reputation:low
          Preview:U2FsdGVkX1/SU80PltnAuPjjzlWfLAoH0tdbM+zlnff/LmxqUYBY5A==
          Process:C:\Users\user\Desktop\6f0slJzOrF.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):2180096
          Entropy (8bit):6.630734298081442
          Encrypted:false
          SSDEEP:49152:5s5wTerN66bKTfixsRJHmYOmsMUEQ8keZ4E/Q46H+be9BMH8kCU:u5wTep66bKTasRRVOtZ58keZ4ET6H+bB
          MD5:D4B2DBE4B2D1D05553F6A479AC91CC0B
          SHA1:2FF3DF81CD215C338EFA57FE7C9E84F7FD74BD81
          SHA-256:A3EF22F2D5F70B6ACE17DCD6B06F297E9D1B5D83708A14B457A47AA8322CF6AC
          SHA-512:54B58F2F102BAECD557725D710059E46947188292C9BFD380BDADD735A79BEDA44533C48C238A9F3A5304C5AA5DB5321330EE66A729A0584D42EE895A1F68B9E
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 78%
          • Antivirus: Virustotal, Detection: 64%
          Reputation:low
          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....kg...........!.........&................................................!...........@.........................XC..O....C..h....P...G.......................-...1...............................................N...............................text............................... ..`.rdata...M...0...N..................@..@.data...8........^...l..............@....00cfg.......0......................@..@.tls.........@......................@....rsrc....G...P...H..................@..@.reloc...-..........................@..B................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Users\user\Desktop\6f0slJzOrF.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):395368
          Entropy (8bit):5.090673225697451
          Encrypted:false
          SSDEEP:6144:I0acLF3rgypB1Grf/TRfiJ7BePaEvLJggZy:Y/TRfi3ePtJRg
          MD5:FB325C945A08D06FE91681179BDCCC66
          SHA1:F5D91B7D75D34E156066AB4099E0FD0DF9227B32
          SHA-256:0C2CC4513EC9101A28A7988C72A46175EFD82F387BB3BCFB2612E808804282B5
          SHA-512:2BB588EBE2FA35D03652AEC4E5D51DABD3A24E996336A4D5EC9C762D6084862D5CD5F530F1DA0B98D2887BA88F4E077697D128071FF497D2967F9F42ADC2F533
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Joe Sandbox View:
          • Filename: zPJUOck9wt.exe, Detection: malicious
          • Filename: zPJUOck9wt.exe, Detection: malicious
          • Filename: MEuu1a2o6n.exe, Detection: malicious
          • Filename: MEuu1a2o6n.exe, Detection: malicious
          Reputation:low
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[...[...[...#l..[.......[.......[.......[.......[..b....[..e....[...0...[...[...[..e....[..e....[...[h..[..e....[..Rich.[..........................PE..L...X..e............................\........ ....@..................................8....@.................................D(.......@..................h(...........!..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
          Process:C:\Users\user\Desktop\6f0slJzOrF.exe
          File Type:data
          Category:dropped
          Size (bytes):67743960
          Entropy (8bit):7.999995177123799
          Encrypted:true
          SSDEEP:1572864:m9dsnu4FYxGsrFKHPbGmHb6xX5JsSiD7LX:m9qnSePbfx7r
          MD5:095764E4AD28A2BBDEAA8165DDB32305
          SHA1:BAC7FE65D7A4D6D114778E45B9099735C041C9B4
          SHA-256:E9EEE49B8663B52ED03FE9344DE5225742D36C5FDEA82671C0887F221DD98C17
          SHA-512:7CEB023DBB39325896EC20920BE05C09C9A10B5B4499F9189E0056C320A5EC98BA1B1E42CA68E8C15EE303C3A94A46CB5A237BB52B84B215A018A396825F97CB
          Malicious:false
          Reputation:low
          Preview:..>..9..x...@....)..b.;.G.....k...L$Q....{C[..........*}......2.'.....d,........5..=1@.`o.R.4..E..N].ZG.;.W...G.._.Q<...7........p.>Nd.........>....y..........x..J.t.@K.W....=.7.@..u2=o..........y.'...Y..K.W.k.@}...Z.:.|........:...g.k.......#m.q.mU.'.d..!.......i?.....q..ZZ.<..p.q.......;..C..k.|F!L..........U|x.u...?....@yyL.%AG`.\.r.=.............MB.Fy"~..2s.h......a..,..0...Mo...H.yM&(I.Aq.:.3sH:.oC..i......S..._.^]...w.r...:..L......q.....1..h.....M....\....Q..V...2...~.w.D8UzQ.p.$.1l...'v.3..E........:.v...%MCp.c.W.B...=.NUW..Dl.Mg.,.......<..].....4%r..%.....l...T...z..4...f.e...#.6..-..+.o...M.].7...uP7..K.f......t1..f.......cH}/%1.~v&2*..8..(.F...A.2...D....VM.m.ZF.R....;z.pF@...,..[H..PU..I...BT...w......Y..N.m.f.l'....\.....l5.....ZwY.^c6 L..J~5...6K.!\....CL..r>..L....&.~.r..r$.C.%E..!.W...E#.".....}...4<;6^@........+..........~O..=..*...{m.t.WG..8J...m...X...........+;.P.....Ds..m.X......F.f.u.`t..<.smB.
          Process:C:\Users\user\Desktop\6f0slJzOrF.exe
          File Type:PE32+ executable (GUI) x86-64, for MS Windows
          Category:dropped
          Size (bytes):4106352
          Entropy (8bit):7.958994203647152
          Encrypted:false
          SSDEEP:98304:2WaVOBfKP4QT41wUbqTA0AxVSYIuU+LzmTOYOM2IJ7lETr3dwBkR173n:Xa7gQ1Oqk0AxVSN4zwl2IdlUNbRp
          MD5:213C4AD2CCE43FE07E748FA50D91BDAC
          SHA1:3FBE73E57594FDBCEA8A2C2631DE1F4789DC5293
          SHA-256:902098CA985B2E6703CFC53BDB0A41D01AB461130668694742B1BB8F1D149C36
          SHA-512:189B13030662CF3B58254519EE267CF832B98EC828BCB269D69DB32597583455EF2E6DDD9F87877CCF292D77E14D5C64720217E99992CCC3F53BAF98420A5051
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          • Antivirus: Virustotal, Detection: 0%
          Reputation:low
          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.............u...u...u...v...u...p.P.u.J.....u.J.q...u.J.v...u.J.p...u...q...u...s...u...t...u...t...u.D.|...u.D.u...u.D.....u.D.w...u.Rich..u.........................PE..d....S.e.........."....!."..........`..........@.............................0........?...`.........................................PO..4....O..P.......dZ...`...?....>..(... ..D...@...T.......................(....M..@............@......,A.......................text...N!.......".................. ..`.rdata... ...@..."...&..............@..@.data........p.......H..............@....pdata...?...`...@...Z..............@..@.didat..8...........................@..._RDATA..\...........................@..@.rsrc....`.......\..................@..@.reloc..D.... ......................@..B................................................................................................................................
          Process:C:\Users\Public\Bilite\Axialis\Update.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 30 01:37:16 2024, mtime=Mon Dec 30 01:37:17 2024, atime=Thu Nov 21 08:19:09 2024, length=4106352, window=hide
          Category:dropped
          Size (bytes):1086
          Entropy (8bit):4.722715860461419
          Encrypted:false
          SSDEEP:12:82DIvlUlGI+WCICHqXoAXeACmqVzkfl5VN5lFEpOjAT5vz/G6EWavCXY44t2YZ/P:830GXWDWuE4AT5EjvCXHqyFm
          MD5:C2EECA27B93AA8EEE32A0EE537DB9171
          SHA1:DA4599F9152A7AB1B676BBA9DC57C4487ADD9C17
          SHA-256:3BB8C5E7557A7E7FD88DCDF85F510DCC5359181D24C272C67E3FAC4235F2FDC5
          SHA-512:88933A174DED4CAB19937D4C98F234C8689FDA6E503C1425C82FB877941949C069AF228567804612B2062388235AAD9564E14516BE71A70553E024116E6687BD
          Malicious:false
          Preview:L..................F.... ...1...cZ.....cZ..`,.k.;..p.>..........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.Y......................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......Y....Public..f......O.I.Y......+...............<......_a.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Y....Bilite..>......Y...Y...............................B.i.l.i.t.e.....x.2.p.>.uYeJ .WINRAR~1.EXE..\......Y...Y..............................Y.w.i.n.r.a.r.-.x.6.4.-.7.0.0.s.c.p...e.x.e.......[...............-.......Z............%2L.....C:\Users\Public\Bilite\winrar-x64-700scp.exe..).....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.w.i.n.r.a.r.-.x.6.4.-.7.0.0.s.c.p...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......760639...........hT..CrF.f4... .n.T..b...,.......hT..CrF.f4... .n.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.99988625048371
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:6f0slJzOrF.exe
          File size:73'598'737 bytes
          MD5:e0b31f24aa1b867b395d4f62f15dc51a
          SHA1:f3c915a4d1ef71e74978e8f14c809e2d2012e8ad
          SHA256:090e553ac4ce1567dddc7548139b14c7645bf1dae7ec608730d6894a783c0b89
          SHA512:adf922a11063cbf9a8c88e223bdc50c241b6b3aee13562a93fc0da700352ff9f7ca4aac4a1a8c167515d03f472b39d50d452e7e9b801eac1d40699a4596d6f0b
          SSDEEP:1572864:MK6Kz6KxLBN+7kTzc1hIrf0UpLE112AVK6Z6YYIuhi0l:1eOe7kTzg2pLEHV/ZyEg
          TLSH:6FF73343FB0E1DDDE396597A5CF483B411FFC6952AA9BE526AC344070ECA801964F0EE
          File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................@...............................................P........................b..).
          Icon Hash:01e0f2ccd4d4c400
          Entrypoint:0x411def
          Entrypoint Section:.text
          Digitally signed:true
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:
          Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:b5a014d7eeb4c2042897567e1288a095
          Signature Valid:false
          Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
          Signature Validation Error:The digital signature of the object did not verify
          Error Number:-2146869232
          Not Before, Not After
          • 18/07/2022 01:00:00 18/07/2024 00:59:59
          Subject Chain
          • CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
          Version:3
          Thumbprint MD5:8164525B12F9B6829CCD5054865F2D41
          Thumbprint SHA-1:583F01EE72450A9945FB1CFA539BAAB983D3F1D9
          Thumbprint SHA-256:2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
          Serial:7098774ED29B0565AB114EF2F2871CF7
          Instruction
          push ebp
          mov ebp, esp
          push FFFFFFFFh
          push 00414C50h
          push 00411F80h
          mov eax, dword ptr fs:[00000000h]
          push eax
          mov dword ptr fs:[00000000h], esp
          sub esp, 68h
          push ebx
          push esi
          push edi
          mov dword ptr [ebp-18h], esp
          xor ebx, ebx
          mov dword ptr [ebp-04h], ebx
          push 00000002h
          call dword ptr [00413184h]
          pop ecx
          or dword ptr [00419924h], FFFFFFFFh
          or dword ptr [00419928h], FFFFFFFFh
          call dword ptr [00413188h]
          mov ecx, dword ptr [0041791Ch]
          mov dword ptr [eax], ecx
          call dword ptr [0041318Ch]
          mov ecx, dword ptr [00417918h]
          mov dword ptr [eax], ecx
          mov eax, dword ptr [00413190h]
          mov eax, dword ptr [eax]
          mov dword ptr [00419920h], eax
          call 00007FF3212F3602h
          cmp dword ptr [00417710h], ebx
          jne 00007FF3212F34EEh
          push 00411F78h
          call dword ptr [00413194h]
          pop ecx
          call 00007FF3212F35D4h
          push 00417048h
          push 00417044h
          call 00007FF3212F35BFh
          mov eax, dword ptr [00417914h]
          mov dword ptr [ebp-6Ch], eax
          lea eax, dword ptr [ebp-6Ch]
          push eax
          push dword ptr [00417910h]
          lea eax, dword ptr [ebp-64h]
          push eax
          lea eax, dword ptr [ebp-70h]
          push eax
          lea eax, dword ptr [ebp-60h]
          push eax
          call dword ptr [0041319Ch]
          push 00417040h
          push 00417000h
          call 00007FF3212F358Ch
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x190d7 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x462ddf9 | 0x2918 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0x1a000 | 0x190d7 | 0x19200 | aedf42f084dabb70902985d8cb8d4f42 | False | 0.14223802860696516 | data | 4.481844282645869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0x1a208 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.42819148936170215
          RT_ICON | 0x1a670 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.2767354596622889
          RT_ICON | 0x1b718 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia | 0.2513485477178423
          RT_ICON | 0x1dcc0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Russian | Russia | 0.17170524326877656
          RT_ICON | 0x21ee8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | Russian | Russia | 0.09922512717378446
          RT_GROUP_ICON | 0x32710 | 0x4c | data | Russian | Russia | 0.7763157894736842
          RT_VERSION | 0x3275c | 0x350 | data | English | United States | 0.47523584905660377
          RT_VERSION | 0x32aac | 0x3b0 | data | Chinese | China | 0.4523305084745763
          RT_MANIFEST | 0x32e5c | 0x27b | ASCII text, with very long lines (635), with no line terminators | English | United States | 0.5118110236220472
          DLL | Import
          COMCTL32.dll | (no named imports listed)
          KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
          USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
          GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
          SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
          ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
          OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
          MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
          Language of compilation system | Country where language is spoken
          Russian | Russia
          English | United States
          Chinese | China
          No network behavior found

          Target ID:0
          Start time:21:37:07
          Start date:29/12/2024
          Path:C:\Users\user\Desktop\6f0slJzOrF.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\6f0slJzOrF.exe"
          Imagebase:0x400000
          File size:73'598'737 bytes
          MD5 hash:E0B31F24AA1B867B395D4F62F15DC51A
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:21:37:17
          Start date:29/12/2024
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\Update.exe
          Imagebase:0x240000
          File size:236'544 bytes
          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:2
          Start time:21:37:18
          Start date:29/12/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:3
          Start time:21:37:18
          Start date:29/12/2024
          Path:C:\Users\Public\Bilite\Axialis\Update.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\Public\Bilite\Axialis\Update.exe
          Imagebase:0xe20000
          File size:395'368 bytes
          MD5 hash:FB325C945A08D06FE91681179BDCCC66
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Antivirus matches:
          • Detection: 0%, ReversingLabs
          • Detection: 0%, Virustotal
          Reputation:low
          Has exited:true


            Execution Graph

            Execution Coverage:18%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:26.8%
            Total number of Nodes:1423
            Total number of Limit Nodes:15
            execution_graph: node and edge dump of the rendered execution graph (function addresses 0x401xxx to 0x410xxx of 6f0slJzOrF.exe and the API calls reached from them, among them VirtualAlloc, VirtualFree, CreateFileW, CloseHandle, CreateDirectoryW, GetFileAttributesW, FindFirstFileW, FindClose, CompareFileTime, GetLocalTime, GetSystemTimeAsFileTime, SystemTimeToFileTime, GetDiskFreeSpaceExW, SendMessageW, GetLastError, SetLastError, lstrlenW, memcpy, free, _EH_prolog, _CxxThrowException, VariantClear, SysAllocString); the graph itself is not reproduced in text.
8553->8468 8554->8550 8554->8553 8556 401f9d 19 API calls 8555->8556 8557 40778a wvsprintfW 8556->8557 8558 407859 8557->8558 8559 4077ab GetLastError FormatMessageW 8557->8559 8562 4076a8 25 API calls 8558->8562 8560 4077d9 FormatMessageW 8559->8560 8561 4077ee lstrlenW lstrlenW ??2@YAPAXI lstrcpyW lstrcpyW 8559->8561 8560->8558 8560->8561 8566 4076a8 8561->8566 8564 407865 8562->8564 8564->8483 8567 407715 ??3@YAXPAX LocalFree 8566->8567 8568 4076b7 8566->8568 8567->8564 8569 40661a 2 API calls 8568->8569 8570 4076c6 IsWindow 8569->8570 8571 4076ef 8570->8571 8572 4076dd IsBadReadPtr 8570->8572 8573 4073d1 21 API calls 8571->8573 8572->8571 8573->8567 8580 402c86 8574->8580 8576 402ff6 8577 403017 8576->8577 8578 402ffb GetLastError 8576->8578 8577->8493 8579 403006 8578->8579 8579->8493 8581 402c93 GetFileAttributesW 8580->8581 8582 402c8f 8580->8582 8583 402ca4 8581->8583 8584 402ca9 8581->8584 8582->8576 8583->8576 8585 402cc7 8584->8585 8586 402cad SetFileAttributesW 8584->8586 8591 402b79 8585->8591 8588 402cc3 8586->8588 8589 402cba DeleteFileW 8586->8589 8588->8576 8589->8576 8592 4024fc 2 API calls 8591->8592 8593 402b90 8592->8593 8594 40254d 2 API calls 8593->8594 8595 402b9d FindFirstFileW 8594->8595 8596 402c55 SetFileAttributesW 8595->8596 8609 402bbf 8595->8609 8598 402c60 RemoveDirectoryW 8596->8598 8599 402c78 ??3@YAXPAX 8596->8599 8597 401329 2 API calls 8597->8609 8598->8599 8600 402c6d ??3@YAXPAX 8598->8600 8601 402c80 8599->8601 8600->8601 8601->8576 8603 40254d 2 API calls 8603->8609 8604 402c24 SetFileAttributesW 8604->8599 8606 402c2d DeleteFileW 8604->8606 8605 402bef lstrcmpW 8607 402c05 lstrcmpW 8605->8607 8608 402c38 FindNextFileW 8605->8608 8606->8609 8607->8608 8607->8609 8608->8609 8610 402c4e FindClose 8608->8610 8609->8597 8609->8599 8609->8603 8609->8604 8609->8605 8609->8608 8611 402b79 2 API calls 8609->8611 8612 401429 8609->8612 8610->8596 8611->8609 8613 401398 2 API calls 8612->8613 8614 401433 8613->8614 8614->8609 8616 
40db1f 2 API calls 8615->8616 8617 401857 8616->8617 8617->8401 8617->8402 8619 40af0c 8618->8619 8634 408ebd 8618->8634 8619->8634 8711 40ac7a 8619->8711 8621 40af3f 8622 40ac7a 7 API calls 8621->8622 8623 40b0cb 8621->8623 8627 40af96 8622->8627 8625 40e959 ctype 4 API calls 8623->8625 8624 40afbd 8718 40e959 8624->8718 8625->8634 8627->8623 8627->8624 8628 40b043 8631 40e959 ctype 4 API calls 8628->8631 8629 408761 _CxxThrowException ??2@YAPAXI memcpy ??3@YAXPAX 8630 40afc6 8629->8630 8630->8628 8630->8629 8632 40b07f 8631->8632 8633 40e959 ctype 4 API calls 8632->8633 8633->8634 8634->8298 8635 4065ea InitializeCriticalSection 8634->8635 8635->8310 8730 4086f0 8636->8730 8682 40cdc7 8681->8682 8683 408761 4 API calls 8682->8683 8684 40cdde 8683->8684 8684->8310 8712 40e8da ctype 3 API calls 8711->8712 8713 40ac86 8712->8713 8722 40e811 8713->8722 8715 40aca2 8715->8621 8716 409403 4 API calls 8717 40ac90 8716->8717 8717->8715 8717->8716 8719 40e93b 8718->8719 8720 40e8da ctype 3 API calls 8719->8720 8721 40e943 ??3@YAXPAX 8720->8721 8721->8630 8723 40e8a5 8722->8723 8724 40e824 8722->8724 8723->8717 8725 40e833 _CxxThrowException 8724->8725 8726 40e863 ??2@YAPAXI 8724->8726 8727 40e895 ??3@YAXPAX 8724->8727 8725->8724 8726->8724 8728 40e879 memcpy 8726->8728 8727->8723 8728->8727 8731 40e8da ctype 3 API calls 8730->8731 8732 4086f8 8731->8732 8733 40e8da ctype 3 API calls 8732->8733 8734 408700 8733->8734 8735 40e8da ctype 3 API calls 8734->8735 8736 408708 8735->8736 9102 40dace 9105 40daac 9102->9105 9108 40da8f 9105->9108 9109 40da56 2 API calls 9108->9109 9110 40daa9 9109->9110 9092 40dadc ReadFile 9111 411def __set_app_type __p__fmode __p__commode 9112 411e5e 9111->9112 9113 411e72 9112->9113 9114 411e66 __setusermatherr 9112->9114 9123 411f66 _controlfp 9113->9123 9114->9113 9116 411e77 _initterm __getmainargs _initterm 9117 411ecb GetStartupInfoA 9116->9117 9119 411eff GetModuleHandleA 9117->9119 9124 4064af _EH_prolog 9119->9124 9123->9116 9127 404faa 
9124->9127 9432 401b37 GetModuleHandleW CreateWindowExW 9127->9432 9130 404fdc 9131 40648e MessageBoxA 9130->9131 9133 404ff6 9130->9133 9132 4064a5 exit _XcptFilter 9131->9132 9134 401411 2 API calls 9133->9134 9135 40502d 9134->9135 9136 401411 2 API calls 9135->9136 9137 405035 9136->9137 9435 403e23 9137->9435 9142 40254d 2 API calls 9143 405073 9142->9143 9444 402a69 9143->9444 9145 40507c 9458 403d71 9145->9458 9149 40509b _wtol 9151 4050b1 9149->9151 9150 4050d6 9152 403d71 6 API calls 9150->9152 9463 404405 9151->9463 9153 4050e1 9152->9153 9154 4050e7 9153->9154 9155 405118 9153->9155 9620 404996 9154->9620 9156 405130 GetModuleFileNameW 9155->9156 9158 40112b 2 API calls 9155->9158 9159 405151 9156->9159 9160 405142 9156->9160 9158->9156 9165 403d71 6 API calls 9159->9165 9161 407776 55 API calls 9160->9161 9170 4050ec 9161->9170 9162 4050ee ??3@YAXPAX 9638 403e70 9162->9638 9164 4050ff ??3@YAXPAX ??3@YAXPAX 9164->9132 9178 405173 9165->9178 9166 4052d5 9167 401362 2 API calls 9166->9167 9168 4052e5 9167->9168 9169 401362 2 API calls 9168->9169 9173 4052f2 9169->9173 9170->9162 9171 4051fa 9171->9170 9172 40522a 9171->9172 9175 405213 _wtol 9171->9175 9176 403d71 6 API calls 9172->9176 9174 40538d ??2@YAPAXI 9173->9174 9177 401329 2 API calls 9173->9177 9184 405399 9174->9184 9175->9172 9182 405289 9176->9182 9179 405327 9177->9179 9178->9166 9178->9170 9178->9171 9178->9172 9181 401429 2 API calls 9178->9181 9180 401329 2 API calls 9179->9180 9186 40533d 9180->9186 9181->9178 9182->9166 9183 404594 2 API calls 9182->9183 9185 4052ba 9183->9185 9187 4053cf 9184->9187 9191 407776 55 API calls 9184->9191 9185->9166 9189 401362 2 API calls 9185->9189 9190 401362 2 API calls 9186->9190 9488 4025ae 9187->9488 9189->9166 9193 405367 9190->9193 9191->9187 9195 401f9d 19 API calls 9193->9195 9194 4025ae 2 API calls 9196 4053f6 9194->9196 9197 40536e 9195->9197 9198 4025ae 2 API calls 9196->9198 9199 40254d 2 API calls 9197->9199 9201 4053fe 9198->9201 9200 405377 
9199->9200 9200->9174 9491 404e3f 9201->9491 9206 40546f 9207 405534 9206->9207 9210 403d71 6 API calls 9206->9210 9209 40e8da ctype 3 API calls 9207->9209 9208 402844 10 API calls 9211 405441 9208->9211 9212 40553c 9209->9212 9213 405493 9210->9213 9211->9206 9214 407776 55 API calls 9211->9214 9215 405573 9212->9215 9669 403093 9212->9669 9213->9207 9224 40549d 9213->9224 9216 405450 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9214->9216 9218 405506 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9215->9218 9219 40557c 9215->9219 9216->9206 9218->9162 9218->9170 9222 405588 wsprintfW 9219->9222 9223 4055ed 9219->9223 9230 401411 2 API calls 9219->9230 9232 401329 ??2@YAPAXI ??3@YAXPAX 9219->9232 9234 401f9d 19 API calls 9219->9234 9703 402f6c ??2@YAPAXI 9219->9703 9709 402425 ??3@YAXPAX ??3@YAXPAX 9219->9709 9221 405556 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9225 4054f5 9221->9225 9226 401411 2 API calls 9222->9226 9519 404603 9223->9519 9224->9218 9643 404cbc 9224->9643 9225->9218 9226->9219 9229 4054cc 9229->9218 9231 407776 55 API calls 9229->9231 9230->9219 9233 4054da ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9231->9233 9232->9219 9233->9225 9234->9219 9235 40584a 9236 404603 26 API calls 9235->9236 9268 40586a 9236->9268 9240 405933 9581 404034 9240->9581 9241 4024fc 2 API calls 9241->9268 9245 4059d8 CoInitialize 9251 40243b lstrcmpW 9245->9251 9246 40595a 9249 40243b lstrcmpW 9246->9249 9247 405935 ??3@YAXPAX 9247->9240 9250 405969 9249->9250 9252 405979 9250->9252 9255 401f9d 19 API calls 9250->9255 9253 4059fe 9251->9253 9736 403b40 9252->9736 9256 405a12 9253->9256 9259 401329 2 API calls 9253->9259 9254 401411 ??2@YAPAXI ??3@YAXPAX 9254->9268 9255->9252 9587 403b59 9256->9587 9258 401362 2 API calls 9258->9268 9259->9256 9263 4073d1 21 API calls 9267 40599c ctype 9263->9267 9264 401329 2 API calls 9264->9268 9265 4055f6 9265->9235 9275 403b94 lstrlenW lstrlenW _wcsnicmp 9265->9275 9279 4057dd _wtol 9265->9279 9294 405878 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9265->9294 9710 40484d 9265->9710 9721 
40408b 9265->9721 9266 405a4d 9272 405a2b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9266->9272 9308 405a61 9266->9308 9756 4082e9 9266->9756 9273 4059a7 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9267->9273 9268->9240 9268->9241 9268->9247 9268->9254 9268->9258 9268->9264 9271 402f6c 7 API calls 9268->9271 9578 40243b 9268->9578 9735 402425 ??3@YAXPAX ??3@YAXPAX 9268->9735 9271->9268 9272->9266 9273->9170 9275->9265 9276 405910 ??3@YAXPAX 9276->9268 9277 401411 2 API calls 9277->9308 9279->9265 9280 405bd8 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9301 405bf3 9280->9301 9281 405a9f GetKeyState 9281->9308 9282 405c6c 9285 405ca2 9282->9285 9286 405c74 9282->9286 9283 401329 ??2@YAPAXI ??3@YAXPAX 9283->9308 9284 40243b lstrcmpW 9284->9308 9289 4012f7 2 API calls 9285->9289 9798 403f85 9286->9798 9292 405cb0 9289->9292 9295 403b59 15 API calls 9292->9295 9293 401362 2 API calls 9299 405c91 ??3@YAXPAX 9293->9299 9294->9170 9297 405cb9 9295->9297 9296 407776 55 API calls 9298 405c13 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9296->9298 9300 405cca ??3@YAXPAX 9297->9300 9304 401362 2 API calls 9297->9304 9298->9301 9305 405cd9 9299->9305 9300->9305 9301->9296 9302 405c4a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9301->9302 9302->9301 9303 405bcd ??3@YAXPAX 9303->9308 9304->9300 9306 405d24 9305->9306 9307 405d16 9305->9307 9811 40786b 9306->9811 9594 404a44 9307->9594 9308->9277 9308->9280 9308->9281 9308->9282 9308->9283 9308->9284 9308->9301 9308->9302 9308->9303 9311 401429 ??2@YAPAXI ??3@YAXPAX 9308->9311 9783 407613 9308->9783 9792 407674 9308->9792 9311->9308 9312 405d20 9313 405d65 9312->9313 9817 403e0d 9312->9817 9314 404034 21 API calls 9313->9314 9316 405d77 9314->9316 9318 406373 9316->9318 9319 401411 2 API calls 9316->9319 9321 4063f7 ctype 9318->9321 9324 40243b lstrcmpW 9318->9324 9320 405d95 9319->9320 9364 405da8 9320->9364 9821 40453e 9320->9821 9323 40643a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9321->9323 9329 40243b lstrcmpW 9321->9329 9325 406461 9323->9325 9326 406467 
??3@YAXPAX 9323->9326 9327 4063a4 9324->9327 9325->9326 9328 403e70 ctype 4 API calls 9326->9328 9327->9321 9848 403f48 9327->9848 9330 406478 ??3@YAXPAX ??3@YAXPAX 9328->9330 9332 406416 9329->9332 9330->9132 9331 401411 ??2@YAPAXI ??3@YAXPAX 9331->9364 9332->9323 9336 406423 9332->9336 9335 405dd8 9338 405de5 9335->9338 9339 4061fa ??3@YAXPAX ??3@YAXPAX 9335->9339 9341 4012f7 2 API calls 9336->9341 9337 4073d1 21 API calls 9342 4063e0 ??3@YAXPAX 9337->9342 9830 4043c6 9338->9830 9343 406312 9339->9343 9340 40243b lstrcmpW 9340->9364 9345 406432 9341->9345 9342->9321 9349 40636a ??3@YAXPAX 9343->9349 9350 404034 21 API calls 9343->9350 9853 404aff 9345->9853 9348 405e45 9352 401329 2 API calls 9348->9352 9349->9318 9354 406321 9350->9354 9355 405e4e 9352->9355 9353 4043c6 2 API calls 9356 405e0e 9353->9356 9838 4048ab 9354->9838 9360 403b7f 19 API calls 9355->9360 9361 401362 2 API calls 9356->9361 9358 40626b ??3@YAXPAX ??3@YAXPAX 9358->9343 9359 401329 2 API calls 9359->9364 9378 405e57 9360->9378 9362 405e1a ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9361->9362 9365 406211 9362->9365 9366 405e41 9362->9366 9363 40633a SetCurrentDirectoryW 9367 4048ab 4 API calls 9363->9367 9364->9331 9364->9335 9364->9340 9364->9348 9364->9358 9364->9359 9368 401429 2 API calls 9364->9368 9371 403e0d 16 API calls 9365->9371 9366->9348 9369 406362 9367->9369 9370 405ee5 ??3@YAXPAX ??3@YAXPAX 9368->9370 9372 403e0d 16 API calls 9369->9372 9370->9364 9373 406216 9371->9373 9372->9349 9374 407776 55 API calls 9373->9374 9375 40621f 7 API calls 9374->9375 9376 40625e 9375->9376 9376->9358 9377 403bce lstrlenW lstrlenW _wcsnicmp 9377->9378 9378->9377 9379 405f61 _wtol 9378->9379 9380 406025 9378->9380 9379->9378 9381 406080 9380->9381 9382 40602e 9380->9382 9383 401362 2 API calls 9381->9383 9384 406053 9382->9384 9385 406034 9382->9385 9386 40607e 9383->9386 9388 401329 2 API calls 9384->9388 9387 401329 2 API calls 9385->9387 9389 40254d 2 API calls 9386->9389 9390 40603f 9387->9390 
9391 406051 9388->9391 9392 406092 9389->9392 9393 40254d 2 API calls 9390->9393 9394 40243b lstrcmpW 9391->9394 9395 401411 2 API calls 9392->9395 9396 406048 9393->9396 9397 406068 9394->9397 9398 40609a 9395->9398 9399 40254d 2 API calls 9396->9399 9397->9392 9401 40254d 2 API calls 9397->9401 9400 401411 2 API calls 9398->9400 9399->9391 9402 4060a2 memset 9400->9402 9401->9386 9403 4060e1 9402->9403 9404 404594 2 API calls 9403->9404 9405 4060fe 9404->9405 9406 401329 2 API calls 9405->9406 9407 406109 9406->9407 9408 403b7f 19 API calls 9407->9408 9409 406112 9408->9409 9410 4061b1 9409->9410 9614 4021ed 9409->9614 9412 4062ee ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9412 9414 4061c5 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9414 9412->9343 9414->9339 9415 406150 9417 403b7f 19 API calls 9415->9417 9416 401429 2 API calls 9418 406147 9416->9418 9419 406168 ShellExecuteExW 9417->9419 9420 40254d 2 API calls 9418->9420 9422 406282 9419->9422 9423 40618c 9419->9423 9420->9415 9426 407776 55 API calls 9422->9426 9424 4061a0 CloseHandle 9423->9424 9425 406192 WaitForSingleObject 9423->9425 9835 402185 9424->9835 9425->9424 9428 40628c 9426->9428 9429 403e0d 16 API calls 9428->9429 9430 406291 9 API calls 9429->9430 9431 4062e1 9430->9431 9431->9412 9433 401b6c SetTimer GetMessageW DispatchMessageW KillTimer KiUserCallbackDispatcher 9432->9433 9434 401b9f GetVersionExW 9432->9434 9433->9434 9434->9130 9434->9131 9436 40112b 2 API calls 9435->9436 9437 403e38 GetCommandLineW 9436->9437 9438 404594 9437->9438 9439 4045ce 9438->9439 9441 4045a2 9438->9441 9440 4045c6 9439->9440 9443 401429 2 API calls 9439->9443 9440->9142 9441->9440 9442 401429 2 API calls 9441->9442 9442->9441 9443->9439 9445 401411 2 API calls 9444->9445 9453 402a79 9445->9453 9446 401362 2 API calls 9447 402b6c ??3@YAXPAX 9446->9447 9447->9145 9448 402b5f 9448->9446 9450 401411 2 API calls 9450->9453 9451 401429 ??2@YAPAXI ??3@YAXPAX 9451->9453 9453->9448 9453->9450 9453->9451 
9454 401362 2 API calls 9453->9454 9892 4025c6 9453->9892 9895 40272e 9453->9895 9455 402ad9 ??3@YAXPAX 9454->9455 9456 4013e2 2 API calls 9455->9456 9457 402aee ??3@YAXPAX ??3@YAXPAX 9456->9457 9457->9453 9459 403d80 9458->9459 9460 403dbd 9459->9460 9461 403d9a lstrlenW lstrlenW 9459->9461 9460->9149 9460->9151 9906 401a85 9461->9906 9464 401f47 3 API calls 9463->9464 9465 404416 9464->9465 9466 401f9d 19 API calls 9465->9466 9467 40441d 9466->9467 9468 401f9d 19 API calls 9467->9468 9469 404429 9468->9469 9470 401f9d 19 API calls 9469->9470 9471 404435 9470->9471 9472 401f9d 19 API calls 9471->9472 9473 404441 9472->9473 9474 401f9d 19 API calls 9473->9474 9475 40444d 9474->9475 9476 401f9d 19 API calls 9475->9476 9477 404459 9476->9477 9478 401f9d 19 API calls 9477->9478 9479 404465 9478->9479 9480 404480 SHGetSpecialFolderPathW 9479->9480 9483 404533 #17 9479->9483 9484 401411 2 API calls 9479->9484 9485 401329 ??2@YAPAXI ??3@YAXPAX 9479->9485 9487 402f6c 7 API calls 9479->9487 9911 402425 ??3@YAXPAX ??3@YAXPAX 9479->9911 9480->9479 9481 40449a wsprintfW 9480->9481 9482 401411 2 API calls 9481->9482 9482->9479 9483->9150 9484->9479 9485->9479 9487->9479 9489 4022b0 2 API calls 9488->9489 9490 4025c2 9489->9490 9490->9194 9912 403e86 9491->9912 9493 404e56 9494 403e86 2 API calls 9493->9494 9495 404e65 9494->9495 9916 404343 9495->9916 9499 404e82 ??3@YAXPAX 9500 404343 3 API calls 9499->9500 9501 404e9d 9500->9501 9502 403ec1 2 API calls 9501->9502 9503 404ea8 ??3@YAXPAX wsprintfA 9502->9503 9932 403ef6 9503->9932 9505 404ed0 9506 403ef6 2 API calls 9505->9506 9507 404edb 9506->9507 9508 402844 9507->9508 9509 402851 9508->9509 9517 40dcfb 3 API calls 9509->9517 9510 402863 lstrlenA lstrlenA 9515 402890 9510->9515 9511 40296e 9511->9206 9511->9208 9512 40293b memmove 9512->9511 9512->9515 9513 4028db memcmp 9513->9511 9513->9515 9514 402918 memcmp 9514->9515 9515->9511 9515->9512 9515->9513 9515->9514 9518 40dcc7 GetLastError 9515->9518 9943 402640 9515->9943 
9517->9510 9518->9515 9520 40243b lstrcmpW 9519->9520 9521 40461c 9520->9521 9522 40466c 9521->9522 9524 401329 2 API calls 9521->9524 9523 40243b lstrcmpW 9522->9523 9525 40468a 9523->9525 9526 404633 9524->9526 9528 40243b lstrcmpW 9525->9528 9527 401f9d 19 API calls 9526->9527 9529 40463a 9527->9529 9531 4046a2 9528->9531 9530 40254d 2 API calls 9529->9530 9532 404643 9530->9532 9533 40243b lstrcmpW 9531->9533 9534 401329 2 API calls 9532->9534 9535 4046ba 9533->9535 9536 40465c 9534->9536 9538 40243b lstrcmpW 9535->9538 9537 401f9d 19 API calls 9536->9537 9539 404663 9537->9539 9540 4046d2 9538->9540 9541 40254d 2 API calls 9539->9541 9542 4046e9 9540->9542 9543 4046d9 lstrcmpiW 9540->9543 9541->9522 9544 40243b lstrcmpW 9542->9544 9543->9542 9545 4046ff 9544->9545 9546 40243b lstrcmpW 9545->9546 9547 40472c 9546->9547 9550 404739 9547->9550 9946 403d1f 9547->9946 9549 40243b lstrcmpW 9554 40474d 9549->9554 9550->9549 9551 40476d 9553 40243b lstrcmpW 9551->9553 9559 404780 9553->9559 9554->9551 9555 40243b lstrcmpW 9554->9555 9950 403cc6 9554->9950 9555->9554 9556 4047a0 9558 40243b lstrcmpW 9556->9558 9560 4047ac 9558->9560 9559->9556 9561 40243b lstrcmpW 9559->9561 9954 403cf7 9559->9954 9562 40243b lstrcmpW 9560->9562 9561->9559 9563 4047bd 9562->9563 9564 40243b lstrcmpW 9563->9564 9565 4047ce 9564->9565 9566 4047e4 9565->9566 9567 4047db _wtol 9565->9567 9568 40243b lstrcmpW 9566->9568 9567->9566 9569 4047f0 9568->9569 9570 404800 9569->9570 9571 4047f7 _wtol 9569->9571 9572 40243b lstrcmpW 9570->9572 9571->9570 9573 40480c 9572->9573 9574 40243b lstrcmpW 9573->9574 9575 404824 9574->9575 9576 40243b lstrcmpW 9575->9576 9577 40483c 9576->9577 9577->9265 9962 4023dd 9578->9962 9582 404045 9581->9582 9583 404088 9581->9583 9584 4012f7 2 API calls 9582->9584 9585 403b7f 19 API calls 9582->9585 9583->9245 9583->9246 9584->9582 9586 404062 SetEnvironmentVariableW ??3@YAXPAX 9585->9586 9586->9582 9586->9583 9588 40393b 7 API calls 9587->9588 9589 403b69 
9588->9589 9590 4039f6 7 API calls 9589->9590 9591 403b74 9590->9591 9592 4027c7 6 API calls 9591->9592 9593 403b7a 9592->9593 9593->9266 9739 4083b6 9593->9739 9966 408676 9594->9966 9596 404a55 ??2@YAPAXI 9597 404a64 9596->9597 9611 40dcfb 3 API calls 9597->9611 9598 404a85 9968 40a7de _EH_prolog 9598->9968 9984 40b2fc 9598->9984 9599 404a95 9600 404ab3 9599->9600 9601 404a99 9599->9601 9603 404ada ??2@YAPAXI 9600->9603 9607 403354 86 API calls 9600->9607 9602 407776 55 API calls 9601->9602 9606 404aa1 9602->9606 9604 404ae6 9603->9604 9605 404aed 9603->9605 10009 404292 9604->10009 9990 40150b 9605->9990 9606->9312 9609 404ac6 9607->9609 9609->9603 9609->9606 9611->9598 9615 402200 LoadLibraryA GetProcAddress 9614->9615 9616 4021fb 9614->9616 9617 40221b 9615->9617 9618 402223 9615->9618 9616->9410 9616->9415 9616->9416 9617->9616 9618->9617 10472 4021b9 LoadLibraryA GetProcAddress 9618->10472 9621 40661a 2 API calls 9620->9621 9622 4049af 9621->9622 9623 401f9d 19 API calls 9622->9623 9624 4049bd 9623->9624 9625 4024fc 2 API calls 9624->9625 9626 4049c7 9625->9626 9627 4049fd 9626->9627 9629 40254d ??2@YAPAXI ??3@YAXPAX 9626->9629 9628 40254d 2 API calls 9627->9628 9630 404a0a 9628->9630 9629->9626 9631 401f9d 19 API calls 9630->9631 9632 404a11 9631->9632 9633 40254d 2 API calls 9632->9633 9634 404a1b 9633->9634 9635 4073d1 21 API calls 9634->9635 9636 404a30 ??3@YAXPAX 9635->9636 9637 404a41 ctype 9636->9637 9637->9170 9639 40e8da ctype 3 API calls 9638->9639 9640 403e7e 9639->9640 9641 40e8da ctype 3 API calls 9640->9641 9642 40e943 ??3@YAXPAX 9641->9642 9642->9164 9644 40db53 2 API calls 9643->9644 9645 404ce8 9644->9645 9646 404d44 9645->9646 9648 4024fc 2 API calls 9645->9648 9647 4025ae 2 API calls 9646->9647 9649 404d4c 9647->9649 9650 404cf7 9648->9650 9651 403e86 2 API calls 9649->9651 9654 404db5 ??3@YAXPAX 9650->9654 9656 403354 86 API calls 9650->9656 9652 404d59 9651->9652 9653 403ef6 2 API calls 9652->9653 9655 404d66 9653->9655 9668 404db1 
9654->9668 9657 403ef6 2 API calls 9655->9657 9658 404d1b 9656->9658 9659 404d73 9657->9659 9658->9654 9661 40db53 2 API calls 9658->9661 9660 403ef6 2 API calls 9659->9660 9662 404d80 9660->9662 9663 404d37 9661->9663 9664 40dd5f 2 API calls 9662->9664 9663->9654 9665 404d3b ??3@YAXPAX 9663->9665 9666 404d94 9664->9666 9665->9646 9666->9654 9667 404d9d ??3@YAXPAX 9666->9667 9667->9668 9668->9229 9670 4025ae 2 API calls 9669->9670 9686 4030a8 9670->9686 9671 403301 9672 403344 ??3@YAXPAX 9671->9672 9673 40334e 9672->9673 9673->9215 9673->9221 9674 401411 ??2@YAPAXI ??3@YAXPAX 9674->9686 9676 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9676->9686 9677 401362 2 API calls 9678 4030f3 ??3@YAXPAX ??3@YAXPAX 9677->9678 9679 403303 9678->9679 9678->9686 10480 4029c3 9679->10480 9683 40331c ??3@YAXPAX 9683->9673 9684 4031e5 strncmp 9685 4031d0 strncmp 9684->9685 9684->9686 9685->9684 9685->9686 9686->9671 9686->9674 9686->9676 9686->9677 9686->9679 9686->9684 9687 401362 2 API calls 9686->9687 9688 402640 2 API calls 9686->9688 9691 402640 ??2@YAPAXI ??3@YAXPAX 9686->9691 9693 4023dd lstrcmpW 9686->9693 9694 402f6c 7 API calls 9686->9694 9696 403330 9686->9696 9697 4032b2 lstrcmpW 9686->9697 9701 401329 2 API calls 9686->9701 10474 402986 9686->10474 10479 402425 ??3@YAXPAX ??3@YAXPAX 9686->10479 9689 403252 ??3@YAXPAX 9687->9689 9688->9685 9690 402a69 9 API calls 9689->9690 9692 403263 lstrcmpW 9690->9692 9691->9686 9692->9686 9693->9686 9694->9686 9699 402f6c 7 API calls 9696->9699 9697->9686 9698 4032c0 lstrcmpW 9697->9698 9698->9686 9700 40333c 9699->9700 10498 402425 ??3@YAXPAX ??3@YAXPAX 9700->10498 9701->9686 9704 402f86 9703->9704 9705 402f7b 9703->9705 9707 408761 4 API calls 9704->9707 10500 402668 9705->10500 9708 402f92 9707->9708 9708->9219 9709->9219 9711 4024fc 2 API calls 9710->9711 9712 40485f 9711->9712 9713 40254d 2 API calls 9712->9713 9714 40486c 9713->9714 9715 404888 9714->9715 9716 401429 2 API calls 9714->9716 9717 40254d 2 API calls 
9715->9717 9716->9714 9718 404892 9717->9718 9719 40408b 94 API calls 9718->9719 9720 40489d ??3@YAXPAX 9719->9720 9720->9265 9722 4040a2 lstrlenW 9721->9722 9723 4040ce 9721->9723 9724 401a85 4 API calls 9722->9724 9723->9265 9725 4040b8 9724->9725 9725->9722 9725->9723 9726 4040d5 9725->9726 9727 4024fc 2 API calls 9726->9727 9730 4040de 9727->9730 10505 402776 9730->10505 9731 403093 84 API calls 9732 40414c 9731->9732 9733 404156 ??3@YAXPAX ??3@YAXPAX 9732->9733 9734 40416d ??3@YAXPAX ??3@YAXPAX 9732->9734 9733->9723 9734->9723 9735->9276 9737 40661a 2 API calls 9736->9737 9738 403b48 9737->9738 9738->9263 9740 408646 9739->9740 9752 4083d5 ctype 9739->9752 9740->9272 9741 40661a 2 API calls 9741->9752 9742 40243b lstrcmpW 9742->9752 9743 40786b 23 API calls 9743->9752 9745 407674 23 API calls 9745->9752 9746 407613 23 API calls 9746->9752 9747 403b40 2 API calls 9747->9752 9748 401f9d 19 API calls 9748->9752 9749 403f48 4 API calls 9749->9752 9750 4073d1 21 API calls 9750->9752 9751 407776 55 API calls 9751->9752 9752->9740 9752->9741 9752->9742 9752->9743 9752->9745 9752->9746 9752->9747 9752->9748 9752->9749 9752->9750 9752->9751 9753 407717 25 API calls 9752->9753 9754 4073d1 21 API calls 9752->9754 10515 40744b 9752->10515 9753->9752 9755 408476 ??3@YAXPAX 9754->9755 9755->9752 9757 40243b lstrcmpW 9756->9757 9758 4082fd 9757->9758 9759 40830b 9758->9759 10519 4019f0 GetStdHandle WriteFile 9758->10519 9761 40831e 9759->9761 10520 4019f0 GetStdHandle WriteFile 9759->10520 9763 408333 9761->9763 10521 4019f0 GetStdHandle WriteFile 9761->10521 9767 408344 9763->9767 10522 4019f0 GetStdHandle WriteFile 9763->10522 9765 40243b lstrcmpW 9769 408351 9765->9769 9767->9765 9768 40835f 9771 40243b lstrcmpW 9768->9771 9769->9768 10523 4019f0 GetStdHandle WriteFile 9769->10523 9772 40836c 9771->9772 9773 40837a 9772->9773 10524 4019f0 GetStdHandle WriteFile 9772->10524 9775 40243b lstrcmpW 9773->9775 9776 408387 9775->9776 9777 408395 9776->9777 10525 4019f0 
GetStdHandle WriteFile 9776->10525 9779 40243b lstrcmpW 9777->9779 9780 4083a2 9779->9780 9781 4083b2 9780->9781 10526 4019f0 GetStdHandle WriteFile 9780->10526 9781->9266 9784 407636 9783->9784 9785 407658 9784->9785 9786 40764b 9784->9786 10530 407186 9785->10530 10527 407154 9786->10527 9789 407653 9790 4073d1 21 API calls 9789->9790 9791 407671 9790->9791 9791->9308 9793 407689 9792->9793 9794 40716d 2 API calls 9793->9794 9795 407694 9794->9795 9796 4073d1 21 API calls 9795->9796 9797 4076a5 9796->9797 9797->9308 9799 401411 2 API calls 9798->9799 9800 403f96 9799->9800 9801 402535 2 API calls 9800->9801 9802 403f9f GetTempPathW 9801->9802 9803 403fb8 9802->9803 9808 403fcf 9802->9808 9804 402535 2 API calls 9803->9804 9805 403fc3 GetTempPathW 9804->9805 9805->9808 9806 402535 2 API calls 9807 403ff2 wsprintfW 9806->9807 9807->9808 9808->9806 9809 404009 GetFileAttributesW 9808->9809 9810 40402d 9808->9810 9809->9808 9809->9810 9810->9293 9812 40787e 9811->9812 10536 40719f 9812->10536 9815 4073d1 21 API calls 9816 4078b3 9815->9816 9816->9312 9818 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9817->9818 9819 403e16 9817->9819 9818->9313 9820 402c86 16 API calls 9819->9820 9820->9818 9822 40243b lstrcmpW 9821->9822 9823 40455d 9822->9823 9824 404592 9823->9824 9825 401329 2 API calls 9823->9825 9824->9364 9826 40456c 9825->9826 9827 403b7f 19 API calls 9826->9827 9828 404572 9827->9828 9828->9824 9829 401429 2 API calls 9828->9829 9829->9824 9831 4012f7 2 API calls 9830->9831 9832 4043d4 9831->9832 9833 40254d 2 API calls 9832->9833 9834 4043df 9833->9834 9834->9353 9836 4021a9 9835->9836 9837 40218e LoadLibraryA GetProcAddress 9835->9837 9836->9410 9837->9836 9839 401411 2 API calls 9838->9839 9846 4048bc 9839->9846 9840 401329 2 API calls 9840->9846 9841 40494e 9842 404988 ??3@YAXPAX 9841->9842 9844 4048ab 3 API calls 9841->9844 9842->9363 9843 401429 2 API calls 9843->9846 9845 404985 9844->9845 9845->9842 9846->9840 9846->9841 9846->9843 9847 40243b 
            APIs
              • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
              • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
              • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
              • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
              • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
              • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
              • Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
            • GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
            • GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
              • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
              • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
            • _wtol.MSVCRT ref: 0040509F
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
            • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
            • _wtol.MSVCRT ref: 00405217
            • ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
              • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
              • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
              • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
              • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
              • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
              • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
              • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
              • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
              • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
              • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
              • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
              • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
            • wsprintfW.USER32 ref: 00405595
            • _wtol.MSVCRT ref: 004057DE
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
            • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
            • CoInitialize.OLE32(00000000), ref: 004059E9
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
            • GetKeyState.USER32(00000010), ref: 00405AA1
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
            • memset.MSVCRT ref: 004060AE
            • ShellExecuteExW.SHELL32(?), ref: 0040617E
            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
            • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
              • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
              • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
              • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
              • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
              • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
              • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
              • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
              • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
              • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
            • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
            • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
            • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
            • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
            • _wtol.MSVCRT ref: 00405F65
            • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
            • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
            • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
            • API String ID: 154539431-3058303289
            • Opcode ID: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
            • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
            • Opcode Fuzzy Hash: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
            • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
            • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
            • Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
            • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

            APIs
            • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
            • SetLastError.KERNEL32(00000010), ref: 0040303D
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: AttributesErrorFileLast
            • String ID:
            • API String ID: 1799206407-0
            • Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
            • Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
            • Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
            • Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
            APIs
            • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
            • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: DiskFreeMessageSendSpace
            • String ID:
            • API String ID: 696007252-0
            • Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
            • Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
            • Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
            • Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
            • String ID: HpA
            • API String ID: 801014965-2938899866
            • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
            • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
            • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
            • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

            Control-flow Graph

            APIs
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
            • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
            • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
            • DispatchMessageW.USER32(?), ref: 00401B89
            • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
            • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
            • String ID: Static
            • API String ID: 2479445380-2272013587
            • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
            • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
            • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
            • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

            Control-flow Graph

            APIs
            • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
            • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@memcpymemmove
            • String ID:
            • API String ID: 3549172513-3916222277
            • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
            • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
            • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
            • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

            Control-flow Graph

            APIs
            • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
            • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
            • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
              • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
              • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
            • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
            • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
            • String ID:
            • API String ID: 846840743-0
            • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
            • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
            • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
            • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

            Control-flow Graph

            APIs
              • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
              • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
              • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
              • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
              • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
              • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
              • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
              • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
              • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
            • wsprintfW.USER32 ref: 004044A7
              • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
            • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
            • String ID: 7zSfxFolder%02d$IA
            • API String ID: 3387708999-1317665167
            • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
            • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
            • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
            • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

            Control-flow Graph

            APIs
            • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
            • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??2@
            • String ID: IA$IA
            • API String ID: 1033339047-1400641299
            • Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
            • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
            • Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
            • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: free
            • String ID: $KA$4KA$HKA$\KA
            • API String ID: 1294909896-3316857779
            • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
            • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
            • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
            • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

            Control-flow Graph

            APIs
            • _EH_prolog.MSVCRT ref: 004096D0
            • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
            • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
              • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??2@$H_prolog
            • String ID: HIA
            • API String ID: 3431946709-2712174624
            • Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
            • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
            • Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
            • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

            Control-flow Graph

            APIs
            • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
            • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
            • memcmp.MSVCRT(?,?,?), ref: 004028E4
            • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
            • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: lstrlenmemcmp$memmove
            • String ID:
            • API String ID: 3251180759-0
            • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
            • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
            • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
            • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

            Control-flow Graph: function at 40150b-401561 (graph image not reproduced; see APIs below)
            APIs
            • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
            • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
              • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
              • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
              • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
              • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
              • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
              • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
              • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
              • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
              • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
            Similarity
            • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
            • String ID:
            • API String ID: 359084233-0
            • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
            • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
            • Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
            • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

            Control-flow Graph: function at 401986-401995 (graph image not reproduced; see APIs below)
            APIs
            • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
            • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
            • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
            Similarity
            • API ID: ErrorLast$AttributesCreateDirectoryFile
            • String ID:
            • API String ID: 635176117-0
            • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
            • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
            • Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
            • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

            Control-flow Graph: function at 404a44-404a62 (graph image not reproduced; see APIs below)
            APIs
            • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
            • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
            Similarity
            • API ID: ??2@
            • String ID: ExecuteFile
            • API String ID: 1033339047-323923146
            • Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
            • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
            • Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
            • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

            Control-flow Graph: function at 40adc3-40adce (graph image not reproduced; see APIs below)
            APIs
            • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
            • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
            Similarity
            • API ID: ??2@??3@memmove
            • String ID:
            • API String ID: 3828600508-0
            • Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
            • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
            • Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
            • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
            APIs
            • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
            Similarity
            • API ID: GlobalMemoryStatus
            • String ID: @
            • API String ID: 1890195054-2766056989
            • Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
            • Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
            • Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
            • Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D
            APIs
              • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
              • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
              • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
              • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
            Similarity
            • API ID: ??3@$??2@ExceptionThrowmemmove
            • String ID:
            • API String ID: 4269121280-0
            • Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
            • Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
            • Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
            • Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99
            APIs
            Similarity
            • API ID: ??3@H_prolog
            • String ID:
            • API String ID: 1329742358-0
            • Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
            • Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
            • Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
            • Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B
            APIs
            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
            Similarity
            • API ID: ??2@??3@
            • String ID:
            • API String ID: 1936579350-0
            • Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
            • Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
            • Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
            • Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754
            APIs
            • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
            • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
            Similarity
            • API ID: ErrorFileLastPointer
            • String ID:
            • API String ID: 2976181284-0
            • Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
            • Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
            • Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
            • Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64
            APIs
            • SysAllocString.OLEAUT32(?), ref: 0040ED05
            • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
            Similarity
            • API ID: AllocExceptionStringThrow
            • String ID:
            • API String ID: 3773818493-0
            • Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
            • Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
            • Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
            • Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 0040E745
            • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
            Similarity
            • API ID: CriticalSection$EnterLeave
            • String ID:
            • API String ID: 3168844106-0
            • Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
            • Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
            • Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
            • Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4
            APIs
            Similarity
            • API ID: H_prolog
            • String ID:
            • API String ID: 3519838083-0
            • Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
            • Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
            • Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
            • Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A
            APIs
            • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
            Similarity
            • API ID: AttributesFile
            • String ID:
            • API String ID: 3188754299-0
            • Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
            • Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
            • Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
            • Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59
            APIs
            Similarity
            • API ID: H_prolog
            • String ID:
            • API String ID: 3519838083-0
            • Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
            • Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
            • Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
            • Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99
            APIs
              • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
            • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
            Similarity
            • API ID: CloseCreateFileHandle
            • String ID:
            • API String ID: 3498533004-0
            • Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
            • Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
            • Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
            • Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94
            APIs
            • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
            Similarity
            • API ID: FileWrite
            • String ID:
            • API String ID: 3934441357-0
            • Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
            • Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
            • Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
            • Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54
            APIs
            • _beginthreadex.MSVCRT ref: 00406552
              • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ErrorLast_beginthreadex
            • String ID:
            • API String ID: 4034172046-0
            • Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
            • Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
            • Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
            • Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: H_prolog
            • String ID:
            • API String ID: 3519838083-0
            • Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
            • Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
            • Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
            • Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD
            APIs
            • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
            • Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
            • Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
            • Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54
            APIs
            • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: FileTime
            • String ID:
            • API String ID: 1425588814-0
            • Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
            • Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
            • Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
            • Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: memmove
            • String ID:
            • API String ID: 2162964266-0
            • Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
            • Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
            • Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
            • Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54
            APIs
            • _CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ExceptionThrow
            • String ID:
            • API String ID: 432778473-0
            • Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
            • Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
            • Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
            • Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: free
            • String ID:
            • API String ID: 1294909896-0
            • Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
            • Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
            • Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
            • Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59
            APIs
            • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??2@
            • String ID:
            • API String ID: 1033339047-0
            • Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
            • Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
            • Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
            • Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299
            APIs
            • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            • Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
            • Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
            • Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
            • Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698
            APIs
            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
            • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
            • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
            • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
            APIs
            • ??2@YAPAXI@Z.MSVCRT(000000D0), ref: 0041138D
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??2@
            • String ID:
            • API String ID: 1033339047-0
            • Opcode ID: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
            • Instruction ID: d5b8b2b556814232dc2945b8f7e5995fed121ff751d048b21687cc00dda573f5
            • Opcode Fuzzy Hash: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
            • Instruction Fuzzy Hash: B4B0123438914504FE5413B208013FB01800F40303F10087B5B02E4DF9FD0884805139
            APIs
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: FreeVirtual
            • String ID:
            • API String ID: 1263568516-0
            • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
            • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
            • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
            • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: free
            • String ID:
            • API String ID: 1294909896-0
            • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
            • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
            • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
            • Instruction Fuzzy Hash:
            APIs
            • _wtol.MSVCRT ref: 004034E5
            • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
            • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
            • _wtol.MSVCRT ref: 0040367F
            • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
            • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
            • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
            • String ID: .lnk
            • API String ID: 408529070-24824748
            • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
            • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
            • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
            • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
            APIs
            • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
            • wsprintfW.USER32 ref: 00401FFD
            • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
            • GetLastError.KERNEL32 ref: 00402017
            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
            • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
            • GetLastError.KERNEL32 ref: 0040204C
            • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
            • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
            • SetLastError.KERNEL32(00000000), ref: 00402098
            • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
            • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
            • _wtol.MSVCRT ref: 0040212A
            • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
            • String ID: 7zSfxString%d$XpA$\3A
            • API String ID: 2117570002-3108448011
            • Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
            • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
            • Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
            • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
            APIs
            • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
            • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
            • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
            • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
            • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
            • LockResource.KERNEL32(00000000), ref: 00401C41
            • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
            • GetProcAddress.KERNEL32(00000000), ref: 00401C76
            • wsprintfW.USER32 ref: 00401C95
            • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
            • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
            • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
            • API String ID: 2639302590-365843014
            • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
            • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
            • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
            • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
            APIs
            • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
            • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
            • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
            • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
            • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
            • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
            • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
            • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
            • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
            • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
            • String ID:
            • API String ID: 829399097-0
            • Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
            • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
            • Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
            • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
            APIs
            • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
            • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
            • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
            • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
            • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
            • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
            • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
            • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
            • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
            • String ID:
            • API String ID: 1862581289-0
            • Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
            • Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
            • Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
            • Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C
            APIs
            • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
            • GetWindow.USER32(?,00000005), ref: 00406D8F
            • GetWindow.USER32(00000000,00000002), ref: 00406DA5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: Window$AddressLibraryLoadProc
            • String ID: SetWindowTheme$\EA$uxtheme
            • API String ID: 324724604-1613512829
            • Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
            • Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
            • Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
            • Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
            • Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
            • Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
            • Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
            • Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
            • Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
            • Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
            • Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
            • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
            • Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
            • Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
            • Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
            • Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50
            APIs
            • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
            • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
            • CloseHandle.KERNEL32(004177C4), ref: 00404C40
            • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
            • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
            • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
            • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
            • API String ID: 3007203151-3467708659
            • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
            • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
            • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
            • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
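            The function above creates a file named 7ZSfx%03x.cmd with GENERIC_WRITE (0x40000000), writes a batch script built from the fragments :Repeat, del ", if exist " and " goto Repeat, then launches it through ShellExecuteW with the open verb. That is the self-delete loop used by 7-Zip SFX modules: the batch keeps deleting a file until the lock held by the exiting process is gone. The Python below is an added detection example written for this report; it is not Joe Sandbox or 7-Zip code. It checks a batch file for that label/del/if-exist-goto loop and scans an API trace written in this report's call-line format for a 7ZSfx###.cmd that is opened for writing and later executed. The sample batch text and the trace are constructed, the paths and handle values are made up, and the assumption that the deleted file is the SFX executable itself is the example's, not the report's.

```python
"""Detect the 7ZSfx self-delete batch pattern. Added example for this report,
not Joe Sandbox or 7-Zip code; sample inputs below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Fragments from the report's String IDs: ':Repeat', 'del "', 'if exist "',
# '" goto Repeat', '7ZSfx%03x.cmd', 'open'.
LABEL_RE = re.compile(r'^:(\w+)$')
DEL_RE = re.compile(r'^del\s+"([^"]+)"$', re.IGNORECASE)
LOOP_RE = re.compile(r'^if\s+exist\s+"([^"]+)"\s+goto\s+(\w+)$', re.IGNORECASE)
SFX_CMD_NAME_RE = re.compile(r'^7ZSfx[0-9a-fA-F]{3}\.cmd$', re.IGNORECASE)
# Joe Sandbox style call line: API.MODULE(arg,arg,...), ref: 0040XXXX
CALL_RE = re.compile(r'^\s*•?\s*(\w+)\.(\w+)\((.*)\)(?:,\s*ref:.*)?$')
GENERIC_WRITE = 0x40000000


@dataclass
class SelfDeleteFinding:
    label: str   # loop label, e.g. "Repeat"
    target: str  # file the batch keeps deleting until it is gone


def find_self_delete_loop(batch_text: str) -> Optional[SelfDeleteFinding]:
    """Return the first 'label / del "X" / if exist "X" goto label' loop in a
    batch file, or None. Deletion targets are tracked per label so the goto
    must refer back to a del issued after the label it names."""
    label = None
    deleted_since_label = set()
    for raw in batch_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m:
            label, deleted_since_label = m.group(1), set()
            continue
        m = DEL_RE.match(line)
        if m:
            deleted_since_label.add(m.group(1).lower())
            continue
        m = LOOP_RE.match(line)
        if (m and label and m.group(2).lower() == label.lower()
                and m.group(1).lower() in deleted_since_label):
            return SelfDeleteFinding(label=label, target=m.group(1))
    return None


def parse_api_line(line: str):
    """Split 'CreateFileW.KERNEL32(a,b,c), ref: ...' into (api, [args])."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group(3).split(',')] if m.group(3) else []
    return m.group(1), args


def _hex(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:  # '?' placeholders and non-numeric arguments
        return None


def find_written_then_executed(trace_lines: List[str]) -> List[str]:
    """Flag paths opened for writing under a 7ZSfx###.cmd name and later
    passed to ShellExecuteW with the 'open' verb in the same trace."""
    written_cmd = set()
    hits = []
    for line in trace_lines:
        parsed = parse_api_line(line)
        if not parsed:
            continue
        api, args = parsed
        if api == 'CreateFileW' and len(args) >= 2:
            name = re.split(r'[\\/]', args[0])[-1]
            access = _hex(args[1])
            if SFX_CMD_NAME_RE.match(name) and access is not None and access & GENERIC_WRITE:
                written_cmd.add(args[0].lower())
        elif api == 'ShellExecuteW' and len(args) >= 3:
            if args[1].lower() == 'open' and args[2].lower() in written_cmd:
                hits.append(args[2])
    return hits


# Constructed batch file; the report does not show which file the stub
# deletes, so the SFX's own path is assumed here.
SAMPLE_BATCH = r'''
:Repeat
del "C:\Users\user\Desktop\6f0slJzOrF.exe"
if exist "C:\Users\user\Desktop\6f0slJzOrF.exe" goto Repeat
'''

# Constructed trace in the report's call-line format (paths, handles made up).
SAMPLE_TRACE = r'''
• GetDriveTypeW.KERNEL32(C:\,?,?), ref: 00404B46
• CreateFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\7ZSfx0a3.cmd,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
• WriteFile.KERNEL32(000000A4,?,?,?,00000000), ref: 00404C2C
• CloseHandle.KERNEL32(000000A4), ref: 00404C40
• SetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\7ZSfx0a3.cmd,00000002), ref: 00404C57
• ShellExecuteW.SHELL32(00000000,open,C:\Users\user\AppData\Local\Temp\7ZSfx0a3.cmd,00000000,00000000,00000000), ref: 00404C69
'''

if __name__ == '__main__':
    print(find_self_delete_loop(SAMPLE_BATCH))
    print(find_written_then_executed(SAMPLE_TRACE.splitlines()))
```

            The loop check is deliberately strict (label, a del of a quoted path, then an if exist on that same path jumping back to that label) so ordinary installer cleanup scripts with a single del do not trip it; the trace check keys on the write access mask and the open verb rather than on the file name alone, because a renamed stub would still have to write and then execute its batch.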
            APIs
            • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
              • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
              • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
              • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
              • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
              • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
              • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
            • _wtol.MSVCRT ref: 004047DC
            • _wtol.MSVCRT ref: 004047F8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
            • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
            • API String ID: 2725485552-3187639848
            • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
            • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
            • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
            • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
            APIs
            • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
            • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
              • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
              • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
            • GetParent.USER32(?), ref: 00402E2E
            • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
            • GetMenu.USER32(?), ref: 00402E55
            • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
            • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
            • DestroyWindow.USER32(?), ref: 00402EA3
            • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
            • GetSysColor.USER32(0000000F), ref: 00402EBC
            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
            • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
            • String ID: RichEdit20W$STATIC$riched20${\rtf
            • API String ID: 1731037045-2281146334
            • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
            • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
            • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
            • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
            APIs
            • GetWindowDC.USER32(00000000), ref: 00401CD4
            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
            • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
            • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
            • CreateCompatibleDC.GDI32(?), ref: 00401D4B
            • CreateCompatibleDC.GDI32(?), ref: 00401D52
            • SelectObject.GDI32(00000000,?), ref: 00401D60
            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
            • SelectObject.GDI32(00000000,00000000), ref: 00401D76
            • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
            • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
            • SelectObject.GDI32(00000000,?), ref: 00401DB3
            • SelectObject.GDI32(00000000,?), ref: 00401DB9
            • DeleteDC.GDI32(00000000), ref: 00401DC2
            • DeleteDC.GDI32(00000000), ref: 00401DC5
            • ReleaseDC.USER32(00000000,?), ref: 00401DCC
            • ReleaseDC.USER32(00000000,?), ref: 00401DDB
            • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
            • String ID:
            • API String ID: 3462224810-0
            • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
            • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
            • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
            • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
            APIs
            • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
            • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
            • GetMenu.USER32(?), ref: 00401E44
              • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
              • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
              • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
              • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
              • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
              • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
            • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
            • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
            • CoInitialize.OLE32(00000000), ref: 00401E8C
            • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
            • GlobalFree.KERNEL32(00000000), ref: 00401ECD
              • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
              • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
              • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
              • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
              • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
              • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
              • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
              • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
              • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
              • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
              • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
              • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
              • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
              • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
              • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
            • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
            • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
            • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
            • GlobalFree.KERNEL32(00000000), ref: 00401F3A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
            • String ID: IMAGES$STATIC
            • API String ID: 4202116410-1168396491
            • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
            • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
            • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
            • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
            APIs
              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
            • GetDlgItem.USER32(?,000004B8), ref: 0040816A
            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
            • GetDlgItem.USER32(?,000004B5), ref: 004081C0
            • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
            • GetDlgItem.USER32(?,000004B5), ref: 004081D5
            • SetWindowLongW.USER32(00000000), ref: 004081D8
            • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
            • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
            • GetDlgItem.USER32(?,000004B4), ref: 0040821A
            • SetFocus.USER32(00000000), ref: 0040821D
            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
            • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
            • GetDlgItem.USER32(?,00000002), ref: 00408294
            • IsWindow.USER32(00000000), ref: 00408297
            • GetDlgItem.USER32(?,00000002), ref: 004082A7
            • EnableWindow.USER32(00000000), ref: 004082AA
            • GetDlgItem.USER32(?,000004B5), ref: 004082BE
            • ShowWindow.USER32(00000000), ref: 004082C1
              • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
              • Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
              • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
              • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
              • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
              • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
              • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
              • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
            • String ID:
            • API String ID: 855516470-0
            • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
            • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
            • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
            • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
            APIs
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
            • strncmp.MSVCRT ref: 004031F1
            • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
            • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
            • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@$lstrcmpstrncmp
            • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
            • API String ID: 2881732429-172299233
            • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
            • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
            • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
            • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
            APIs
            • GetDlgItem.USER32(?,000004B3), ref: 00406A69
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
            • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
            • GetSystemMetrics.USER32(00000010), ref: 00406B0B
            • GetSystemMetrics.USER32(00000011), ref: 00406B11
            • GetSystemMetrics.USER32(00000008), ref: 00406B18
            • GetSystemMetrics.USER32(00000007), ref: 00406B1F
            • GetParent.USER32(?), ref: 00406B43
            • GetClientRect.USER32(00000000,?), ref: 00406B55
            • ClientToScreen.USER32(?,?), ref: 00406B68
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
            • GetClientRect.USER32(?,?), ref: 00406C55
            • ClientToScreen.USER32(?,?), ref: 00406B71
              • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
            • GetSystemMetrics.USER32(00000008), ref: 00406CD6
            • GetSystemMetrics.USER32(00000007), ref: 00406CDD
              • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
              • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
            • String ID:
            • API String ID: 747815384-0
            • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
            • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
            • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
            • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
            APIs
            • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
            • LoadIconW.USER32(00000000), ref: 00407D33
            • GetSystemMetrics.USER32(00000032), ref: 00407D43
            • GetSystemMetrics.USER32(00000031), ref: 00407D48
            • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
            • LoadImageW.USER32(00000000), ref: 00407D54
            • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
            • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
            • GetWindow.USER32(?,00000005), ref: 00407E76
            • GetWindow.USER32(?,00000005), ref: 00407E92
            • GetWindow.USER32(?,00000005), ref: 00407EAA
            • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
            • LoadIconW.USER32(00000000), ref: 00407F0D
            • GetDlgItem.USER32(?,000004B1), ref: 00407F28
            • SendMessageW.USER32(00000000), ref: 00407F2F
              • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
              • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
            • String ID:
            • API String ID: 1889686859-0
            • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
            • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
            • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
            • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
            APIs
            • GetParent.USER32(?), ref: 00406F45
            • GetWindowLongW.USER32(00000000), ref: 00406F4C
            • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
            • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
            • GetSystemMetrics.USER32(00000031), ref: 00406F91
            • GetSystemMetrics.USER32(00000032), ref: 00406F98
            • GetWindowDC.USER32(?), ref: 00406FAA
            • GetWindowRect.USER32(?,?), ref: 00406FB7
            • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
            • ReleaseDC.USER32(?,00000000), ref: 00406FF3
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
            • String ID:
            • API String ID: 2586545124-0
            • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
            • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
            • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
            • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
            APIs
            • GetDlgItem.USER32(?,000004B3), ref: 0040678E
            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
            • GetDlgItem.USER32(?,000004B4), ref: 004067AB
            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
            • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
            • GetDlgItem.USER32(?,?), ref: 004067CC
            • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
            • GetDlgItem.USER32(?,?), ref: 004067DD
            • SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ItemMessageSend$Focus
            • String ID:
            • API String ID: 3946207451-0
            • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
            • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
            • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
            • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
            APIs
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@
            • String ID: IA$IA$IA$IA$IA$IA
            • API String ID: 613200358-3743982587
            • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
            • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
            • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
            • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
            APIs
            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@
            • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
            • API String ID: 613200358-994561823
            • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
            • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
            • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
            • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
            APIs
            • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
            • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
            • GetDC.USER32(00000000), ref: 00406DFB
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
            • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
            • ReleaseDC.USER32(00000000,?), ref: 00406E24
            • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
            • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
            • String ID:
            • API String ID: 2693764856-0
            • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
            • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
            • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
            • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
            APIs
            • GetDC.USER32(?), ref: 0040696E
            • GetSystemMetrics.USER32(0000000B), ref: 0040698A
            • GetSystemMetrics.USER32(0000003D), ref: 00406993
            • GetSystemMetrics.USER32(0000003E), ref: 0040699B
            • SelectObject.GDI32(?,?), ref: 004069B8
            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
            • SelectObject.GDI32(?,?), ref: 004069F9
            • ReleaseDC.USER32(?,?), ref: 00406A08
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
            • String ID:
            • API String ID: 2466489532-0
            • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
            • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
            • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
            • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
            • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
            • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
            • wsprintfW.USER32 ref: 00407BBB
            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
            • String ID: %d%%
            • API String ID: 3753976982-1518462796
            • Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
            • Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
            • Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
            • Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
            APIs
            • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
              • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
              • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@$CharUpper$lstrlen
            • String ID: hAA
            • API String ID: 2587799592-1362906312
            • Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
            • Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
            • Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
            • Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658
            APIs
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
              • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
              • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
              • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
              • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@$FileTime$AttributesSystemlstrlen
            • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
            • API String ID: 4038993085-2279431206
            • Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
            • Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
            • Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
            • Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98
            APIs
            • EndDialog.USER32(?,00000000), ref: 00407579
            • KillTimer.USER32(?,00000001), ref: 0040758A
            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
            • SuspendThread.KERNEL32(00000290), ref: 004075CD
            • ResumeThread.KERNEL32(00000290), ref: 004075EA
            • EndDialog.USER32(?,00000000), ref: 0040760C
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: DialogThreadTimer$KillResumeSuspend
            • String ID:
            • API String ID: 4151135813-0
            • Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
            • Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
            • Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
            • Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
            APIs
            • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
              • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
            • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
            • wsprintfA.USER32 ref: 00404EBC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@$wsprintf
            • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
            • API String ID: 2704270482-1550708412
            • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
            • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
            • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
            • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
            APIs
            • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
            • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
            • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
            • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
            Strings
            Similarity
            • API ID: ??3@
            • String ID: %%T/$%%T\
            • API String ID: 613200358-2679640699
            • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
            • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
            • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
            • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
            APIs
            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
            • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
            Strings
            Similarity
            • API ID: ??3@
            • String ID: %%S/$%%S\
            • API String ID: 613200358-358529586
            • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
            • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
            • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
            • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
            APIs
            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
            • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
            Strings
            Similarity
            • API ID: ??3@
            • String ID: %%M/$%%M\
            • API String ID: 613200358-4143866494
            • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
            • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
            • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
            • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
            APIs
            • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
            Strings
            Similarity
            • API ID: ExceptionThrow
            • String ID: $JA$4JA$DJA$TJA$hJA$xJA
            • API String ID: 432778473-803145960
            • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
            • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
            • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
            • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
            APIs
              • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
            • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
              • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
              • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
              • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
            Strings
            Similarity
            • API ID: ??2@$??3@$memmove
            • String ID: IA$IA$IA
            • API String ID: 4294387087-924693538
            • Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
            • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
            • Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
            • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
            APIs
            • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
            • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
            • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
            • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
            Strings
            Similarity
            • API ID: ??2@??3@ExceptionThrowmemcpy
            • String ID: IA
            • API String ID: 3462485524-3293647318
            • Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
            • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
            • Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
            • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
            APIs
            Strings
            Similarity
            • API ID: wsprintf$ExitProcesslstrcat
            • String ID: 0x%p
            • API String ID: 2530384128-1745605757
            • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
            • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
            • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
            • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
            APIs
              • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
              • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
            • GetSystemMetrics.USER32(00000007), ref: 00407A51
            • GetSystemMetrics.USER32(00000007), ref: 00407A62
            • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
            Strings
            Similarity
            • API ID: MetricsSystem$??3@
            • String ID: 100%%
            • API String ID: 2562992111-568723177
            • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
            • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
            • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
            • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
            APIs
            • wsprintfW.USER32 ref: 00407A12
              • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
              • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
            • GetDlgItem.USER32(?,000004B3), ref: 004079C6
              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
            • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
            Strings
            Similarity
            • API ID: TextWindow$ItemLength$??3@wsprintf
            • String ID: (%u%s)
            • API String ID: 3595513934-2496177969
            • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
            • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
            • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
            • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
            APIs
            • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
            • GetProcAddress.KERNEL32(00000000), ref: 00402211
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetNativeSystemInfo$kernel32
            • API String ID: 2574300362-3846845290
            • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
            • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
            • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
            • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
            APIs
            • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
            • GetProcAddress.KERNEL32(00000000), ref: 0040219F
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32
            • API String ID: 2574300362-3900151262
            • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
            • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
            • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
            • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
            APIs
            • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
            • GetProcAddress.KERNEL32(00000000), ref: 004021D1
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32
            • API String ID: 2574300362-736604160
            • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
            • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
            • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
            • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
            APIs
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
              • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
            Similarity
            • API ID: ??3@$ByteCharMultiWide
            • String ID:
            • API String ID: 1731127917-0
            • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
            • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
            • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
            • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
            APIs
            • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
            • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
            • wsprintfW.USER32 ref: 00403FFB
            • GetFileAttributesW.KERNEL32(?), ref: 00404016
            Similarity
            • API ID: PathTemp$AttributesFilewsprintf
            • String ID:
            • API String ID: 1746483863-0
            • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
            • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
            • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
            • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
            APIs
            • CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
            Similarity
            • API ID: CharUpper
            • String ID:
            • API String ID: 9403516-0
            • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
            • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
            • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
            • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
            APIs
              • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
            • GetDlgItem.USER32(?,000004B7), ref: 00408020
            • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
              • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
              • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
              • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
              • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
            • String ID:
            • API String ID: 2538916108-0
            • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
            • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
            • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
            • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
            APIs
            • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
            • GetSystemMetrics.USER32(00000031), ref: 0040683A
            • CreateFontIndirectW.GDI32(?), ref: 00406849
            • DeleteObject.GDI32(00000000), ref: 00406878
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
            • String ID:
            • API String ID: 1900162674-0
            • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
            • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
            • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
            • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
            APIs
            • memset.MSVCRT ref: 0040749F
            • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
            • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
            • SHGetMalloc.SHELL32(00000000), ref: 004074FE
              • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
              • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: BrowseFocusFolderFromItemListMallocPathmemset
            • String ID:
            • API String ID: 1557639607-0
            • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
            • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
            • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
            • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
            APIs
            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
            • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
              • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
              • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@$EnvironmentExpandStrings$??2@
            • String ID:
            • API String ID: 612612615-0
            • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
            • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
            • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
            • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
            APIs
              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
            • SetWindowTextW.USER32(?,?), ref: 00403B12
            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ??3@TextWindow$Length
            • String ID:
            • API String ID: 2308334395-0
            • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
            • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
            • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
            • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
            APIs
            • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
            • CreateFontIndirectW.GDI32(?), ref: 0040705B
            • GetDlgItem.USER32(?,000004B5), ref: 0040706F
            • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: CreateFontIndirectItemMessageObjectSend
            • String ID:
            • API String ID: 2001801573-0
            • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
            • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
            • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
            • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
            APIs
            • GetParent.USER32(?), ref: 00401BA8
            • GetWindowRect.USER32(?,?), ref: 00401BC1
            • ScreenToClient.USER32(00000000,?), ref: 00401BCF
            • ScreenToClient.USER32(00000000,?), ref: 00401BD6
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: ClientScreen$ParentRectWindow
            • String ID:
            • API String ID: 2099118873-0
            • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
            • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
            • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
            • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: _wtol
            • String ID: GUIFlags$[G@
            • API String ID: 2131799477-2126219683
            • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
            • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
            • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
            • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
            APIs
            • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
            • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1778436836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.1778416321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778456912.0000000000413000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778473927.0000000000417000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.000000000041A000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000424000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1778490103.0000000000432000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_6f0slJzOrF.jbxd
            Similarity
            • API ID: EnvironmentVariable
            • String ID: ?O@
            • API String ID: 1431749950-3511380453
            • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
            • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
            • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
            • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

            Execution Graph

            Execution Coverage:3.2%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:9.9%
            Total number of Nodes:1343
            Total number of Limit Nodes:59
            execution_graph 53187 6c1d6fdc 53188 6c1d7033 53187->53188 53205 6c32f21b 53188->53205 53190 6c1d705a 53191 6c1d707e ___CxxFrameHandler 53190->53191 53193 6c1d7262 53190->53193 53192 6c1d70d1 CreateThread 53191->53192 53194 6c1d71a1 53192->53194 53278 6c1d50f3 Sleep 53192->53278 53219 6c32ae8c 53193->53219 53218 6c1d6958 32 API calls 2 library calls 53194->53218 53198 6c1d71c6 53206 6c32f233 53205->53206 53207 6c32f229 53205->53207 53224 6c32f285 53206->53224 53208 6c33c139 16 API calls 53207->53208 53210 6c32f230 53208->53210 53210->53190 53214 6c32f261 53217 6c32f27f 53214->53217 53237 6c3323b7 14 API calls __dosmaperr 53214->53237 53217->53190 53218->53198 53276 6c32b0cb 29 API calls 2 library calls 53219->53276 53221 6c32ae9b 53277 6c32aea9 11 API calls std::locale::_Setgloballocale 53221->53277 53223 6c32aea8 53238 6c31def8 53224->53238 53227 6c32f24d 53229 6c31dff2 53227->53229 53250 6c31e04a 53229->53250 53232 6c33c139 DeleteFileW 53233 6c33c14b GetLastError 53232->53233 53234 6c33c15d 53232->53234 53275 6c31ea2f 14 API calls __dosmaperr 53233->53275 53234->53214 53236 6c33c157 53236->53214 53237->53217 53239 6c31df16 53238->53239 53245 6c31df0f 53238->53245 53239->53245 53247 6c332643 39 API calls 3 library calls 53239->53247 53241 6c31df37 53248 6c332c52 39 API calls __Getctype 53241->53248 53243 6c31df4d 53249 6c332c7f 39 API calls __wsopen_s 53243->53249 53245->53227 53246 6c33441d 5 API calls std::_Lockit::_Lockit 53245->53246 53246->53227 53247->53241 53248->53243 53249->53245 53251 6c31e072 53250->53251 53252 6c31e058 53250->53252 53254 6c31e079 53251->53254 53255 6c31e098 53251->53255 53268 6c31dfd8 14 API calls ___free_lconv_mon 53252->53268 53259 6c31e00a 53254->53259 53269 6c31df99 15 API calls __wsopen_s 53254->53269 53270 6c33243f MultiByteToWideChar __fread_nolock 53255->53270 53257 6c31e0a7 53260 6c31e0ae GetLastError 53257->53260 53262 6c31e0d4 53257->53262 53273 6c31df99 15 API calls __wsopen_s 53257->53273 53259->53214 
53259->53232 53271 6c31ea2f 14 API calls __dosmaperr 53260->53271 53262->53259 53274 6c33243f MultiByteToWideChar __fread_nolock 53262->53274 53263 6c31e0ba 53272 6c31ea09 14 API calls __dosmaperr 53263->53272 53266 6c31e0eb 53266->53259 53266->53260 53268->53259 53269->53259 53270->53257 53271->53263 53272->53259 53273->53262 53274->53266 53275->53236 53276->53221 53277->53223 53279 e210e0 53280 e210ec ___scrt_is_nonwritable_in_current_image 53279->53280 53303 e212dc 53280->53303 53282 e210f3 53283 e21246 53282->53283 53286 e2111d 53282->53286 53321 e215d0 6 API calls 53283->53321 53285 e2124d exit 53287 e21253 _exit 53285->53287 53288 e21121 _initterm_e 53286->53288 53291 e2116a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 53286->53291 53289 e2113c 53288->53289 53290 e2114d _initterm 53288->53290 53290->53291 53292 e211be 53291->53292 53295 e211b6 _register_thread_local_exe_atexit_callback 53291->53295 53307 e216eb memset GetStartupInfoW 53292->53307 53294 e211c3 _get_narrow_winmain_command_line 53308 e21c50 GetCommandLineW CommandLineToArgvW 53294->53308 53295->53292 53297 e211d8 53320 e21721 GetModuleHandleW 53297->53320 53299 e211df 53299->53285 53300 e211e3 53299->53300 53301 e211e7 _cexit 53300->53301 53302 e211ec ___scrt_uninitialize_crt 53300->53302 53301->53302 53302->53289 53304 e212e5 53303->53304 53322 e218a4 IsProcessorFeaturePresent 53304->53322 53306 e212f1 ___scrt_uninitialize_crt 53306->53282 53307->53294 53309 e21c82 53308->53309 53310 e21c78 53308->53310 53323 e21d6f 53309->53323 53310->53297 53312 e21ca0 53313 e21d1c LocalFree 53312->53313 53314 e21cc1 WideCharToMultiByte 53312->53314 53333 e21000 TCGamerUpdateMain 53313->53333 53316 e21d6f 4 API calls 53314->53316 53318 e21ce1 WideCharToMultiByte 53316->53318 53317 e21d35 53317->53297 53318->53314 53319 e21d14 53318->53319 53319->53313 53320->53299 53321->53285 53322->53306 53324 e21d7d 53323->53324 53325 e21d8f malloc 53324->53325 53326 e21d82 _callnewh 53325->53326 
53327 e21d9c 53325->53327 53326->53325 53330 e21d9e 53326->53330 53327->53312 53328 e21e9f 53329 e21ead _CxxThrowException 53328->53329 53331 e21ec3 53329->53331 53330->53328 53332 e21e90 _CxxThrowException 53330->53332 53331->53312 53332->53328 53333->53317 53334 6c1d8bff 53339 6c1f7421 53334->53339 53336 6c1d8c09 53343 6c1d9700 53336->53343 53340 6c1f742d __EH_prolog3 53339->53340 53346 6c1f777d 53340->53346 53342 6c1f7616 Concurrency::details::ExternalContextBase::~ExternalContextBase 53342->53336 53667 6c1d9715 53343->53667 53347 6c1f779e _memcpy_s 53346->53347 53348 6c1f7825 53346->53348 53350 6c1f77ce VerSetConditionMask VerSetConditionMask VerifyVersionInfoW GetSystemMetrics 53347->53350 53520 6c1f89cd 5 API calls ___raise_securityfailure 53348->53520 53357 6c1f783a 53350->53357 53351 6c1f7838 53351->53342 53353 6c1f7817 53434 6c1f7c58 53353->53434 53521 6c1f89db 53357->53521 53359 6c1f7846 GetSysColor 53360 6c1f785b GetSysColor 53359->53360 53361 6c1f7867 GetSysColor 53359->53361 53360->53361 53363 6c1f788a 53361->53363 53364 6c1f787e GetSysColor 53361->53364 53522 6c1dd1dc 53363->53522 53364->53363 53366 6c1f78a0 22 API calls 53367 6c1f79ca 53366->53367 53368 6c1f79d3 GetSysColor 53366->53368 53369 6c1f79e5 GetSysColorBrush 53367->53369 53368->53369 53370 6c1f7c52 53369->53370 53371 6c1f7a01 GetSysColorBrush 53369->53371 53560 6c1f0b00 20 API calls CallUnexpected 53370->53560 53371->53370 53372 6c1f7a14 GetSysColorBrush 53371->53372 53372->53370 53375 6c1f7a27 53372->53375 53374 6c1f7c57 53530 6c1dc4fe 53375->53530 53377 6c1f7a34 CreateSolidBrush 53535 6c1dc4a8 53377->53535 53379 6c1f7a45 53380 6c1dc4fe 21 API calls 53379->53380 53381 6c1f7a52 CreateSolidBrush 53380->53381 53382 6c1dc4a8 20 API calls 53381->53382 53383 6c1f7a63 53382->53383 53384 6c1dc4fe 21 API calls 53383->53384 53385 6c1f7a70 CreateSolidBrush 53384->53385 53386 6c1dc4a8 20 API calls 53385->53386 53387 6c1f7a81 53386->53387 53388 6c1dc4fe 21 API calls 53387->53388 53389 6c1f7a8e 
CreateSolidBrush 53388->53389 53390 6c1dc4a8 20 API calls 53389->53390 53391 6c1f7aa2 53390->53391 53392 6c1dc4fe 21 API calls 53391->53392 53393 6c1f7aaf CreateSolidBrush 53392->53393 53394 6c1dc4a8 20 API calls 53393->53394 53395 6c1f7ac0 53394->53395 53396 6c1dc4fe 21 API calls 53395->53396 53397 6c1f7acd CreateSolidBrush 53396->53397 53398 6c1dc4a8 20 API calls 53397->53398 53399 6c1f7ade 53398->53399 53400 6c1dc4fe 21 API calls 53399->53400 53401 6c1f7aeb CreateSolidBrush 53400->53401 53402 6c1dc4a8 20 API calls 53401->53402 53403 6c1f7afc 53402->53403 53404 6c1dc4fe 21 API calls 53403->53404 53405 6c1f7b09 CreatePen 53404->53405 53406 6c1dc4a8 20 API calls 53405->53406 53407 6c1f7b22 53406->53407 53408 6c1dc4fe 21 API calls 53407->53408 53409 6c1f7b2f CreatePen 53408->53409 53410 6c1dc4a8 20 API calls 53409->53410 53411 6c1f7b46 53410->53411 53412 6c1dc4fe 21 API calls 53411->53412 53413 6c1f7b53 CreatePen 53412->53413 53414 6c1dc4a8 20 API calls 53413->53414 53415 6c1f7b6a 53414->53415 53416 6c1f7b81 53415->53416 53419 6c1dc4fe 21 API calls 53415->53419 53417 6c1f7bee 53416->53417 53418 6c1f7b8a CreateSolidBrush 53416->53418 53556 6c1f8808 7 API calls 2 library calls 53417->53556 53420 6c1dc4a8 20 API calls 53418->53420 53419->53416 53423 6c1f7bec 53420->53423 53422 6c1f7bf8 53422->53370 53424 6c1f7bfc 53422->53424 53539 6c22b409 53423->53539 53425 6c1dc4a8 20 API calls 53424->53425 53427 6c1f7c15 CreatePatternBrush 53425->53427 53429 6c1dc4a8 20 API calls 53427->53429 53431 6c1f7c26 53429->53431 53557 6c1d7f12 53431->53557 53432 6c1f7c4c Concurrency::details::ExternalContextBase::~ExternalContextBase 53432->53353 53435 6c1f7c67 __EH_prolog3_GS 53434->53435 53436 6c1dd1dc 21 API calls 53435->53436 53437 6c1f7c76 GetDeviceCaps 53436->53437 53438 6c1f7cb0 53437->53438 53439 6c1f7ce4 53438->53439 53442 6c1dc4d4 20 API calls 53438->53442 53440 6c1f7d02 53439->53440 53443 6c1dc4d4 20 API calls 53439->53443 53441 6c1f7d20 53440->53441 53446 6c1dc4d4 20 API calls 
53440->53446 53448 6c1f7d3e 53441->53448 53451 6c1dc4d4 20 API calls 53441->53451 53444 6c1f7cdd DeleteObject 53442->53444 53445 6c1f7cfb DeleteObject 53443->53445 53444->53439 53445->53440 53450 6c1f7d19 DeleteObject 53446->53450 53447 6c1f7d5c 53449 6c1f7d7a 53447->53449 53456 6c1dc4d4 20 API calls 53447->53456 53448->53447 53452 6c1dc4d4 20 API calls 53448->53452 53453 6c1f7d98 53449->53453 53460 6c1dc4d4 20 API calls 53449->53460 53450->53441 53454 6c1f7d37 DeleteObject 53451->53454 53455 6c1f7d55 DeleteObject 53452->53455 53457 6c1f7db6 53453->53457 53463 6c1dc4d4 20 API calls 53453->53463 53454->53448 53455->53447 53459 6c1f7d73 DeleteObject 53456->53459 53458 6c1f7dd4 53457->53458 53465 6c1dc4d4 20 API calls 53457->53465 53461 6c1f7df2 53458->53461 53468 6c1dc4d4 20 API calls 53458->53468 53459->53449 53462 6c1f7d91 DeleteObject 53460->53462 53628 6c1f8709 53461->53628 53462->53453 53464 6c1f7daf DeleteObject 53463->53464 53464->53457 53467 6c1f7dcd DeleteObject 53465->53467 53467->53458 53470 6c1f7deb DeleteObject 53468->53470 53469 6c1f7e0a _memcpy_s 53471 6c1f7e17 GetTextCharsetInfo 53469->53471 53470->53461 53472 6c1f7e51 lstrcpyW 53471->53472 53474 6c1f7e85 53472->53474 53475 6c1f7ef1 CreateFontIndirectW 53472->53475 53474->53475 53476 6c1f7e8e EnumFontFamiliesW 53474->53476 53477 6c1dc4a8 20 API calls 53475->53477 53478 6c1f7ebf EnumFontFamiliesW 53476->53478 53479 6c1f7eaa lstrcpyW 53476->53479 53483 6c1f7f03 53477->53483 53480 6c1f7ede lstrcpyW 53478->53480 53479->53475 53480->53475 53482 6c1f7f39 CreateFontIndirectW 53484 6c1dc4a8 20 API calls 53482->53484 53483->53482 53485 6c1f7f4b 53484->53485 53486 6c1f8709 SystemParametersInfoW 53485->53486 53487 6c1f7f66 CreateFontIndirectW 53486->53487 53488 6c1dc4a8 20 API calls 53487->53488 53489 6c1f7f8e CreateFontIndirectW 53488->53489 53490 6c1dc4a8 20 API calls 53489->53490 53491 6c1f7fba CreateFontIndirectW 53490->53491 53492 6c1dc4a8 20 API calls 53491->53492 53493 6c1f7fdb GetSystemMetrics lstrcpyW 
CreateFontIndirectW 53492->53493 53494 6c1dc4a8 20 API calls 53493->53494 53495 6c1f8017 GetStockObject 53494->53495 53496 6c1f810f 53495->53496 53497 6c1f8045 GetObjectW 53495->53497 53631 6c1f874a 53496->53631 53497->53496 53499 6c1f805a lstrcpyW CreateFontIndirectW 53497->53499 53500 6c1dc4a8 20 API calls 53499->53500 53501 6c1f80a9 CreateFontIndirectW 53500->53501 53502 6c1dc4a8 20 API calls 53501->53502 53504 6c1f80c2 GetObjectW CreateFontIndirectW 53502->53504 53503 6c1f814b 53505 6c1d7f12 21 API calls 53503->53505 53508 6c1dc4a8 20 API calls 53504->53508 53509 6c1f8160 53505->53509 53506 6c1f8116 53506->53503 53507 6c1f8171 53506->53507 53649 6c1e4029 20 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 53506->53649 53653 6c1f0b00 20 API calls CallUnexpected 53507->53653 53512 6c1f80ee CreateFontIndirectW 53508->53512 53513 6c1dd231 22 API calls 53509->53513 53515 6c1dc4a8 20 API calls 53512->53515 53516 6c1f816b 53513->53516 53514 6c1f8176 53515->53496 53650 6c1f8ac7 53516->53650 53520->53351 53521->53359 53523 6c1dd1e8 __EH_prolog3 53522->53523 53524 6c1dd20b GetWindowDC 53523->53524 53561 6c1dc68a 53524->53561 53526 6c1dd21d 53527 6c1dd221 Concurrency::details::ExternalContextBase::~ExternalContextBase 53526->53527 53565 6c1dbe2f RaiseException CallUnexpected 53526->53565 53527->53366 53531 6c1dc504 53530->53531 53532 6c1dc507 53530->53532 53531->53377 53567 6c1dc4d4 53532->53567 53534 6c1dc50c DeleteObject 53534->53377 53536 6c1dc4b5 53535->53536 53538 6c1dc4bf 53535->53538 53537 6c1dd3a4 20 API calls 53536->53537 53537->53538 53538->53379 53540 6c22b412 53539->53540 53550 6c1f7c3a 53539->53550 53540->53550 53613 6c25bc22 21 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 53540->53613 53542 6c22b425 53614 6c25bc22 21 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 53542->53614 53544 6c22b42f 53615 6c25bc22 21 API calls 
[Execution graph data (fragment, continued): machine-generated dump of graph nodes (code addresses between 6c1c1ba0 and 6c34222c with resolved symbol names) and node->node edges, as emitted by the sandbox graph renderer. The nodes in this fragment reference the following Windows API and runtime symbols:
CryptoAPI: CryptStringToBinaryA, CryptAcquireContextW, CryptImportKey, CryptSetKeyParam, CryptDecrypt, CryptDestroyKey, CryptReleaseContext, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash
File and handle I/O: CreateFileW, GetFileType, SetFilePointerEx, ReadFile, GetConsoleMode, ReadConsoleW, CloseHandle, GetLastError, GetFileAttributesA, SHGetFolderPathA
Process, thread and timing: CreateThread, Sleep, GetCurrentThread, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetVersionExW
Dynamic API resolution: GetModuleHandleW, GetProcAddress
COM and string handling: CoInitialize, CoCreateInstance, CoUninitialize, MultiByteToWideChar, SysAllocStringLen, swprintf, _strlen, _memcpy_s
Window, GDI and profile settings: SelectObject, DeleteDC, ReleaseDC, GetTextMetricsW, SystemParametersInfoW, SendMessageW, GetProfileIntW
Synchronization, heap and exception handling: EnterCriticalSection, LeaveCriticalSection, RtlAllocateHeap, RaiseException, ___CxxFrameHandler, CallUnexpected, _unexpected, __dosmaperr, ___raise_securityfailure, ___security_init_cookie
CRT and DLL entry: dllmain_raw, dllmain_crt_dispatch, __DllMainCRTStartup@12, ___scrt_is_nonwritable_in_current_image, __fread_nolock, __wsopen_s, std::_Lockit::_Lockit, std::_Lockit::~_Lockit, std::locale::_Setgloballocale, std::ios_base::_Ios_base_dtor, Concurrency::details::ExternalContextBase::~ExternalContextBase, Concurrency::cancel_current_task]
6c1f0b00 20 API calls CallUnexpected 54823->54835 54826 6c1fc88a 54824->54826 54834 6c1fc908 InitializeCriticalSection 54824->54834 54829 6c1fc8cc EnterCriticalSection 54826->54829 54830 6c1fc89a EnterCriticalSection 54826->54830 54827 6c1fc8e3 54829->54817 54831 6c1fc8c4 LeaveCriticalSection 54830->54831 54832 6c1fc8b1 InitializeCriticalSection 54830->54832 54831->54829 54832->54831 54833->54821 54834->54826 54835->54827 54836 6c1feb44 54837 6c1feb4d 54836->54837 54838 6c1feb5d 54836->54838 54867 6c1fe76d TlsAlloc InitializeCriticalSection RaiseException 54837->54867 54842 6c1febaf 54838->54842 54848 6c1fe7ad EnterCriticalSection 54838->54848 54841 6c1feb71 54841->54842 54843 6c1feb77 54841->54843 54869 6c1f0b00 20 API calls CallUnexpected 54842->54869 54868 6c1feaa6 EnterCriticalSection TlsGetValue LeaveCriticalSection LeaveCriticalSection 54843->54868 54846 6c1febb4 54847 6c1feb83 Concurrency::details::ExternalContextBase::~ExternalContextBase 54849 6c1fe7d1 54848->54849 54851 6c1fe881 _memcpy_s 54849->54851 54853 6c1fe838 GlobalHandle 54849->54853 54855 6c1fe823 54849->54855 54859 6c1fe8e4 LeaveCriticalSection 54849->54859 54852 6c1fe8b1 LeaveCriticalSection 54851->54852 54852->54841 54856 6c1fe8cc 54853->54856 54857 6c1fe84b GlobalUnlock 54853->54857 54861 6c1fe82b GlobalAlloc 54855->54861 54856->54859 54860 6c1fe8d1 GlobalHandle 54856->54860 54862 6c1f0528 54857->54862 54870 6c1f0acc RaiseException CallUnexpected 54859->54870 54860->54859 54863 6c1fe8dd GlobalLock 54860->54863 54864 6c1fe86d 54861->54864 54865 6c1fe861 GlobalReAlloc 54862->54865 54863->54859 54864->54856 54866 6c1fe871 GlobalLock 54864->54866 54865->54864 54866->54851 54866->54859 54867->54838 54868->54847 54869->54846 54871 6c1f0223 54872 6c1f0227 54871->54872 54873 6c1f023d 54871->54873 54872->54873 54875 6c1febed 26 API calls 3 library calls 54872->54875 54875->54873 54876 6c1d5a00 54890 6c1d5a43 ___CxxFrameHandler _strlen 54876->54890 54877 6c1d5b59 _strlen 54881 6c1d5b86 54877->54881 
54954 6c1c22c0 31 API calls 2 library calls 54877->54954 54880 6c1d95d7 ___CxxFrameHandler 16 API calls 54880->54890 54883 6c1d5bd5 54881->54883 54884 6c1d5bc6 54881->54884 54887 6c1d5b8d ___CxxFrameHandler 54881->54887 54886 6c1d95d7 ___CxxFrameHandler 16 API calls 54883->54886 54955 6c1c1ba0 31 API calls ___CxxFrameHandler 54884->54955 54886->54887 54956 6c1d52e6 33 API calls 2 library calls 54887->54956 54888 6c1d5b27 Sleep 54888->54890 54889 6c1d5c67 54892 6c32ae8c ___CxxFrameHandler 29 API calls 54889->54892 54890->54877 54890->54880 54890->54888 54890->54889 54898 6c1d5103 CreateToolhelp32Snapshot 54890->54898 54953 6c1c1ba0 31 API calls ___CxxFrameHandler 54890->54953 54894 6c1d5c6c 54892->54894 54893 6c1d5c12 54893->54889 54895 6c1d5c41 ___CxxFrameHandler 54893->54895 54957 6c1c2572 31 API calls ___CxxFrameHandler 54894->54957 54897 6c1d5c7b 54899 6c1d511f _memcpy_s 54898->54899 54900 6c1d52c2 54898->54900 54901 6c1d5135 Process32FirstW 54899->54901 54900->54890 54902 6c1d52bb CloseHandle 54901->54902 54914 6c1d5155 ___CxxFrameHandler _strlen 54901->54914 54902->54900 54903 6c1d515e WideCharToMultiByte 54903->54914 54904 6c1d52dc 54959 6c1c22c0 31 API calls 2 library calls 54904->54959 54906 6c1d52e1 54907 6c32ae8c ___CxxFrameHandler 29 API calls 54906->54907 54909 6c1d52e6 SHGetFolderPathA 54907->54909 54911 6c1d58f9 54909->54911 54913 6c1d533b _strlen 54909->54913 54910 6c1d95d7 ___CxxFrameHandler 16 API calls 54910->54914 54911->54890 54912 6c1d599b 54964 6c1c22c0 31 API calls 2 library calls 54912->54964 54913->54912 54918 6c1d53ae 54913->54918 54919 6c1d53a6 54913->54919 54928 6c1d5362 ___CxxFrameHandler 54913->54928 54914->54903 54914->54904 54914->54906 54914->54910 54916 6c1d52cf CloseHandle 54914->54916 54917 6c1d52a1 Process32NextW 54914->54917 54958 6c1c1ba0 31 API calls ___CxxFrameHandler 54914->54958 54916->54900 54917->54902 54917->54903 54923 6c1d95d7 ___CxxFrameHandler 16 API calls 54918->54923 54960 6c1c1ba0 31 API calls ___CxxFrameHandler 
54919->54960 54920 6c1d59a0 54965 6c1c22c0 31 API calls 2 library calls 54920->54965 54923->54928 54924 6c1d59ac 54966 6c1c22c0 31 API calls 2 library calls 54924->54966 54926 6c1d59b8 54967 6c1c22c0 31 API calls 2 library calls 54926->54967 54928->54920 54929 6c1d5404 54928->54929 54933 6c1d5960 54928->54933 54938 6c1d540d ___CxxFrameHandler 54928->54938 54961 6c1c1ba0 31 API calls ___CxxFrameHandler 54929->54961 54930 6c1d59c4 54968 6c1c2572 31 API calls ___CxxFrameHandler 54930->54968 54935 6c1d95d7 ___CxxFrameHandler 16 API calls 54933->54935 54934 6c1d59d3 54934->54890 54935->54938 54936 6c1d5595 54962 6c1c1ba0 31 API calls ___CxxFrameHandler 54936->54962 54938->54924 54938->54936 54939 6c1d5944 54938->54939 54940 6c1d5996 54938->54940 54945 6c1d55a2 ___CxxFrameHandler 54938->54945 54942 6c1d95d7 ___CxxFrameHandler 16 API calls 54939->54942 54941 6c32ae8c ___CxxFrameHandler 29 API calls 54940->54941 54941->54912 54942->54945 54943 6c1d573a 54963 6c1c1ba0 31 API calls ___CxxFrameHandler 54943->54963 54945->54926 54945->54940 54945->54943 54946 6c1d5985 54945->54946 54951 6c1d574a ___CxxFrameHandler 54945->54951 54947 6c1d95d7 ___CxxFrameHandler 16 API calls 54946->54947 54947->54951 54948 6c1d5889 ___CxxFrameHandler 54949 6c1d58ae DeleteFileA 54948->54949 54948->54951 54949->54911 54950 6c1d58bd 54949->54950 54950->54940 54952 6c1d58e8 ___CxxFrameHandler 54950->54952 54951->54940 54951->54948 54952->54911 54953->54890 54954->54877 54955->54887 54956->54893 54957->54897 54958->54914 54959->54906 54960->54928 54961->54938 54962->54945 54963->54951 54964->54920 54965->54924 54966->54926 54967->54930 54968->54934

            Control-flow Graph

            APIs
            • CryptAcquireContextW.ADVAPI32 ref: 6C1C5799
            • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 6C1C57FD
            • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 6C1C5827
            • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?), ref: 6C1C5890
            • CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 6C1C58B8
            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 6C1C59ED
            • CryptDestroyHash.ADVAPI32(?), ref: 6C1C59F8
            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C1C5A33
            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C1C5B7A
            • ___std_exception_copy.LIBVCRUNTIME ref: 6C1C5B9E
              • Part of subcall function 6C31B6F1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1C22CA,?,?,?,6C1F5BF2,6C1C22CA,6C39B17C,?,6C1C22CA,string too long,6C1D6933), ref: 6C31B752
            • ___std_exception_copy.LIBVCRUNTIME ref: 6C1C5D6D
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Crypt$Hash$Context$DataParamRelease___std_exception_copy$AcquireCreateDestroyExceptionRaise
            • String ID: X;5l
            • API String ID: 1086747659-3791003109
            • Opcode ID: c8b99acb75422583d9c58ee2c00790441cdb9c3591eaf9d3635831f50d6307e0
            • Instruction ID: 689c28173ab485227f669e71069ba95c03ffe2ff66042f4d38692ae297fbe9e5
            • Opcode Fuzzy Hash: c8b99acb75422583d9c58ee2c00790441cdb9c3591eaf9d3635831f50d6307e0
            • Instruction Fuzzy Hash: A622ADB2E112189FDB14CFA4CC85AAEBBB9EF55704F148229F405EB750EB389944CF91

            Control-flow Graph

            APIs
              • Part of subcall function 6C1C556C: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C1C55B5
              • Part of subcall function 6C1C556C: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C1C562D
            • CryptAcquireContextW.ADVAPI32 ref: 6C1C5EBA
            • CryptImportKey.ADVAPI32(?,?,00000014,00000000,00000000,?), ref: 6C1C5EFE
            • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 6C1C5F16
            • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000), ref: 6C1C5F35
            • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 6C1C5FC1
            • CryptDestroyKey.ADVAPI32(?,?,?), ref: 6C1C5FCC
            • CryptReleaseContext.ADVAPI32(?,00000000,?,?), ref: 6C1C5FD6
            • ___std_exception_copy.LIBVCRUNTIME ref: 6C1C6303
            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C1C632F
            • ___std_exception_copy.LIBVCRUNTIME ref: 6C1C6356
            • CryptDestroyKey.ADVAPI32(?), ref: 6C1C6381
            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C1C638D
            • ___std_exception_copy.LIBVCRUNTIME ref: 6C1C63B4
              • Part of subcall function 6C31B6F1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1C22CA,?,?,?,6C1F5BF2,6C1C22CA,6C39B17C,?,6C1C22CA,string too long,6C1D6933), ref: 6C31B752
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Crypt$Context$Release___std_exception_copy$BinaryDestroyParamString$AcquireDecryptExceptionImportRaise
            • String ID: Salt$X;5l$ed__
            • API String ID: 2404961614-1500593774
            • Opcode ID: c6f9b42494f9374cab455d1a34790ec082657caf54cb5ce598dc3cd993f52782
            • Instruction ID: 89a1c136400e23ecb5ad8a5ae8ea993eda4fba517a74f74da063ed1459cc29d5
            • Opcode Fuzzy Hash: c6f9b42494f9374cab455d1a34790ec082657caf54cb5ce598dc3cd993f52782
            • Instruction Fuzzy Hash: C8228EB2E012189FDB14CF68CC55BAEBBB9EF65304F148229F805E7740E7799944CB92
            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C1D5111
            • Process32FirstW.KERNEL32(00000000,?), ref: 6C1D5148
            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000002,00000000), ref: 6C1D5176
            • _strlen.LIBCMT ref: 6C1D518D
            • Process32NextW.KERNEL32(?,?), ref: 6C1D52AE
            • CloseHandle.KERNELBASE(00000000,?,00000002,00000000), ref: 6C1D52BC
            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 6C1D52D2
            • SHGetFolderPathA.SHELL32 ref: 6C1D532D
            • _strlen.LIBCMT ref: 6C1D534B
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CloseHandleProcess32_strlen$ByteCharCreateFirstFolderMultiNextPathSnapshotToolhelp32Wide
            • String ID:
            • API String ID: 2690550405-0
            • Opcode ID: f240ba640434381dc7d740846119cc3db93d8251eeb445dc6882651dabafe7de
            • Instruction ID: b536bde2b1366be9ce9eb85bc8e00e2b05b75adb0041b0481163d3e34d94ede8
            • Opcode Fuzzy Hash: f240ba640434381dc7d740846119cc3db93d8251eeb445dc6882651dabafe7de
            • Instruction Fuzzy Hash: 97122BB2E002148FDB14CF68CC907DEB7F6FF89324F264228E855A7781EB35A9458B51
            APIs
            • GetFileAttributesA.KERNELBASE(?), ref: 6C1D5E3E
            • SHGetFolderPathA.SHELL32 ref: 6C1D5E61
            • _strlen.LIBCMT ref: 6C1D5E7F
            • GetFileAttributesA.KERNELBASE(?), ref: 6C1D6434
            • CoInitialize.OLE32(00000000), ref: 6C1D648E
            • CoCreateInstance.OLE32(6C358C90,00000000,00000001,6C355330,00000000), ref: 6C1D64A5
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 6C1D64D4
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104), ref: 6C1D6570
            • CoUninitialize.COMBASE ref: 6C1D6594
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AttributesByteCharFileMultiWide$CreateFolderInitializeInstancePathUninitialize_strlen
            • String ID:
            • API String ID: 1074249417-0
            • Opcode ID: 0d881b455b8f6a47062ed0628fa54d88063a855bd6c38c650ccdbf12e55798ec
            • Instruction ID: 862f194360e9fc36bf9a568df9c31dafce308e4d4bc89522f289c508da62163f
            • Opcode Fuzzy Hash: 0d881b455b8f6a47062ed0628fa54d88063a855bd6c38c650ccdbf12e55798ec
            • Instruction Fuzzy Hash: 4E52D2B1E002188FDB14CF68CC947DEBBB6FF49318F164668E519E7780EB34A9858B51

            Control-flow Graph

            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1F7C62
              • Part of subcall function 6C1DD1DC: __EH_prolog3.LIBCMT ref: 6C1DD1E3
              • Part of subcall function 6C1DD1DC: GetWindowDC.USER32(00000000,00000004,6C1F78A0,00000000), ref: 6C1DD20F
            • GetDeviceCaps.GDI32(?,00000058), ref: 6C1F7C82
            • DeleteObject.GDI32(00000000), ref: 6C1F7CDE
            • DeleteObject.GDI32(00000000), ref: 6C1F7CFC
            • DeleteObject.GDI32(00000000), ref: 6C1F7D1A
            • DeleteObject.GDI32(00000000), ref: 6C1F7D38
            • DeleteObject.GDI32(00000000), ref: 6C1F7D56
            • DeleteObject.GDI32(00000000), ref: 6C1F7D74
            • DeleteObject.GDI32(00000000), ref: 6C1F7D92
            • DeleteObject.GDI32(00000000), ref: 6C1F7DB0
            • DeleteObject.GDI32(00000000), ref: 6C1F7DCE
            • DeleteObject.GDI32(00000000), ref: 6C1F7DEC
            • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C1F7E24
            • lstrcpyW.KERNEL32(?,?), ref: 6C1F7E79
            • EnumFontFamiliesW.GDI32(?,00000000,6C1F8905,Segoe UI), ref: 6C1F7EA0
            • lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C1F7EB3
            • EnumFontFamiliesW.GDI32(?,00000000,6C1F8905,Tahoma), ref: 6C1F7ED1
            • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C1F7EEB
            • CreateFontIndirectW.GDI32(?), ref: 6C1F7EF5
            • CreateFontIndirectW.GDI32(?), ref: 6C1F7F3D
            • CreateFontIndirectW.GDI32(?), ref: 6C1F7F7C
            • CreateFontIndirectW.GDI32(?), ref: 6C1F7FA8
            • CreateFontIndirectW.GDI32(?), ref: 6C1F7FC9
            • GetSystemMetrics.USER32(00000048), ref: 6C1F7FE8
            • lstrcpyW.KERNEL32(?,Marlett), ref: 6C1F7FFB
            • CreateFontIndirectW.GDI32(?), ref: 6C1F8005
            • GetStockObject.GDI32(00000011), ref: 6C1F8031
            • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C1F804C
            • lstrcpyW.KERNEL32(?,Arial), ref: 6C1F808D
            • CreateFontIndirectW.GDI32(?), ref: 6C1F8097
            • CreateFontIndirectW.GDI32(?), ref: 6C1F80B0
            • GetObjectW.GDI32(?,0000005C,?), ref: 6C1F80CE
            • CreateFontIndirectW.GDI32(?), ref: 6C1F80DC
            • CreateFontIndirectW.GDI32(?), ref: 6C1F80FD
              • Part of subcall function 6C1F874A: __EH_prolog3_GS.LIBCMT ref: 6C1F8751
              • Part of subcall function 6C1F874A: GetTextMetricsW.GDI32(?,?), ref: 6C1F8786
              • Part of subcall function 6C1F874A: GetTextMetricsW.GDI32(?,?), ref: 6C1F87C6
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
            • String ID: Arial$D}5l$MS Sans Serif$Marlett$Segoe UI$Tahoma
            • API String ID: 2837096512-2213279153
            • Opcode ID: 9ec5596302dd8b061864817822f8d7e13483d81e1bab0457930dc566d991217e
            • Instruction ID: 43e3defd840aae652045387339b38edccd1ec5f9c02e99c8a6e418006496d532
            • Opcode Fuzzy Hash: 9ec5596302dd8b061864817822f8d7e13483d81e1bab0457930dc566d991217e
            • Instruction Fuzzy Hash: 90E17D70A003499FDF119FB4C818BEEB7FDAF06309F00465AA52AE7641EB34958ACF50

            Control-flow Graph
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1F7841
            • GetSysColor.USER32(00000016), ref: 6C1F784A
            • GetSysColor.USER32(0000000F), ref: 6C1F785D
            • GetSysColor.USER32(00000015), ref: 6C1F7874
            • GetSysColor.USER32(0000000F), ref: 6C1F7880
            • GetDeviceCaps.GDI32(?,0000000C), ref: 6C1F78A8
            • GetSysColor.USER32(0000000F), ref: 6C1F78B6
            • GetSysColor.USER32(00000010), ref: 6C1F78C4
            • GetSysColor.USER32(00000015), ref: 6C1F78D2
            • GetSysColor.USER32(00000016), ref: 6C1F78E0
            • GetSysColor.USER32(00000014), ref: 6C1F78EE
            • GetSysColor.USER32(00000012), ref: 6C1F78FC
            • GetSysColor.USER32(00000011), ref: 6C1F790A
            • GetSysColor.USER32(00000006), ref: 6C1F7915
            • GetSysColor.USER32(0000000D), ref: 6C1F7920
            • GetSysColor.USER32(0000000E), ref: 6C1F792B
            • GetSysColor.USER32(00000005), ref: 6C1F7936
            • GetSysColor.USER32(00000008), ref: 6C1F7944
            • GetSysColor.USER32(00000009), ref: 6C1F794F
            • GetSysColor.USER32(00000007), ref: 6C1F795A
            • GetSysColor.USER32(00000002), ref: 6C1F7965
            • GetSysColor.USER32(00000003), ref: 6C1F7970
            • GetSysColor.USER32(0000001B), ref: 6C1F797E
            • GetSysColor.USER32(0000001C), ref: 6C1F798C
            • GetSysColor.USER32(0000000A), ref: 6C1F799A
            • GetSysColor.USER32(0000000B), ref: 6C1F79A8
            • GetSysColor.USER32(00000013), ref: 6C1F79B6
            • GetSysColor.USER32(0000001A), ref: 6C1F79DF
            • GetSysColorBrush.USER32(00000010), ref: 6C1F79F0
            • GetSysColorBrush.USER32(00000014), ref: 6C1F7A03
            • GetSysColorBrush.USER32(00000005), ref: 6C1F7A16
            • CreateSolidBrush.GDI32(?), ref: 6C1F7A37
            • CreateSolidBrush.GDI32(?), ref: 6C1F7A55
            • CreateSolidBrush.GDI32(?), ref: 6C1F7A73
            • CreateSolidBrush.GDI32(?), ref: 6C1F7A94
            • CreateSolidBrush.GDI32(?), ref: 6C1F7AB2
            • CreateSolidBrush.GDI32(?), ref: 6C1F7AD0
            • CreateSolidBrush.GDI32(?), ref: 6C1F7AEE
            • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C1F7B14
            • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C1F7B38
            • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C1F7B5C
            • CreateSolidBrush.GDI32(?), ref: 6C1F7BDA
            • CreatePatternBrush.GDI32(00000000), ref: 6C1F7C18
              • Part of subcall function 6C1DC4FE: DeleteObject.GDI32(00000000), ref: 6C1DC50D
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
            • String ID:
            • API String ID: 3754413814-0
            • Opcode ID: 4b2f71fd262529721167fee55843f6e4a1f29f2bc94cb78f77ce0da04023ddc3
            • Instruction ID: 06fd7fa25118a4255cc3a6c5bcd18fcc27e7b3cb4798bb6265bb88f6c8ff59e9
            • Opcode Fuzzy Hash: 4b2f71fd262529721167fee55843f6e4a1f29f2bc94cb78f77ce0da04023ddc3
            • Instruction Fuzzy Hash: F1C1F371B00B06AFDB04AFB488587DDBBB5BF05706F040619E616D7A80EB75A4A6CFD0

            Control-flow Graph
            APIs
            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C1EDB74,?,6C1E26E9,?,6C1ED034), ref: 6C1FE7BE
            • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,?,?,?,?,6C1EDB74,?,6C1E26E9,?,6C1ED034), ref: 6C1FE830
            • GlobalHandle.KERNEL32(?), ref: 6C1FE83A
            • GlobalUnlock.KERNEL32(00000000), ref: 6C1FE84C
            • GlobalReAlloc.KERNEL32(?,00000000), ref: 6C1FE867
            • GlobalLock.KERNEL32(00000000), ref: 6C1FE872
            • LeaveCriticalSection.KERNEL32(?), ref: 6C1FE8BF
            • GlobalHandle.KERNEL32(?), ref: 6C1FE8D3
            • GlobalLock.KERNEL32(00000000), ref: 6C1FE8DE
            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C1EDB74,?,6C1E26E9,?,6C1ED034,F0C0CBE2), ref: 6C1FE8ED
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
            • String ID:
            • API String ID: 2667261700-0
            • Opcode ID: 7019322acb73a6667704dccefe91cfa4d55433106a7c32c10bec2a73c9d7c3c8
            • Instruction ID: cb798e98c5eef26ecbc72576dcff202f9cb0689784250420c3c8f7c026375695
            • Opcode Fuzzy Hash: 7019322acb73a6667704dccefe91cfa4d55433106a7c32c10bec2a73c9d7c3c8
            • Instruction Fuzzy Hash: 0741D47060121AEFDF04AF64C885B99BBF8FF01305F104265E426D7A50EB71EAA2CBD0

            Control-flow Graph
            APIs
              • Part of subcall function 6C341F73: CreateFileW.KERNELBASE(6C1D6E59,00000000,?,6C341C17,?,?,00000000,?,6C341C17,6C1D6E59,0000000C), ref: 6C341F90
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C341C82
            • __dosmaperr.LIBCMT ref: 6C341C89
            • GetFileType.KERNELBASE(00000000), ref: 6C341C95
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C341C9F
            • __dosmaperr.LIBCMT ref: 6C341CA8
            • CloseHandle.KERNEL32(00000000), ref: 6C341CC8
            • CloseHandle.KERNEL32(6C338E1C), ref: 6C341E15
            • GetLastError.KERNEL32 ref: 6C341E47
            • __dosmaperr.LIBCMT ref: 6C341E4E
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
            • String ID:
            • API String ID: 4237864984-0
            • Opcode ID: 1801c0daf84b6d4c19d37a60fa82fd1eba9ce02dfe0fd076f0b320318ce94115
            • Instruction ID: bff4e554e62135ef85057e1511d17a645c625b9e27a6b80a660e8ab14e80213c
            • Opcode Fuzzy Hash: 1801c0daf84b6d4c19d37a60fa82fd1eba9ce02dfe0fd076f0b320318ce94115
            • Instruction Fuzzy Hash: 78A17632A245449FCF099F68CC55BAD3BF4EB07328F184259E851AB790D732C826CF92

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID:
            • String ID: QQPh$VQi'
            • API String ID: 0-4065925739
            • Opcode ID: 1b9eebb29c869307ff0c41c4d6c05bd4f5ebf8b72bcc097ee253fc7ec4fc68b5
            • Instruction ID: dc02c0acbe79bad73748d807dd62b9f26e5e52c00310de3393aadb24f9cccad8
            • Opcode Fuzzy Hash: 1b9eebb29c869307ff0c41c4d6c05bd4f5ebf8b72bcc097ee253fc7ec4fc68b5
            • Instruction Fuzzy Hash: 5FB125B2D001149FDB14CFA8CC947EEB7B6EF49314F160629E815A7784EB34BD858B91

            Control-flow Graph

            APIs
              • Part of subcall function 6C1D6707: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C1D6745
              • Part of subcall function 6C1D6707: _strlen.LIBCMT ref: 6C1D6759
            • CreateThread.KERNELBASE(00000000,00000000,Function_00015A00,6C3ADF78,00000000,00000000), ref: 6C1D70CB
            • CreateThread.KERNELBASE(00000000,00000000,6C1D50F3,00000000,00000000,00000000), ref: 6C1D70DD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CreateThread$FileModuleName_strlen
            • String ID: QQPh$VQi'
            • API String ID: 3685154038-4065925739
            • Opcode ID: d1d8b508f0e9afe1a88e1545f4e2da7016febcb8c29b1a60d1faf7e968540972
            • Instruction ID: 4ffef70b29a942a7e065a0805928d523bf6c5d51312d2a61858908427f0e915a
            • Opcode Fuzzy Hash: d1d8b508f0e9afe1a88e1545f4e2da7016febcb8c29b1a60d1faf7e968540972
            • Instruction Fuzzy Hash: 028126B2D001149FDB14CFA8CC947EDB7B6EF4A314F160629E815A7784DB34BD858B91

            Control-flow Graph

            APIs
            • __EH_prolog3.LIBCMT ref: 6C25A439
              • Part of subcall function 6C1FC870: EnterCriticalSection.KERNEL32(6C3B0410,?,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8A1
              • Part of subcall function 6C1FC870: InitializeCriticalSection.KERNEL32(00000000,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8B7
              • Part of subcall function 6C1FC870: LeaveCriticalSection.KERNEL32(6C3B0410,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8C5
              • Part of subcall function 6C1FC870: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8D2
            • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C25A48C
            • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C25A4A2
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
            • String ID: DragDelay$DragMinDist$windows
            • API String ID: 3965097884-2101198082
            • Opcode ID: 5a43c390c20ee3a28b7e2db0c97f3302aa8d2d5457051d7c83324aea36b516bc
            • Instruction ID: cdd21517bebff042e48e9d3e0e90ec8c9db01a15e5a70272d873993f54f8a8f3
            • Opcode Fuzzy Hash: 5a43c390c20ee3a28b7e2db0c97f3302aa8d2d5457051d7c83324aea36b516bc
            • Instruction Fuzzy Hash: EA0171B4A017409FDB60DF76851674ABAF4BF19704F40491EE14ADBF40E7B4A005CF08

            Control-flow Graph
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f940ea811c28dd637aaa43a4a2f2b142d407214eb1fe4911266d33520e826e3b
            • Instruction ID: 0aa976d4f4c57e03e23cb574a0ed0f6888608b0da96d9cea1648c9c69cf9fd9d
            • Opcode Fuzzy Hash: f940ea811c28dd637aaa43a4a2f2b142d407214eb1fe4911266d33520e826e3b
            • Instruction Fuzzy Hash: C3B13870A04699AFDF05CF99C884BAD7BB8BF4631CF145249E4589FB41CB329941CFA1

            Control-flow Graph

            APIs
            • CreateThread.KERNELBASE(00000000,00000000,Function_00015A00,6C3ADF78,00000000,00000000), ref: 6C1D70CB
            • CreateThread.KERNELBASE(00000000,00000000,6C1D50F3,00000000,00000000,00000000), ref: 6C1D70DD
            • WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6C1D70F3
            • CloseHandle.KERNEL32(00000000), ref: 6C1D7105
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CreateThread$CloseHandleObjectSingleWait
            • String ID: QQPh
            • API String ID: 15858426-3327739746
            • Opcode ID: ebc7ba0645c3b7962200d797e113641bee09789842fc882ef29f83db4818debc
            • Instruction ID: 1c88eb76aeefee0389f3cd37b9c491870e721c9d960fade36e3bb95bf091e217
            • Opcode Fuzzy Hash: ebc7ba0645c3b7962200d797e113641bee09789842fc882ef29f83db4818debc
            • Instruction Fuzzy Hash: DA3129B2E001149FEB148F68DC58BAE73BAEF46314F160225E816E7684E734FD818BD1

            Control-flow Graph
            APIs
            • GetCommandLineW.KERNEL32(00000001), ref: 00E21C61
            • CommandLineToArgvW.SHELL32(00000000), ref: 00E21C68
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00E20000), ref: 00E21CD3
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00E21CF3
            • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00E20000,00000000,00000000,00000000,00E22778,00000014), ref: 00E21D25
            Memory Dump Source
            • Source File: 00000003.00000002.1780458776.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
            • Associated: 00000003.00000002.1780443399.0000000000E20000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780486959.0000000000E23000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E24000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E66000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_e20000_Update.jbxd
            Similarity
            • API ID: ByteCharCommandLineMultiWide$ArgvFreeLocal
            • String ID:
            • API String ID: 4060259846-0
            • Opcode ID: a00b8f9cfcd934c74b887d476dfe21231c45101da40b936540e4a7c1f1a8d3fb
            • Instruction ID: 9d1b267c1e394fe60b8ef23af7b6268e7d1989b6ba87069f48247d5224d350b2
            • Opcode Fuzzy Hash: a00b8f9cfcd934c74b887d476dfe21231c45101da40b936540e4a7c1f1a8d3fb
            • Instruction Fuzzy Hash: A331B070604315AFE720EF28AC45F1B77E4EF94715F10092CFA55AB2C0D670AE098B62

            Control-flow Graph (basic blocks and edges)
            • 1218: 6c31b498-6c31b4a9, call 6c1f6bf0 → 1221, 1222
            • 1221: 6c31b4ab-6c31b4b1 → 1222, 1223
            • 1222: 6c31b4ba-6c31b4c1 → 1224, 1225
            • 1223: 6c31b4b3-6c31b4b5 → 1228
            • 1224: 6c31b4c3-6c31b4c6 → 1225, 1229
            • 1225: 6c31b4cd-6c31b4e1, dllmain_raw → 1226, 1227
            • 1226: 6c31b4e7-6c31b4f8, dllmain_crt_dispatch → 1227, 1230
            • 1227: 6c31b58a-6c31b591 → 1228
            • 1228: 6c31b593-6c31b5a2 (no successors)
            • 1229: 6c31b4c8-6c31b4cb → 1230
            • 1230: 6c31b4fe-6c31b510, call 6c287be5 → 1233, 1234
            • 1233: 6c31b512-6c31b514 → 1234, 1235
            • 1234: 6c31b539-6c31b53b → 1236, 1237
            • 1235: 6c31b516-6c31b534, call 6c287be5, call 6c31b36c, dllmain_raw → 1234
            • 1236: 6c31b542-6c31b553, dllmain_crt_dispatch → 1227, 1239
            • 1237: 6c31b53d-6c31b540 → 1227, 1236
            • 1239: 6c31b555-6c31b587, dllmain_raw → 1227
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: dllmain_raw$dllmain_crt_dispatch
            • String ID:
            • API String ID: 3136044242-0
            • Opcode ID: 8f97b44b8ea5e93fef2eb0182deb562aae93e6fee3aaf5d3953964c9167cec62
            • Instruction ID: 61bf8dc9a07e599550ef9d7a18d161bdd4a72e0920cf52a588ecc6ba501fb00f
            • Opcode Fuzzy Hash: 8f97b44b8ea5e93fef2eb0182deb562aae93e6fee3aaf5d3953964c9167cec62
            • Instruction Fuzzy Hash: 172171F2D09559AECB258F56CC40AAE3A79EB41B9CF018125F8155FF60CB328D458FA0

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: FileModuleName_strlen
            • String ID: Upda$dll$te.d
            • API String ID: 2404361900-2264352279
            • Opcode ID: d630f4307509fced1af938fef395305ee165f5e08b0e8f96a13adec1ad3b2870
            • Instruction ID: d86eb6a7ff3a4dcca94db2959369984d651724f04db4b09aae854f4bafaa69f2
            • Opcode Fuzzy Hash: d630f4307509fced1af938fef395305ee165f5e08b0e8f96a13adec1ad3b2870
            • Instruction Fuzzy Hash: 7131C1B1D017489FEB10CFA4C985BEEBBB9FF05304F114918E855AB680D734BA49CB91

            Control-flow Graph (basic blocks and edges)
            • 1261: 6c1f3a37-6c1f3a4a, GetModuleHandleW → 1262, 1263
            • 1262: 6c1f3a4c-6c1f3a5d, GetProcAddress → 1264, 1265
            • 1263: 6c1f3a71-6c1f3a73 (no successors)
            • 1264: 6c1f3a5f-6c1f3a6e → 1265
            • 1265: 6c1f3a70 → 1263
            APIs
            • GetModuleHandleW.KERNEL32(Shell32,?,?,6C1D7CE7,YSS.AppID.NoVersion,00000000,?,00000000,?,00000000,6C1D8345,?), ref: 6C1F3A42
            • GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C1F3A53
            Strings
            • SetCurrentProcessExplicitAppUserModelID, xrefs: 6C1F3A4D
            • Shell32, xrefs: 6C1F3A3B
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
            • API String ID: 1646373207-2658420654
            • Opcode ID: 885dbfcecaa294888969a9bb56e0b1ffff17a470255574f385438ddfcd4947a9
            • Instruction ID: 6a32ae48010fc17cf924d7bed7ae901e4373f4eb067a7b44da2f137288b23ae8
            • Opcode Fuzzy Hash: 885dbfcecaa294888969a9bb56e0b1ffff17a470255574f385438ddfcd4947a9
            • Instruction Fuzzy Hash: F8E08635701726678A265F66DC58C9B7FACDB956A1300003AF917C3700DE35D801CAE4
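The function above is the one concrete instance on this page of the behaviour the report's signatures flag as "Contains functionality to dynamically determine API calls": a module handle is fetched with GetModuleHandleW and an export is looked up by name with GetProcAddress, so the dependency never appears in the import table. Added here as an example (this is not part of the Joe Sandbox report and not the sample's own code): a small Python triage helper that parses the per-function "APIs" annotation lines exactly as they are printed in this report and pairs each GetProcAddress with the nearest preceding GetModuleHandle/LoadLibrary call, yielding a list of runtime-resolved exports for the analyst. The sample lines are copied from the functions at 6C1F3A37 and 6C1E2833 on this page; the line shape the regex expects, and the nearest-preceding-resolver pairing (valid because each "APIs" section covers one function), are assumptions about how the report reads after extraction. One caveat worth keeping in mind: GetModuleHandleW("Shell32") followed by GetProcAddress("SetCurrentProcessExplicitAppUserModelID"), together with an AppID string of the form X.AppID.NoVersion, is the pattern MFC startup code emits for wizard-generated SetAppID calls, so this particular hit is framework boilerplate; the value of the helper is in listing every runtime-resolved export so the unusual ones stand out against such known-benign pairs.

```python
"""Triage helper for the per-function "APIs" annotations in a Joe Sandbox report.

Added example for this page; it is not part of the report, of Joe Sandbox, or of
the analysed sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample input: annotation lines copied verbatim from this report (the function
# at 6C1F3A37 and two LIBCMT lines from 6C1E2833). Only their grouping into one
# string is constructed.
SAMPLE_APIS = """\
• GetModuleHandleW.KERNEL32(Shell32,?,?,6C1D7CE7,YSS.AppID.NoVersion,00000000,?,00000000,?,00000000,6C1D8345,?), ref: 6C1F3A42
• GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C1F3A53
• __EH_prolog3_GS.LIBCMT ref: 6C1E2833
  • Part of subcall function 6C1F1666: __EH_prolog3.LIBCMT ref: 6C1F166D
"""

# Assumed line shape (what this report shows after extraction):
#   [• ][Part of subcall function ADDR: ]API.MODULE[(arg,arg,...)][,] ref: ADDR
CALL_RE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_.-]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# APIs that turn a module name into a base address; a GetProcAddress that
# follows one of them is a runtime-resolved import.
RESOLVER_APIS = frozenset({
    "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExA", "GetModuleHandleExW",
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
})


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str                 # DLL the sandbox attributed the call to
    args: tuple[str, ...]       # literal args as printed; '?' = not recovered
    ref: int                    # address of the call site
    subcall: Optional[int]      # callee address when inherited from a subcall line


def parse_api_lines(text: str) -> list[ApiCall]:
    """Parse every annotation line matching CALL_RE; silently skip the rest."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args is not None else ()
        sub = m.group("sub")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(sub, 16) if sub else None,
        ))
    return calls


def _is_literal_name(arg: str) -> bool:
    # Joe Sandbox prints unrecovered or numeric arguments as '?' or as 8 hex
    # digits (an ordinal lookup shows up that way); anything else is a string.
    return re.fullmatch(r"\?|[0-9A-Fa-f]{8}", arg) is None


def dynamic_imports(calls: list[ApiCall]) -> list[tuple[str, str]]:
    """Return (module argument, export name) for each GetProcAddress whose export
    name was recovered, paired with the nearest preceding resolver call by
    address. Assumes the list covers a single function, as the per-function
    "APIs" sections of the report do."""
    found: list[tuple[str, str]] = []
    last_module = "?"
    for c in sorted(calls, key=lambda c: c.ref):
        if c.api in RESOLVER_APIS:
            last_module = c.args[0] if c.args else "?"
        elif c.api == "GetProcAddress" and len(c.args) >= 2 and _is_literal_name(c.args[1]):
            found.append((last_module, c.args[1]))
    return found


if __name__ == "__main__":
    for module, export in dynamic_imports(parse_api_lines(SAMPLE_APIS)):
        print(f"runtime-resolved: {module}!{export}")
```

Run against the sample lines it reports `Shell32!SetCurrentProcessExplicitAppUserModelID`; a GetProcAddress whose second argument is an 8-digit hex value (ordinal or unrecovered pointer) is deliberately dropped rather than reported as a name.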
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: _strlen$Sleep
            • String ID:
            • API String ID: 2737124692-0
            • Opcode ID: 152b9735f252d34ad5602a6418b34128cc67ae248f0361ddef90ee174ddf103e
            • Instruction ID: 053f379214c29da11b68b96854be37a331392f409f6036696df25c148a78f9a3
            • Opcode Fuzzy Hash: 152b9735f252d34ad5602a6418b34128cc67ae248f0361ddef90ee174ddf103e
            • Instruction Fuzzy Hash: 2771D3F2D012289BCB10CFB4DC807DE7BB6EF19354F160625E858A7B80F735AA448B91
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1E2833
              • Part of subcall function 6C1F1666: __EH_prolog3.LIBCMT ref: 6C1F166D
            • GetCurrentThread.KERNEL32 ref: 6C1E2892
            • GetCurrentThreadId.KERNEL32 ref: 6C1E289B
            • GetVersionExW.KERNEL32 ref: 6C1E2937
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CurrentThread$H_prolog3H_prolog3_Version
            • String ID:
            • API String ID: 786120064-0
            • Opcode ID: 3dd4ed54c61ae059d6c58caa589d2ca948a233fdc433f285be68f5245edbf1eb
            • Instruction ID: e0e1607e2ff8dda66307a1b7618712006fa09b985af275f09e95c78e14ddbdc0
            • Opcode Fuzzy Hash: 3dd4ed54c61ae059d6c58caa589d2ca948a233fdc433f285be68f5245edbf1eb
            • Instruction Fuzzy Hash: DE5100B0A01B118FDB258F2A849868AFBF4BF49304F50896ED5AEC7B00DB70A545CF55
            APIs
            • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C1F77DA
            • VerSetConditionMask.KERNEL32(00000000), ref: 6C1F77E2
            • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C1F77F3
            • GetSystemMetrics.USER32(00001000), ref: 6C1F7804
              • Part of subcall function 6C1F783A: __EH_prolog3.LIBCMT ref: 6C1F7841
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000016), ref: 6C1F784A
              • Part of subcall function 6C1F783A: GetSysColor.USER32(0000000F), ref: 6C1F785D
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000015), ref: 6C1F7874
              • Part of subcall function 6C1F783A: GetSysColor.USER32(0000000F), ref: 6C1F7880
              • Part of subcall function 6C1F783A: GetDeviceCaps.GDI32(?,0000000C), ref: 6C1F78A8
              • Part of subcall function 6C1F783A: GetSysColor.USER32(0000000F), ref: 6C1F78B6
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000010), ref: 6C1F78C4
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000015), ref: 6C1F78D2
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000016), ref: 6C1F78E0
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000014), ref: 6C1F78EE
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000012), ref: 6C1F78FC
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000011), ref: 6C1F790A
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000006), ref: 6C1F7915
              • Part of subcall function 6C1F783A: GetSysColor.USER32(0000000D), ref: 6C1F7920
              • Part of subcall function 6C1F783A: GetSysColor.USER32(0000000E), ref: 6C1F792B
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000005), ref: 6C1F7936
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000008), ref: 6C1F7944
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000009), ref: 6C1F794F
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000007), ref: 6C1F795A
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000002), ref: 6C1F7965
              • Part of subcall function 6C1F783A: GetSysColor.USER32(00000003), ref: 6C1F7970
              • Part of subcall function 6C1F783A: GetSysColor.USER32(0000001B), ref: 6C1F797E
              • Part of subcall function 6C1F783A: GetSysColor.USER32(0000001C), ref: 6C1F798C
              • Part of subcall function 6C1F783A: GetSysColor.USER32(0000000A), ref: 6C1F799A
              • Part of subcall function 6C1F7C58: __EH_prolog3_GS.LIBCMT ref: 6C1F7C62
              • Part of subcall function 6C1F7C58: GetDeviceCaps.GDI32(?,00000058), ref: 6C1F7C82
              • Part of subcall function 6C1F7C58: DeleteObject.GDI32(00000000), ref: 6C1F7CDE
              • Part of subcall function 6C1F7C58: DeleteObject.GDI32(00000000), ref: 6C1F7CFC
              • Part of subcall function 6C1F7C58: DeleteObject.GDI32(00000000), ref: 6C1F7D1A
              • Part of subcall function 6C1F7C58: DeleteObject.GDI32(00000000), ref: 6C1F7D38
              • Part of subcall function 6C1F7C58: DeleteObject.GDI32(00000000), ref: 6C1F7D56
              • Part of subcall function 6C1F7C58: DeleteObject.GDI32(00000000), ref: 6C1F7D74
              • Part of subcall function 6C1F7C58: DeleteObject.GDI32(00000000), ref: 6C1F7D92
              • Part of subcall function 6C1F7C58: DeleteObject.GDI32(00000000), ref: 6C1F7DB0
              • Part of subcall function 6C1F8177: GetSystemMetrics.USER32(00000031), ref: 6C1F8185
              • Part of subcall function 6C1F8177: GetSystemMetrics.USER32(00000032), ref: 6C1F8193
              • Part of subcall function 6C1F8177: SetRectEmpty.USER32(?), ref: 6C1F81A6
              • Part of subcall function 6C1F8177: EnumDisplayMonitors.USER32(00000000,00000000,6C1F894F,?,?,?), ref: 6C1F81B6
              • Part of subcall function 6C1F8177: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C1F81C5
              • Part of subcall function 6C1F8177: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C1F81F2
              • Part of subcall function 6C1F8177: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C1F8206
              • Part of subcall function 6C1F8177: SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C1F822C
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
            • String ID:
            • API String ID: 2442922003-0
            • Opcode ID: cfeaa3df643940ee58db0c63eba4c84ae89387b6fb5a25c9077b60f58f9aaf7d
            • Instruction ID: 13834426bd49f2185215762214755e1d6decda6e2b7f4ed9f108aaefbd475391
            • Opcode Fuzzy Hash: cfeaa3df643940ee58db0c63eba4c84ae89387b6fb5a25c9077b60f58f9aaf7d
            • Instruction Fuzzy Hash: FF11A3B0A00318ABDB159F759C59FEF76FCEB8A709F40055EA24696280DBB14A45CFD0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID: GL\X
            • API String ID: 2638373210-767099042
            • Opcode ID: f50627584f8ae813fa0e8e73bbecc42529a2e3f3997c3b6ee8ce4f89ae63f6b3
            • Instruction ID: b35829216d91ae796c72cca128e9fb0f14df0f6365ea89a10da100bb3336369b
            • Opcode Fuzzy Hash: f50627584f8ae813fa0e8e73bbecc42529a2e3f3997c3b6ee8ce4f89ae63f6b3
            • Instruction Fuzzy Hash: DD51F7767052148FCB08CE3DD890A5A73E5EFD9718F164269FC48CB785D639EC098B92
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1F7428
              • Part of subcall function 6C1F777D: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C1F77DA
              • Part of subcall function 6C1F777D: VerSetConditionMask.KERNEL32(00000000), ref: 6C1F77E2
              • Part of subcall function 6C1F777D: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C1F77F3
              • Part of subcall function 6C1F777D: GetSystemMetrics.USER32(00001000), ref: 6C1F7804
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
            • String ID: (^5l$D}5l
            • API String ID: 2710481357-2160771677
            • Opcode ID: e86bdab5880e0cb1adaabbcc9a51bb0ae80a4ec8164c20bae4c544cf00e3a772
            • Instruction ID: 4eb6b2d8a66806cec06fe905d8a160d46661a50ac23f4ea20c54597e5998206d
            • Opcode Fuzzy Hash: e86bdab5880e0cb1adaabbcc9a51bb0ae80a4ec8164c20bae4c544cf00e3a772
            • Instruction Fuzzy Hash: E551CCB0906F458FD3A9CF3A85417C6FAE0BF89300F50CA2E91AED6760EB7061858F55
            APIs
            • DeleteFileW.KERNELBASE(6C32F26E,?,6C32F26E,?,?,?,?), ref: 6C33C141
            • GetLastError.KERNEL32(?,6C32F26E,?,?,?,?), ref: 6C33C14B
            • __dosmaperr.LIBCMT ref: 6C33C152
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: DeleteErrorFileLast__dosmaperr
            • String ID:
            • API String ID: 1545401867-0
            • Opcode ID: 7b866e19b3c5ecface1c935f509e3ff47da21b533c55f6106b2af09e11692abb
            • Instruction ID: 39742c241645f81f72a86898e98696e2c4ae7cbaa2767a96ab82c30ec8e5f561
            • Opcode Fuzzy Hash: 7b866e19b3c5ecface1c935f509e3ff47da21b533c55f6106b2af09e11692abb
            • Instruction Fuzzy Hash: 69D0123221824A6B8F012EF6AC0C8463B6CEB863797145711F43EC5A90EF33D8509A91
            APIs
            • __RTC_Initialize.LIBCMT ref: 6C31B2B2
              • Part of subcall function 6C31B65E: InitializeSListHead.KERNEL32(6C3B2058,6C31B2BC,6C3A7588,00000010,6C31B455,?,00000000,?,00000007,6C3A75A8,00000010,6C31B468,?,?,6C31B4F1,?), ref: 6C31B663
            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C31B31C
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
            • String ID:
            • API String ID: 3231365870-0
            • Opcode ID: fc394ef0e7bef19f0b405977c8d828afab7b92ed596375ee6c48ddeab26715e5
            • Instruction ID: 671ba4a060a819150c622f5826ad79961223e749a6d8d147e561457876991355
            • Opcode Fuzzy Hash: fc394ef0e7bef19f0b405977c8d828afab7b92ed596375ee6c48ddeab26715e5
            • Instruction Fuzzy Hash: 7221F3B274C2459EDB08ABB4A8207CD33A4AB1232CF100D29D4915BFC0DF26502ACEA6
            APIs
            • __RTC_Initialize.LIBCMT ref: 6C31B3B3
            • ___scrt_uninitialize_crt.LIBCMT ref: 6C31B3CD
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Initialize___scrt_uninitialize_crt
            • String ID:
            • API String ID: 2442719207-0
            • Opcode ID: 5146172b005934dcb357ddb84546de469d1d90ac71ebba857430973f21e2d97c
            • Instruction ID: 6223c04f4a1ab5bbbe4a43d7e8a181240cd52b8e1e1b2dbfbce09e37e8411120
            • Opcode Fuzzy Hash: 5146172b005934dcb357ddb84546de469d1d90ac71ebba857430973f21e2d97c
            • Instruction Fuzzy Hash: A62108F2A4C2499FDB0CDFBAD4117DC37A8EB0671DF10851AD4109AF90CF71551A8E65
            APIs
            • _memcpy_s.LIBCMT ref: 6C1E084C
            • SysAllocStringLen.OLEAUT32(00000000,?), ref: 6C1E0872
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AllocString_memcpy_s
            • String ID:
            • API String ID: 696070862-0
            • Opcode ID: ed930fa49ccbc77e853b1491a7b9d4a995ac3c3db4c2f82749e714fda00eca0a
            • Instruction ID: b783cf6b9f9a76267983c77883123b0fac89765c320bccf2510237bd7267a6e3
            • Opcode Fuzzy Hash: ed930fa49ccbc77e853b1491a7b9d4a995ac3c3db4c2f82749e714fda00eca0a
            • Instruction Fuzzy Hash: 4A110636600645AFEB009F988C44F9E77A8EF55718B11402AF904D7A54DF31F824DAE1
            APIs
            • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00008000,6C1CA407,00008000,6C338E1C,?,?,?,6C338BD7,6C338E1C,?,00000000,6C1CA407,?), ref: 6C338D8B
            • GetLastError.KERNEL32(00000000,?,?,?,6C338BD7,6C338E1C,?,00000000,6C1CA407,?,00000000,00008000,6C338E1C,?,?,6C341B8B), ref: 6C338D98
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ErrorFileLastPointer
            • String ID:
            • API String ID: 2976181284-0
            • Opcode ID: f09a3bf4e2ba346c4e7f20a512ec35b345da79baae196c42239af3d8ebdbb44c
            • Instruction ID: 792f62ef50fac9b02ce74d4f90b9f9c52eb7a7ec02f203e3e7e85a8fe0124488
            • Opcode Fuzzy Hash: f09a3bf4e2ba346c4e7f20a512ec35b345da79baae196c42239af3d8ebdbb44c
            • Instruction Fuzzy Hash: A70149326146A5AFCF068F59CC05D9E3B79EF92338B24020AF811DB690E772D941CFA1
            APIs
              • Part of subcall function 00E21721: GetModuleHandleW.KERNEL32(00000000,00E211DF,00E20000,00000000,00000000,00000000,00E22778,00000014), ref: 00E21723
            • _c_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E21227
            • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,00E22778,00000014), ref: 00E21256
            Memory Dump Source
            • Source File: 00000003.00000002.1780458776.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
            • Associated: 00000003.00000002.1780443399.0000000000E20000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780486959.0000000000E23000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E24000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E66000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_e20000_Update.jbxd
            Similarity
            • API ID: HandleModule_c_exit_exit
            • String ID:
            • API String ID: 750871209-0
            • Opcode ID: 16fa93b7bc53292110ca8a16250e65417d72c628d38c51941cfc6685c9766e0c
            • Instruction ID: 01293091f06c2298ae163c0036cb3518528da1412c868a08a085f5f58b648469
            • Opcode Fuzzy Hash: 16fa93b7bc53292110ca8a16250e65417d72c628d38c51941cfc6685c9766e0c
            • Instruction Fuzzy Hash: 45E08637D04269CFCF149BA4F8023DDB7B1FB91368F102195E911B32A1D7351A119651
            APIs
            • CloseHandle.KERNELBASE(00000000,?,00000000,?,6C33A4FF,6C341D61,?,00000000,00000000), ref: 6C33A566
            • GetLastError.KERNEL32(?,00000000,?,6C33A4FF,6C341D61,?,00000000,00000000), ref: 6C33A570
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CloseErrorHandleLast
            • String ID:
            • API String ID: 918212764-0
            • Opcode ID: 6cf7ba3bdc8ef934032676165256a8178415c5ab0c69f7f738e279072656dd9f
            • Instruction ID: a9c58f18c35cbd7428685f8e9327a036d6368e465eb4bd8e0daecd94c86a5f3c
            • Opcode Fuzzy Hash: 6cf7ba3bdc8ef934032676165256a8178415c5ab0c69f7f738e279072656dd9f
            • Instruction Fuzzy Hash: DA1129336092B01BEF0506B5940579E376A8B8373CF290349E99D86EC0EB2785414A71
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 15d6eb9c23949482de240d9e2cac0b6786468aa7f6308a9d8cc60cca9cec72c2
            • Instruction ID: 6437a4fa07472407ac16490ce13cf944152e0ddad5728b83b1cd8e5ccc729f2d
            • Opcode Fuzzy Hash: 15d6eb9c23949482de240d9e2cac0b6786468aa7f6308a9d8cc60cca9cec72c2
            • Instruction Fuzzy Hash: EF51B474A04308AFDF00CF68C886E99BBB5EF4A328F248259E8595B791D3769D41CFD1
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: __wsopen_s
            • String ID:
            • API String ID: 3347428461-0
            • Opcode ID: 3ee792154ae70f1da520be5f20978ee1b8bd7654bbacffce898699b34b5df18f
            • Instruction ID: 38785b9df3ec390a27cd84af0c8766779d128879516776eda40df3149c806800
            • Opcode Fuzzy Hash: 3ee792154ae70f1da520be5f20978ee1b8bd7654bbacffce898699b34b5df18f
            • Instruction Fuzzy Hash: E9114872A0420AAFCF05DF58E9449DB7BF8EF48308F14406AF819EB351D671E915CBA5
            APIs
            • RtlAllocateHeap.NTDLL(00000008,?,6C1F5BE4,?,6C3327E1,00000001,00000364,6C1F5BE4,FFFFFFFF,000000FF,?,6C31BCF8,6C1C22CC,6C1C22CA,?,?), ref: 6C335749
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 5794557ce304cc326826d83c468999e5fc24a477fbf1d905d515b16a3b0a0e5a
            • Instruction ID: eeb45e742269017b3289489fa979b003e1f07baafb4a34e0aea4630f29f3d351
            • Opcode Fuzzy Hash: 5794557ce304cc326826d83c468999e5fc24a477fbf1d905d515b16a3b0a0e5a
            • Instruction Fuzzy Hash: 78F0E9316061B4EBEB118E669D4CB8B379CAF427E4B245512EC5CAAD80EB32D4018FE1
            APIs
            • RtlAllocateHeap.NTDLL(00000000,6C1F5BE4,6C1C22CA,?,6C31BCF8,6C1C22CC,6C1C22CA,?,?,?,6C1F5B84,6C1F5BE4,6C1C22CE,6C1C22CA,6C1C22CA,6C1C22CA), ref: 6C332423
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 3f9756785e74ea54bf054ad21c7746074642a4923eb0cff71552cf01ea88b65e
            • Instruction ID: 209d721e3dcbdd60e9affcddd85381e742883e025131d2c48ebea77b3cbe3efc
            • Opcode Fuzzy Hash: 3f9756785e74ea54bf054ad21c7746074642a4923eb0cff71552cf01ea88b65e
            • Instruction Fuzzy Hash: 71E02B712053B05BEB111AA78F0CBCB765CDF427A8F511221EE5C96D85EB23D4018EF1
            APIs
            • CreateFileW.KERNELBASE(6C1D6E59,00000000,?,6C341C17,?,?,00000000,?,6C341C17,6C1D6E59,0000000C), ref: 6C341F90
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 0c087cf7e89bf1f78ad08aceb00f910d5b8924e0f70bba1aad627ba463c7f4b0
            • Instruction ID: 0cadd1008927661a1a579228ea0736e54f957c2748b994a825711ec4042de662
            • Opcode Fuzzy Hash: 0c087cf7e89bf1f78ad08aceb00f910d5b8924e0f70bba1aad627ba463c7f4b0
            • Instruction Fuzzy Hash: EBD06C3210410DBFDF028E84DC06EDA3BAAFB4C714F014000BA2956020C732E821AB90
            APIs
            • TCGamerUpdateMain.UPDATE(?,?), ref: 00E2100B
            Memory Dump Source
            • Source File: 00000003.00000002.1780458776.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
            • Associated: 00000003.00000002.1780443399.0000000000E20000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780486959.0000000000E23000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E24000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E66000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_e20000_Update.jbxd
            Similarity
            • API ID: GamerMainUpdate
            • String ID:
            • API String ID: 3533789159-0
            • Opcode ID: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
            • Instruction ID: 8384d6dc1b78bc32af1e2f99f6c23e2e9d85a128f8ae49908bb0437239ec9c48
            • Opcode Fuzzy Hash: 0dc032e54f475a4c8a862538ffc73d883b9d6e7095286aea5a65631e74e2db75
            • Instruction Fuzzy Hash: 80B092B656020C6BCB44EAD8EC42C9A33DC5A58650B448054BE0C8B241E936FA9087A1
            APIs
            • DeleteObject.GDI32(00000000), ref: 6C1DC50D
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: DeleteObject
            • String ID:
            • API String ID: 1531683806-0
            • Opcode ID: 56dcf331afad79b495f8f444be36658fa32431df06d8a6227cfed886e5587b5d
            • Instruction ID: c62328ed01db47f508eb39def6c8f89ba8b2f8b7b704ccd7b25b8b35a7aad46c
            • Opcode Fuzzy Hash: 56dcf331afad79b495f8f444be36658fa32431df06d8a6227cfed886e5587b5d
            • Instruction Fuzzy Hash: B7B012B0B11105EECF007B71C61C31A3B786B4130FF06DD94E006C5802EB3AD045DB00
            APIs
            • Sleep.KERNELBASE(00011D28), ref: 6C1D50F8
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: dc2fbd18377be83b52d8bd500d6b406608893a375cd118d9065d672205a942b5
            • Instruction ID: 84737c8347834d3392f15fe94de21a43557003dee8b4dd4488a4642aafd0f996
            • Opcode Fuzzy Hash: dc2fbd18377be83b52d8bd500d6b406608893a375cd118d9065d672205a942b5
            • Instruction Fuzzy Hash: 30A002B1751108564B045F74580E88675F85FA975374195227311C9044FA7540D09665
            APIs
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 6C2052AD
            • GetDlgItem.USER32(?,00003020), ref: 6C2052FD
            • GetDlgItem.USER32(?,00003020), ref: 6C205328
            • GetWindowRect.USER32(00000000,?), ref: 6C20533C
            • MapDialogRect.USER32(?,?), ref: 6C20535F
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000016), ref: 6C205389
            • GetDlgItem.USER32(?,00000001), ref: 6C20539A
            • GetWindowRect.USER32(00000000,?), ref: 6C2053AC
            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015,?), ref: 6C2053D0
            • GetWindowRect.USER32(?,?), ref: 6C2053E5
            • GetWindowRect.USER32(?,?), ref: 6C205443
            • GetDlgItem.USER32(?,00000001), ref: 6C205455
            • GetWindowRect.USER32(00000000,?), ref: 6C205464
            • GetDlgItem.USER32(?,00000001), ref: 6C20548D
            • ShowWindow.USER32(00000000,00000000), ref: 6C20549C
            • EnableWindow.USER32(00000000,00000000), ref: 6C2054A5
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Rect$Item$DialogEnableMessageSendShow
            • String ID:
            • API String ID: 966972710-0
            • Opcode ID: 5f43915c3c52d4eb4cd17e1ff569fc084a2683fe789d7db8c8ec9a1cfb81fff8
            • Instruction ID: 8ad7e575f94ddc86c66da065e536a1f58fc7797fa21af7ed898fdfbd7d8151b5
            • Opcode Fuzzy Hash: 5f43915c3c52d4eb4cd17e1ff569fc084a2683fe789d7db8c8ec9a1cfb81fff8
            • Instruction Fuzzy Hash: 39A19131A0170AAFDB10CFA4CD84BAFBBB9FF49305F104129F855A6651EB71A944CB24
            APIs
              • Part of subcall function 6C1E3FCC: GetParent.USER32(?), ref: 6C1E3FD6
            • ScreenToClient.USER32(?,?), ref: 6C1FD954
            • GetKeyState.USER32(00000001), ref: 6C1FD9C5
            • GetKeyState.USER32(00000001), ref: 6C1FDA20
            • IsWindow.USER32(?), ref: 6C1FDAE1
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: State$ClientParentScreenWindow
            • String ID: 0
            • API String ID: 1527269598-4108050209
            • Opcode ID: 638e16cc153656c4169f9bc699ef534cc43bf9a4325379eb56f8c1b771b0c943
            • Instruction ID: 3ce8c519896091aa5cc8aaf9d47aa860343b1b3a3ddef62a87c6ca5c44a73111
            • Opcode Fuzzy Hash: 638e16cc153656c4169f9bc699ef534cc43bf9a4325379eb56f8c1b771b0c943
            • Instruction Fuzzy Hash: 1861DF34B043199FDF04AFA4C884BBC7BF5BF49708F140166E822A7B90DB7598438B85
            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C1E3720,6C1E27A9,00000003,?,00000004,6C1E27A9), ref: 6C1FF4B3
            • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 6C1FF4C3
            • EncodePointer.KERNEL32(00000000,?,6C1E3720,6C1E27A9,00000003,?,00000004,6C1E27A9), ref: 6C1FF4CC
            • DecodePointer.KERNEL32(00000000,?,?,6C1E3720,6C1E27A9,00000003,?,00000004,6C1E27A9), ref: 6C1FF4DA
            • GetLocaleInfoW.KERNEL32(00000000,00000004,?,00000003,?,6C1E3720,6C1E27A9,00000003,?,00000004,6C1E27A9), ref: 6C1FF511
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
            • String ID: GetLocaleInfoEx$kernel32.dll
            • API String ID: 1461536855-1547310189
            • Opcode ID: bef4890bb6759651b25bf48d815b51ec1c27c1f9b3e9d58f63666cec680fe722
            • Instruction ID: 8b8f3ead2b6a662f2a53800a399062d8bfa3710174a9b16373bde8fd5fab5baa
            • Opcode Fuzzy Hash: bef4890bb6759651b25bf48d815b51ec1c27c1f9b3e9d58f63666cec680fe722
            • Instruction Fuzzy Hash: 4401FB3660121AABCF125F64DE0889E3FFDBF19355B008415FD3AD6920EB76C921DBA4
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C2216BF
            • PathIsUNCW.SHLWAPI(?,?,?,?,6C253542,00000024,?,?,?), ref: 6C22176F
            • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,6C253542,00000024,?,?,?), ref: 6C221793
            • GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,6C221531,?,?,00000000,?,6C253542,00000024,?,?,?), ref: 6C2216F2
              • Part of subcall function 6C221673: GetLastError.KERNEL32(?,?,?,6C2217A4,?,?,?,6C253542,00000024,?,?,?), ref: 6C22167F
              • Part of subcall function 6C2215A8: PathStripToRootW.SHLWAPI(00000000,?,?,6C253542,00000024,?,?,?), ref: 6C2215DC
            • CharUpperW.USER32(?,?,6C253542,00000024,?,?,?), ref: 6C2217C1
            • FindFirstFileW.KERNEL32(?,?,?,6C253542,00000024,?,?,?), ref: 6C2217D9
            • FindClose.KERNEL32(00000000,?,6C253542,00000024,?,?,?), ref: 6C2217E5
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
            • String ID:
            • API String ID: 2323451338-0
            • Opcode ID: 561713232152015d110d4c1cf4695f03459877cc8b66aefdaf4e9f34b64f3df5
            • Instruction ID: 66248363bd478db436777d7d002dc4e2481949394752ebf3e7a7dda5dd41a9a6
            • Opcode Fuzzy Hash: 561713232152015d110d4c1cf4695f03459877cc8b66aefdaf4e9f34b64f3df5
            • Instruction Fuzzy Hash: 2A418571514119AFEB14EB24CC98EFE737CEF41309F1006A5E859A2650EB36ED898E61
            APIs
            • GetWindowRect.USER32(?,?), ref: 6C1F2361
            • EqualRect.USER32(?,00000000), ref: 6C1F237F
              • Part of subcall function 6C1F519E: SetWindowPos.USER32(?,00000000,?,00000000,00000115,00000000,00000000,?,?,6C1F2831,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6C1F51C6
            • IsWindowVisible.USER32(?), ref: 6C1F243A
            • CopyRect.USER32(?,?), ref: 6C1F247A
            • GetParent.USER32(?), ref: 6C1F255C
            • SetParent.USER32(?,?), ref: 6C1F2572
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: RectWindow$Parent$CopyEqualVisible
            • String ID:
            • API String ID: 3103310903-0
            • Opcode ID: 82a5976a4f05d96344a4feb6261b9489353d20e831682f4b589859ef63826b7f
            • Instruction ID: 5dcef5e4f09f37684ad89d725c67b221ebcd0e763b1972f9c1654251558e0d7b
            • Opcode Fuzzy Hash: 82a5976a4f05d96344a4feb6261b9489353d20e831682f4b589859ef63826b7f
            • Instruction Fuzzy Hash: AA81D471701658ABDF198F34CC99BEAB3B9BF44308F1042A9E82AD7690DB349946CF50
            APIs
            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E215DC
            • memset.VCRUNTIME140(?,00000000,00000003), ref: 00E21602
            • memset.VCRUNTIME140(?,00000000,00000050), ref: 00E2168C
            • IsDebuggerPresent.KERNEL32 ref: 00E216A8
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E216C8
            • UnhandledExceptionFilter.KERNEL32(?), ref: 00E216D2
            Memory Dump Source
            • Source File: 00000003.00000002.1780458776.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
            • Associated: 00000003.00000002.1780443399.0000000000E20000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780486959.0000000000E23000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E24000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E66000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_e20000_Update.jbxd
            Similarity
            • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
            • String ID:
            • API String ID: 1045392073-0
            • Opcode ID: 3d1b9d2d269e819e5fcdea0aabacf3bb08ee7a5644f85d1532ac217c3173773d
            • Instruction ID: 1a5f2b7caa983a44f791e3b37d7c9d359b81b429acaa5d281a1264467393408b
            • Opcode Fuzzy Hash: 3d1b9d2d269e819e5fcdea0aabacf3bb08ee7a5644f85d1532ac217c3173773d
            • Instruction Fuzzy Hash: 12310775D452289BDB21DFA4D989BCCBBF8AF18304F1041EAE509AB250EB719B85CF44
            APIs
            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C1C55B5
            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C1C562D
              • Part of subcall function 6C1C56BE: ___std_exception_copy.LIBVCRUNTIME ref: 6C1C56E3
              • Part of subcall function 6C31B6F1: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1C22CA,?,?,?,6C1F5BF2,6C1C22CA,6C39B17C,?,6C1C22CA,string too long,6C1D6933), ref: 6C31B752
            • ___std_exception_copy.LIBVCRUNTIME ref: 6C1C5682
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: BinaryCryptString___std_exception_copy$ExceptionRaise
            • String ID: Failed to calculate base64 decoded size.$X;5l
            • API String ID: 1999913932-219672820
            • Opcode ID: e1866b261f20e05810fc717ed7a24db6bf21cf4a18ee0b78fba1c6f2f959b094
            • Instruction ID: 2a23037cd4daebf73f44edbfe72061b942190a1678a5743869ffed6929df6fa5
            • Opcode Fuzzy Hash: e1866b261f20e05810fc717ed7a24db6bf21cf4a18ee0b78fba1c6f2f959b094
            • Instruction Fuzzy Hash: BA4180B1A01214AFDB10CF54CC45BAABBB9EF54354F048529F849ABB50E738A945CFA2
            APIs
            • GetLocaleInfoW.KERNEL32(?,2000000B,6C33E9BB,00000002,00000000,?,?,?,6C33E9BB,?,00000000), ref: 6C33F083
            • GetLocaleInfoW.KERNEL32(?,20001004,6C33E9BB,00000002,00000000,?,?,?,6C33E9BB,?,00000000), ref: 6C33F0AC
            • GetACP.KERNEL32(?,?,6C33E9BB,?,00000000), ref: 6C33F0C1
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: InfoLocale
            • String ID: ACP$OCP
            • API String ID: 2299586839-711371036
            • Opcode ID: 164b37cc3089a09a33610e68b13309741fe797c1ad229a6caeb66bd32e416f25
            • Instruction ID: 3140baef06ed25938222efefd517d568db74b6e50ff3d6f0b99c8bc2c4b0bb9c
            • Opcode Fuzzy Hash: 164b37cc3089a09a33610e68b13309741fe797c1ad229a6caeb66bd32e416f25
            • Instruction Fuzzy Hash: 82210872604161A6E7118F6DC800AC773B6EB48F5CB969594E90EC7A10F737DE41CF50
            APIs
            • GetClientRect.USER32(?,?), ref: 6C1DD9F5
            • InflateRect.USER32(?,?,?), ref: 6C1DDA11
            • BeginDeferWindowPos.USER32(?), ref: 6C1DDA85
            • InvalidateRect.USER32(?,00000000,00000001,00000018,00000008,00000000,0000EA20), ref: 6C1DDAF4
            • EndDeferWindowPos.USER32(00000000), ref: 6C1DDCF2
              • Part of subcall function 6C1F4FBD: GetDlgItem.USER32(?,?), ref: 6C1F4FCE
              • Part of subcall function 6C1DF6EF: GetClientRect.USER32(?,?), ref: 6C1DF711
              • Part of subcall function 6C1DF6EF: GetParent.USER32(?), ref: 6C1DF72A
              • Part of subcall function 6C1DF6EF: GetClientRect.USER32(?,?), ref: 6C1DF759
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Rect$Client$DeferWindow$BeginInflateInvalidateItemParent
            • String ID:
            • API String ID: 939197390-0
            • Opcode ID: f8ef97dab3d8f6d957c5a499c3cd5958d1a6b974fdefaf5845042a7aaf377703
            • Instruction ID: d9e04e2849f7e47a25b50716adc94b4930f8c6193a0d6e2f97900470ff33c6f3
            • Opcode Fuzzy Hash: f8ef97dab3d8f6d957c5a499c3cd5958d1a6b974fdefaf5845042a7aaf377703
            • Instruction Fuzzy Hash: 67B10371E0064AAFDB09DFA8C880BEDFBB9BF49304F154219E419AB240DB71A955CF91
            APIs
              • Part of subcall function 6C332643: GetLastError.KERNEL32(00000000,?,6C3369BA), ref: 6C332647
              • Part of subcall function 6C332643: SetLastError.KERNEL32(00000000,?,?,00000028,6C32D5FE), ref: 6C3326E9
            • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 6C33E98D
            • IsValidCodePage.KERNEL32(00000000), ref: 6C33E9CB
            • IsValidLocale.KERNEL32(?,00000001), ref: 6C33E9DE
            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6C33EA26
            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6C33EA41
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
            • String ID:
            • API String ID: 415426439-0
            • Opcode ID: 216eedae66f4fb6e40b38c72000799cae071024aa11f014ef1e804cc46fc6c88
            • Instruction ID: 2acac61be578d638f035c509a0e67072a8a3034612833e3c1118ad57d1c2d929
            • Opcode Fuzzy Hash: 216eedae66f4fb6e40b38c72000799cae071024aa11f014ef1e804cc46fc6c88
            • Instruction Fuzzy Hash: D351A071A00769AEEF00DFA5CC40AEE77B8BF06708F105429E568E7680E7759A448FA1
            APIs
            • GetWindowRect.USER32(?,?), ref: 6C1E1A08
              • Part of subcall function 6C1F519E: SetWindowPos.USER32(?,00000000,?,00000000,00000115,00000000,00000000,?,?,6C1F2831,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6C1F51C6
            • SetRectEmpty.USER32(?), ref: 6C1E1A96
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: RectWindow$Empty
            • String ID: @
            • API String ID: 650961088-2766056989
            • Opcode ID: 806fbc45f2601f55a0587bb523be4b3e43babc72860628354315f73e49dc8efe
            • Instruction ID: 58ec3bd11d38e3f46f6c984b7a5e7021a4c9769481cdf67646a5659b9786c89f
            • Opcode Fuzzy Hash: 806fbc45f2601f55a0587bb523be4b3e43babc72860628354315f73e49dc8efe
            • Instruction Fuzzy Hash: 12E11371E016199FDB08CFA8C895AEEBBB5FF49314F25411AE815F7391DB30A941CB90
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c27e77543becadc3561d5a1300e07b90c5736504884e24db4cacd4e9ad29205e
            • Instruction ID: 6f15d7b42c9773510e0d0b6e2540c7cf4c77d6d1d607c7cbe77c3c99854ffd27
            • Opcode Fuzzy Hash: c27e77543becadc3561d5a1300e07b90c5736504884e24db4cacd4e9ad29205e
            • Instruction Fuzzy Hash: 9D024C71E012199BDF14CFA9C890A9EFBF9FF48318F248269D919E7740D735A9418F90
            APIs
            • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C3382DC
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: FileFindFirst
            • String ID:
            • API String ID: 1974802433-0
            • Opcode ID: cef298c82195ec1da49bdaa8016a7940d6882c8436bf569eaa572fcd5f6e7efa
            • Instruction ID: 034cd0062123a96e1df2790623b8ec59d1b3e3f1c1ff34bb8bf2dfa9f0a964a4
            • Opcode Fuzzy Hash: cef298c82195ec1da49bdaa8016a7940d6882c8436bf569eaa572fcd5f6e7efa
            • Instruction Fuzzy Hash: 6071E3759051B89FDF119F248C88AEEBBB8AB45308F1451DBE05DD7601EB328E858F12
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Parent$H_prolog3Iconic
            • String ID:
            • API String ID: 881905488-0
            • Opcode ID: 2f8f507d1ed3cbe3eb30c1117ce6f297f4daa3d1dfebe838e8a23cd3c0b01c74
            • Instruction ID: f1f31a70cee5d298c85a86537052b38291ae5988c7a1ac1a0a8f22f3a7db7898
            • Opcode Fuzzy Hash: 2f8f507d1ed3cbe3eb30c1117ce6f297f4daa3d1dfebe838e8a23cd3c0b01c74
            • Instruction Fuzzy Hash: 1B21B032600609ABDF22AF64C814BAE7BF6BF45314F044125FDA5D7A60EB35D816EB90
            APIs
            • IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6C1F6AE2
            • IsDebuggerPresent.KERNEL32 ref: 6C1F6BAE
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C1F6BC7
            • UnhandledExceptionFilter.KERNEL32(?), ref: 6C1F6BD1
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
            • String ID:
            • API String ID: 254469556-0
            • Opcode ID: 52b5405c3097533ab341917270f3a7488009af7ab56dd4808b50d39e646ed080
            • Instruction ID: 3c835f4b969be29c9b8eeb66d005343c1c2f850bc88e80f76ec5a5c3780864d5
            • Opcode Fuzzy Hash: 52b5405c3097533ab341917270f3a7488009af7ab56dd4808b50d39e646ed080
            • Instruction Fuzzy Hash: 3B31D675D0522C9BDF21DFA4C9497CDBBF8AF18305F1041AAE40DAB250EB719A858F45
            APIs
            • GetKeyboardState.USER32(?), ref: 6C22A755
            • GetKeyboardLayout.USER32(?), ref: 6C22A77B
            • MapVirtualKeyW.USER32(00000000,00000000), ref: 6C22A788
            • ToUnicodeEx.USER32(00000000,00000000,?,?,00000002,00000000,00000000), ref: 6C22A7A5
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Keyboard$LayoutStateUnicodeVirtual
            • String ID:
            • API String ID: 961187839-0
            • Opcode ID: 8504872ac9b635d0102cf51bae77acecb735a3bf82f8fecb6208293db0b0e211
            • Instruction ID: cfa04b55ea644f3282c9a431c4aa251fcd1ca0c751154832ed2a26b40fa1d035
            • Opcode Fuzzy Hash: 8504872ac9b635d0102cf51bae77acecb735a3bf82f8fecb6208293db0b0e211
            • Instruction Fuzzy Hash: 58018471A00208AFEF14DFA0DC49FDE7BBCAF15705F500165B64AEA580EB719A88CB95
            APIs
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
            • GetKeyState.USER32(00000010), ref: 6C1E64BF
            • GetKeyState.USER32(00000011), ref: 6C1E64CC
            • GetKeyState.USER32(00000012), ref: 6C1E64D9
            • SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6C1E64F3
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: State$LongMessageSendWindow
            • String ID:
            • API String ID: 1063413437-0
            • Opcode ID: 0600972095f27416bc9d8ed1da4e1aed0e5cbde3efd7e8fc0ea4f557946108a6
            • Instruction ID: 2409941031df2e0c6c4a6c2d3652fe9ebba5de53865d30bc41f16e025c1aaeb6
            • Opcode Fuzzy Hash: 0600972095f27416bc9d8ed1da4e1aed0e5cbde3efd7e8fc0ea4f557946108a6
            • Instruction Fuzzy Hash: 88F0E936381A0E37EA102E304C48BD936795F05B4BF554634AB52EAAD0DE50C4D19321
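The two keyboard-related records above (GetKeyboardState / GetKeyboardLayout / MapVirtualKeyW / ToUnicodeEx, and the GetKeyState polling of 00000010, 00000011 and 00000012 followed by SendMessageW with 00000111) are the call patterns behind the summary's "key state polling" and "pressed keystrokes" signatures. The Python below is an added example; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses the report's own API-call line format into records, annotates raw hexadecimal arguments with Win32 constants the author is certain of (VK_SHIFT/VK_CONTROL/VK_MENU, WM_COMMAND, MAPVK_VK_TO_VSC, CRYPT_STRING_BASE64, LOCALE_* values, the MSVC C++ exception code), and summarises which keys a function actually polls. The sample lines are copied from the records on this page; all function and variable names are the author's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example; not part of the Joe Sandbox report or of the analysed sample.
# Parses the report's per-function "APIs" lines, e.g.
#   • GetKeyState.USER32(00000010), ref: 6C1E64BF
#   • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
#   • IsDebuggerPresent.KERNEL32 ref: 6C1F6BAE
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<func>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Win32 constants keyed by (function, zero-based argument index). Only values
# the author is certain of are listed; anything else stays as raw hex.
MODIFIER_VKS: Dict[int, str] = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
LOCALE_RETURN_NUMBER = 0x20000000
KNOWN: Dict[tuple, Dict[int, str]] = {
    ("GetKeyState", 0): MODIFIER_VKS,
    ("GetAsyncKeyState", 0): MODIFIER_VKS,
    ("SendMessageW", 1): {0x111: "WM_COMMAND"},
    ("MapVirtualKeyW", 1): {0x0: "MAPVK_VK_TO_VSC"},
    ("CryptStringToBinaryA", 2): {0x1: "CRYPT_STRING_BASE64"},
    ("IsProcessorFeaturePresent", 0): {0x17: "PF_FASTFAIL_AVAILABLE"},
    ("RaiseException", 0): {0xE06D7363: "MSVC_CPP_EXCEPTION"},
    ("GetLocaleInfoW", 1): {
        0x0B: "LOCALE_IDEFAULTCODEPAGE",
        0x1001: "LOCALE_SENGLANGUAGE",
        0x1002: "LOCALE_SENGCOUNTRY",
        LOCALE_RETURN_NUMBER | 0x0B: "LOCALE_RETURN_NUMBER|LOCALE_IDEFAULTCODEPAGE",
        LOCALE_RETURN_NUMBER | 0x1004: "LOCALE_RETURN_NUMBER|LOCALE_IDEFAULTANSICODEPAGE",
    },
}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]          # raw tokens as printed: "?", "00000010", "string too long"
    ref: int                 # call-site address
    subcall_of: Optional[str] = None   # address of the callee when the line is a subcall entry


def parse_call(line: str) -> Optional[ApiCall]:
    """Parse one bullet line of a record's APIs list; None if it is not a call line."""
    m = CALL_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16), m.group("sub"))


def arg_value(tok: str) -> Optional[int]:
    """8-digit hex (optionally with the report's leading minus) -> int; '?' and literals -> None."""
    m = re.fullmatch(r"(-?)([0-9A-F]{8})", tok)
    if not m:
        return None
    v = int(m.group(2), 16)
    return -v if m.group(1) else v


def annotate(call: ApiCall) -> str:
    """Render the call with known constants spelled out, e.g. 00000010=VK_SHIFT."""
    parts = []
    for i, tok in enumerate(call.args):
        v = arg_value(tok)
        name = KNOWN.get((call.func, i), {}).get(v) if v is not None else None
        parts.append(f"{tok}={name}" if name else tok)
    prefix = f"[sub {call.subcall_of}] " if call.subcall_of else ""
    return f"{prefix}{call.func}.{call.module}({', '.join(parts)}) @ {call.ref:08X}"


def polled_keys(calls: List[ApiCall]) -> dict:
    """Which virtual keys a function polls, whether they are all modifiers, and
    whether the result feeds a WM_COMMAND dispatch (accelerator handling) rather
    than being recorded. A non-modifier VK code is what would point at capture."""
    vks = set()
    for c in calls:
        if c.func in ("GetKeyState", "GetAsyncKeyState") and c.args:
            v = arg_value(c.args[0])
            if v is not None:
                vks.add(v)
    return {
        "vk_codes": sorted(vks),
        "names": sorted(MODIFIER_VKS.get(v, f"VK_0x{v:02X}") for v in vks),
        "modifiers_only": bool(vks) and all(v in MODIFIER_VKS for v in vks),
        "dispatches_command": any(
            c.func == "SendMessageW" and len(c.args) > 1 and arg_value(c.args[1]) == 0x111
            for c in calls),
    }


def parse_report_lines(lines: List[str]) -> List[ApiCall]:
    return [c for c in (parse_call(l) for l in lines) if c]


# Constructed sample: the two keyboard-related records copied from this page.
SAMPLE_LINES = """
• GetKeyboardState.USER32(?), ref: 6C22A755
• GetKeyboardLayout.USER32(?), ref: 6C22A77B
• MapVirtualKeyW.USER32(00000000,00000000), ref: 6C22A788
• ToUnicodeEx.USER32(00000000,00000000,?,?,00000002,00000000,00000000), ref: 6C22A7A5
  • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
• GetKeyState.USER32(00000010), ref: 6C1E64BF
• GetKeyState.USER32(00000011), ref: 6C1E64CC
• GetKeyState.USER32(00000012), ref: 6C1E64D9
• SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6C1E64F3
• IsDebuggerPresent.KERNEL32 ref: 6C1F6BAE
""".strip().splitlines()

if __name__ == "__main__":
    calls = parse_report_lines(SAMPLE_LINES)
    for c in calls:
        print(annotate(c))
    print(polled_keys(calls))
```

Run over these two records the summary reports only the three modifier keys being polled, with the result driving a WM_COMMAND dispatch, so the polling signature on its own does not establish keystroke capture in these functions; a polled non-modifier VK code, or a GetAsyncKeyState loop combined with a keyboard hook, is what would be worth chasing in the other records.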
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: H_prolog3
            • String ID: pt5l
            • API String ID: 431132790-4290138313
            • Opcode ID: 0568a0dbbcf16c7ec8720781ec3c31d4bc93714aa25f3e8bddbd22af57804000
            • Instruction ID: eb899e5d62b69bb49f08dc124c5ff39d05260eee925eec99f5fac3acb585e565
            • Opcode Fuzzy Hash: 0568a0dbbcf16c7ec8720781ec3c31d4bc93714aa25f3e8bddbd22af57804000
            • Instruction Fuzzy Hash: B8E18B70A00A1ADBEF04CF64C854BEE7BB6BF49308F14455AE815EBB91DB34E941CB91
            APIs
            • OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,00000000,?,6C1E3B60,00000000,6C39A3F8,00000014,6C1E3C28,InitCommonControlsEx,6C39A418,00000010,6C1E91DD,00000008,?), ref: 6C1DA26B
            • GetLastError.KERNEL32(6C1E91DD,00000000,?,6C1E3B60,00000000,6C39A3F8,00000014,6C1E3C28,InitCommonControlsEx,6C39A418,00000010,6C1E91DD,00000008,?), ref: 6C1DA2A2
              • Part of subcall function 6C1DA479: GetModuleFileNameW.KERNEL32(?,?,00000105,?,6C1E3B60,00000000,6C39A3F8,00000014,6C1E3C28,InitCommonControlsEx,6C39A418,00000010,6C1E91DD,00000008,?), ref: 6C1DA529
              • Part of subcall function 6C1DA479: SetLastError.KERNEL32(0000006F,?,6C1E3B60,00000000,6C39A3F8,00000014,6C1E3C28,InitCommonControlsEx,6C39A418,00000010,6C1E91DD,00000008,?), ref: 6C1DA53D
            Strings
            • IsolationAware function called after IsolationAwareCleanup, xrefs: 6C1DA266
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: ErrorLast$DebugFileModuleNameOutputString
            • String ID: IsolationAware function called after IsolationAwareCleanup
            • API String ID: 3265401609-2690750368
            • Opcode ID: 430417ee2d9aef80d8485393c732f2bac0ca7632063b3cb336b06ec19d06dda4
            • Instruction ID: af4a9494573d1250ce343768dbe82669ac428256160f45c67100a658d4507c9c
            • Opcode Fuzzy Hash: 430417ee2d9aef80d8485393c732f2bac0ca7632063b3cb336b06ec19d06dda4
            • Instruction Fuzzy Hash: 2CF0C230B863158A9F14CAE79940AAEB67CA7277493234926F913C2940D726F87587D1
            APIs
            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,6C1F5BE4), ref: 6C32AFD5
            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,6C1F5BE4), ref: 6C32AFDF
            • UnhandledExceptionFilter.KERNEL32(6C1C1FA2,?,?,?,?,?,6C1F5BE4), ref: 6C32AFEC
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: f6fc5cfb9f26f8143639949b6c83b082623aba0dd413f861dde2900aede0d663
            • Instruction ID: 84c5d37e4e4c64b7f72cbb7a2450d07c0ab9bd6b92151e4642af82b4a468e0d3
            • Opcode Fuzzy Hash: f6fc5cfb9f26f8143639949b6c83b082623aba0dd413f861dde2900aede0d663
            • Instruction Fuzzy Hash: 6531C57590122CABCF21DF68D888BCDBBB8BF08314F5046DAE41DA7250E7759B858F45
            APIs
            • GetProcessHeap.KERNEL32 ref: 6C1C147E
              • Part of subcall function 6C1D964B: AcquireSRWLockExclusive.KERNEL32(6C3AE068,ios_base::badbit set,ios_base::failbit set,?,6C1C2116,6C3ADE84,6C1C1FA3), ref: 6C1D9656
              • Part of subcall function 6C1D964B: ReleaseSRWLockExclusive.KERNEL32(6C3AE068,?,6C1C2116,6C3ADE84,6C1C1FA3), ref: 6C1D9690
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: ExclusiveLock$AcquireHeapProcessRelease
            • String ID: D45l
            • API String ID: 904919049-4033196799
            • Opcode ID: 813b9e3e8a6d0736fc63640eca9109c19b060e57f7ed0aa182f907a8f6e5adda
            • Instruction ID: 54382533aa2ca6a24932c367fb0050e9f29dc259cd30ba5946758adcff9d5cd4
            • Opcode Fuzzy Hash: 813b9e3e8a6d0736fc63640eca9109c19b060e57f7ed0aa182f907a8f6e5adda
            • Instruction Fuzzy Hash: 4F116AB9B40640CBCA04CBA8E456F99B375A737318F264625FD0246B40EB79A4768F53
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: IconicVisibleWindow
            • String ID:
            • API String ID: 1797901696-0
            • Opcode ID: 031518240a88a0b14cecd21f08e0582b461307969068f7a2baaad4fd4c749f61
            • Instruction ID: 7c84942c63c9f137d877a6c91682fc1a52e88882aa20ee9eee7d263ed184d3af
            • Opcode Fuzzy Hash: 031518240a88a0b14cecd21f08e0582b461307969068f7a2baaad4fd4c749f61
            • Instruction Fuzzy Hash: ABF0E932305420AB8504253D9C506BEBFADAFDE6357040326EA61D3AE0AB90585153D0
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: IconicVisibleWindow
            • String ID:
            • API String ID: 1797901696-0
            • Opcode ID: 4b187928e60b829bc0d1cd6185d64d2c0fcca25435524791c55be935dc4fb7ff
            • Instruction ID: dc5f9c86a5b1a70ab38dd733e2e56ee59298a576aeed40cfba69f6d111057b9b
            • Opcode Fuzzy Hash: 4b187928e60b829bc0d1cd6185d64d2c0fcca25435524791c55be935dc4fb7ff
            • Instruction Fuzzy Hash: 23E01231310556DFDF051F29D848AADBB7DFF99652304027AE409C7620FF61D851DB84
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Iconic
            • String ID:
            • API String ID: 110040809-0
            • Opcode ID: 566d1dd44e91323a4a3c824e6b1a1f7843cd14d42af37b9e52ed24774c910a4f
            • Instruction ID: 63ee599101352ecda65030af6dc26b026e2ef44cded6b2b143b80e206beca361
            • Opcode Fuzzy Hash: 566d1dd44e91323a4a3c824e6b1a1f7843cd14d42af37b9e52ed24774c910a4f
            • Instruction Fuzzy Hash: A9D01231214B68CFE721AA15E484BC273B9BF09319B01052FD94686D60E7E098C0C7C0
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_00001770,00E210D3), ref: 00E21769
            Memory Dump Source
            • Source File: 00000003.00000002.1780458776.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
            • Associated: 00000003.00000002.1780443399.0000000000E20000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780486959.0000000000E23000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E24000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E66000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_e20000_Update.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: abc670bd73c42d51c9c6377666af92fe7ab0573ae464917f306a9a40bc764d2c
            • Instruction ID: 667762fb9c6ab8c260612aa52d78f6e703faa0405cdef4d0a626d7d5d30b3aaf
            • Opcode Fuzzy Hash: abc670bd73c42d51c9c6377666af92fe7ab0573ae464917f306a9a40bc764d2c
            • Instruction Fuzzy Hash:
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1F8E09
              • Part of subcall function 6C1D9B7C: __EH_prolog3.LIBCMT ref: 6C1D9B83
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 6C1F8E81
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 6C1F8EB4
            • CopyRect.USER32(?,?), ref: 6C1F8EDB
            • GetObjectW.GDI32(?,00000018,?), ref: 6C1F8F08
            • GetSystemMetrics.USER32(00000032), ref: 6C1F8F25
            • GetSystemMetrics.USER32(00000031), ref: 6C1F8F30
            • GetSysColor.USER32(00000004), ref: 6C1F8F70
            • CreateCompatibleDC.GDI32(00000000), ref: 6C1F8F8A
            • CopyRect.USER32(?,?), ref: 6C1F8FDE
            • GetSysColor.USER32(0000000D), ref: 6C1F8FEF
            • GetSysColor.USER32(00000010), ref: 6C1F900F
            • GetSysColor.USER32(00000014), ref: 6C1F9019
            • GetSysColor.USER32(0000000D), ref: 6C1F904F
            • GetSysColor.USER32(00000007), ref: 6C1F91C4
            • ExtTextOutW.GDI32(00000001,?,?,00000002,00000000,?,?,00000000), ref: 6C1F9209
            • CreateCompatibleDC.GDI32(00000000), ref: 6C1F926E
            • InflateRect.USER32(00000000,000000FF,000000FF), ref: 6C1F9297
            • BitBlt.GDI32(00000003,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 6C1F92B6
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Color$Rect$CompatibleCopyCreateInfoItemMenuMetricsSystem$H_prolog3H_prolog3_InflateObjectText
            • String ID: @
            • API String ID: 364174344-2766056989
            • Opcode ID: c6123d17bbb419d5bbe0035ffc85341c377be0fb2324dff621215c464cd61cfe
            • Instruction ID: f3add316d00ff89e00988abf08406464473fa893eed5aefb32f5d0ae07dca92c
            • Opcode Fuzzy Hash: c6123d17bbb419d5bbe0035ffc85341c377be0fb2324dff621215c464cd61cfe
            • Instruction Fuzzy Hash: E9F18771A002189FDF00DFA8CC98BEDBBB9FF09315F144259E916AB290DB75A946CF50
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C25B78D
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,6C390350,00000000,6C390728,00000000,6C38DB20,00000000,?,?,00000A88,6C25DC39,?,00000000,00000038), ref: 6C25B82C
            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6C38DB20,00000000,?,?,00000A88,6C25DC39,?,00000000,00000038), ref: 6C25B8DF
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: File$CreateH_prolog3_ModuleName
            • String ID:
            • API String ID: 3408945735-3916222277
            • Opcode ID: 4e7acf682211a5d0c728032b63d19ecde83745266a68b01adc09086ea6bdb26f
            • Instruction ID: f988d995cc7baa78f8d57639504e9c958722ffb5a695ad102ebf47c7e62a06ad
            • Opcode Fuzzy Hash: 4e7acf682211a5d0c728032b63d19ecde83745266a68b01adc09086ea6bdb26f
            • Instruction Fuzzy Hash: 79C17C72A00219AFDF219F60CC44FEE77B8EF0A315F5005A4F909A2994EB719E95CF61
            APIs
            • RegisterClipboardFormatW.USER32(Native), ref: 6C31AB06
            • RegisterClipboardFormatW.USER32(OwnerLink), ref: 6C31AB13
            • RegisterClipboardFormatW.USER32(ObjectLink), ref: 6C31AB21
            • RegisterClipboardFormatW.USER32(Embedded Object), ref: 6C31AB2F
            • RegisterClipboardFormatW.USER32(Embed Source), ref: 6C31AB3D
            • RegisterClipboardFormatW.USER32(Link Source), ref: 6C31AB4B
            • RegisterClipboardFormatW.USER32(Object Descriptor), ref: 6C31AB59
            • RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 6C31AB67
            • RegisterClipboardFormatW.USER32(FileName), ref: 6C31AB75
            • RegisterClipboardFormatW.USER32(FileNameW), ref: 6C31AB83
            • RegisterClipboardFormatW.USER32(Rich Text Format), ref: 6C31AB91
            • RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 6C31AB9F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClipboardFormatRegister
            • String ID: ;l$Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
            • API String ID: 1228543026-1920505827
            • Opcode ID: 6a30bf8e1542ae274b9a9431cb7346abfc812fdeccc951c81a696ad1186fe304
            • Instruction ID: 56dba4a992c002a526b7efbe7d6f747c18715fa6ebd049063ad8ddbbadaa710c
            • Opcode Fuzzy Hash: 6a30bf8e1542ae274b9a9431cb7346abfc812fdeccc951c81a696ad1186fe304
            • Instruction Fuzzy Hash: 79111A719027049FCF60BFB5970C4457AF8BA1A6033804F1AE1869B952E73D9484DF80
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1DC11F
            • CreateCompatibleDC.GDI32(00000000), ref: 6C1DC174
            • CreateCompatibleDC.GDI32(00000000), ref: 6C1DC18C
            • CreateCompatibleDC.GDI32(00000000), ref: 6C1DC1A4
            • GetObjectW.GDI32(00000004,00000018,?), ref: 6C1DC1C4
            • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C1DC1EA
            • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,6C3569A0), ref: 6C1DC20D
            • CreatePatternBrush.GDI32(?), ref: 6C1DC21F
            • DeleteObject.GDI32(?), ref: 6C1DC24E
            • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C1DC25F
            • GetPixel.GDI32(?,00000000,00000000), ref: 6C1DC2A7
            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C1DC2CD
            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 6C1DC2F5
            • FillRect.USER32(?,?,?), ref: 6C1DC357
              • Part of subcall function 6C1DD3A4: __EH_prolog3.LIBCMT ref: 6C1DD3AB
            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C1DC385
            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 6C1DC3A0
            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C1DC3B7
            • DeleteDC.GDI32(00000000), ref: 6C1DC424
            • DeleteDC.GDI32(00000000), ref: 6C1DC440
            • DeleteDC.GDI32(00000000), ref: 6C1DC45F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
            • String ID: (^5l$`g5l$`g5l
            • API String ID: 308707564-3958563804
            • Opcode ID: ebd0d0448f2b8e1c2377f70c1314b3c8896d8b1149a993b778b854a1b2dc2087
            • Instruction ID: e1f2dca9ff5937538b272e70408b259be95bd64fa1cb4c85ecf6e78ff3f47b95
            • Opcode Fuzzy Hash: ebd0d0448f2b8e1c2377f70c1314b3c8896d8b1149a993b778b854a1b2dc2087
            • Instruction Fuzzy Hash: E8B114B2D01208AFDF01AFE4CD94AEEBB79FF18309F214518F506A6661DB316955DF20
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C25CAC1
            • CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 6C25CAF7
              • Part of subcall function 6C25E0A4: __EH_prolog3_GS.LIBCMT ref: 6C25E0AE
              • Part of subcall function 6C25E0A4: GetObjectW.GDI32(?,00000018,?), ref: 6C25E0D3
              • Part of subcall function 6C25E0A4: GetObjectW.GDI32(?,00000054,?), ref: 6C25E118
            • GetObjectW.GDI32(?,00000018,?), ref: 6C25CB31
            • DeleteObject.GDI32(?), ref: 6C25CBB6
            • CreateCompatibleDC.GDI32(00000000), ref: 6C25CBE4
            • GetObjectW.GDI32(?,00000018,?), ref: 6C25CC00
            • GetObjectW.GDI32(?,00000018,?), ref: 6C25CC4A
            • SelectObject.GDI32(?,?), ref: 6C25CC6D
            • SelectObject.GDI32(?,?), ref: 6C25CCA4
            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C25CCCA
            • SelectObject.GDI32(?,00000000), ref: 6C25CCE5
            • CreateCompatibleDC.GDI32(?), ref: 6C25CD15
            • SelectObject.GDI32(?,?), ref: 6C25CD33
            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C25CD72
            • SelectObject.GDI32(?,?), ref: 6C25CD87
            • BitBlt.GDI32(?,?,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C25CDBD
            • SelectObject.GDI32(?,?), ref: 6C25CDCF
            • SelectObject.GDI32(?,00000000), ref: 6C25CDE0
            • DeleteObject.GDI32(?), ref: 6C25CDF1
            • DeleteObject.GDI32(?), ref: 6C25CE39
            • SelectObject.GDI32(?,?), ref: 6C25CE51
            • SelectObject.GDI32(?,00000000), ref: 6C25CE62
            • DeleteObject.GDI32(?), ref: 6C25CE6E
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$Select$Delete$CompatibleCreate$H_prolog3_$BitmapCopyImage
            • String ID:
            • API String ID: 1780083495-0
            • Opcode ID: 4baa92ecad0c626a78e8abf0a3d5602ecb6e87c939c24f96bc6ac2390843a772
            • Instruction ID: c69d3597d80c4ee4e83ea5728c3630dd396a2aba9fe43a40cd01a4b6b5c7e504
            • Opcode Fuzzy Hash: 4baa92ecad0c626a78e8abf0a3d5602ecb6e87c939c24f96bc6ac2390843a772
            • Instruction Fuzzy Hash: 4AA16E70A01629EFDF219F64CC44BEEB7B8BF09716F5042D4E919A2650EB319E94CF50
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1DBE6A
            • GetSysColor.USER32(00000014), ref: 6C1DBEA1
              • Part of subcall function 6C1DC5AB: __EH_prolog3.LIBCMT ref: 6C1DC5B2
              • Part of subcall function 6C1DC5AB: CreateSolidBrush.GDI32(6C1E8A6F), ref: 6C1DC5CD
            • GetSysColor.USER32(00000010), ref: 6C1DBEB6
            • CreateCompatibleDC.GDI32(00000000), ref: 6C1DBECA
            • CreateCompatibleDC.GDI32(00000000), ref: 6C1DBEE2
            • GetObjectW.GDI32(10C2C95B,00000018,?), ref: 6C1DBF05
            • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C1DBF26
            • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C1DBF47
              • Part of subcall function 6C1DCFCA: SelectObject.GDI32(6C1E8A6F,?), ref: 6C1DCFD3
            • GetPixel.GDI32(?,00000000,00000000), ref: 6C1DBF8F
              • Part of subcall function 6C1DC8DA: SetBkColor.GDI32(?,6C1E8A6F), ref: 6C1DC8EF
              • Part of subcall function 6C1DC8DA: SetBkColor.GDI32(?,6C1E8A6F), ref: 6C1DC901
            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C1DBFB8
            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6C1DBFE2
            • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 6C1DC04D
            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 6C1DC076
            • DeleteDC.GDI32(00000000), ref: 6C1DC0EB
            • DeleteDC.GDI32(00000000), ref: 6C1DC10A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Create$Color$BitmapCompatibleDeleteH_prolog3Object$BrushPixelSelectSolid
            • String ID: (^5l$`g5l$`g5l
            • API String ID: 2254850417-3958563804
            • Opcode ID: d4c6334bfcad3e95d60db6482b97f7aeb28049a38a901dbf7e080b31f682b1f4
            • Instruction ID: c5c17e339e6cbbbfa82973e40e7026512b583586e5f3b0ad9de8b91bc09fc3e6
            • Opcode Fuzzy Hash: d4c6334bfcad3e95d60db6482b97f7aeb28049a38a901dbf7e080b31f682b1f4
            • Instruction Fuzzy Hash: F3810572900208AFDF01AFE4CD95FEEBB7AFF18305F210524F502A66A0DB716995DB60
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C25D781
            • CreateCompatibleDC.GDI32(00000000), ref: 6C25D7C9
            • GetObjectW.GDI32(?,00000018,?), ref: 6C25D7EA
            • SelectObject.GDI32(?,?), ref: 6C25D825
            • CreateCompatibleDC.GDI32(?), ref: 6C25D852
            • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6C25D8BA
            • SelectObject.GDI32(?,00000000), ref: 6C25D8D1
            • SelectObject.GDI32(?,00000000), ref: 6C25D8E3
            • SelectObject.GDI32(?,00000000), ref: 6C25D8FA
            • DeleteObject.GDI32(?), ref: 6C25D906
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
            • String ID: $(
            • API String ID: 1429849173-55695022
            • Opcode ID: 0ebbd99323cfc9daa2643204daf0464337d21c61456d5c3deea6f2e67db1a24a
            • Instruction ID: f042230377ba5eae83b9501b9eb99af1b628dc66a26ed0a79e9ca4066274e5c0
            • Opcode Fuzzy Hash: 0ebbd99323cfc9daa2643204daf0464337d21c61456d5c3deea6f2e67db1a24a
            • Instruction Fuzzy Hash: F6B13B31D01229DFDF25DF65CD44B9ABBB5BF5A301F0082EAE949A6251EB305A84CF20
            APIs
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
            • GetParent.USER32(6C1EA23E), ref: 6C1E5018
            • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6C1E503A
            • GetWindowRect.USER32(6C1EA23E,?), ref: 6C1E505E
            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C1E507E
            • MonitorFromWindow.USER32(00000000,00000001), ref: 6C1E50B7
            • GetMonitorInfoW.USER32(00000000), ref: 6C1E50BE
            • CopyRect.USER32(?,?), ref: 6C1E50CC
            • GetWindowRect.USER32(00000000,?), ref: 6C1E50D9
            • MonitorFromWindow.USER32(00000000,00000002), ref: 6C1E50E6
            • GetMonitorInfoW.USER32(00000000), ref: 6C1E50ED
            • CopyRect.USER32(?,?), ref: 6C1E50FB
            • GetParent.USER32(6C1EA23E), ref: 6C1E5105
            • GetClientRect.USER32(00000000,?), ref: 6C1E5112
            • GetClientRect.USER32(00000000,?), ref: 6C1E511D
            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 6C1E512B
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
            • String ID: (
            • API String ID: 3610148278-3887548279
            • Opcode ID: 506370bf4dd7006404ab813d3fce38538db22a4ae511315e752882758d68b03f
            • Instruction ID: ecea50eea3c1045b07e50399546c42c2627f112db461d0232df7cb596d041eff
            • Opcode Fuzzy Hash: 506370bf4dd7006404ab813d3fce38538db22a4ae511315e752882758d68b03f
            • Instruction Fuzzy Hash: 4D613F72A00609AFDF01CFA8C988AAE77B9FF49305F254215F515F7144EB71A9458B60
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1F9E4C
            • CreateRectRgnIndirect.GDI32(?), ref: 6C1F9E84
            • CopyRect.USER32(?,?), ref: 6C1F9E98
            • InflateRect.USER32(?,?,?), ref: 6C1F9EAE
            • IntersectRect.USER32(?,?,?), ref: 6C1F9EBA
            • CreateRectRgnIndirect.GDI32(?), ref: 6C1F9EC4
            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C1F9ED9
            • CombineRgn.GDI32(?,?,?,00000003), ref: 6C1F9EF3
            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C1F9F3A
            • SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C1F9F57
            • CopyRect.USER32(?,?), ref: 6C1F9F62
            • InflateRect.USER32(?,?,?), ref: 6C1F9F78
            • IntersectRect.USER32(?,?,?), ref: 6C1F9F84
            • SetRectRgn.GDI32(?,?,?,?,?), ref: 6C1F9F99
            • CombineRgn.GDI32(?,?,?,00000003), ref: 6C1F9FAA
            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C1F9FBE
            • CombineRgn.GDI32(?,?,?,00000003), ref: 6C1F9FD8
              • Part of subcall function 6C1F9DA1: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C1F9DE8
              • Part of subcall function 6C1F9DA1: CreatePatternBrush.GDI32(00000000), ref: 6C1F9DF5
              • Part of subcall function 6C1F9DA1: DeleteObject.GDI32(00000000), ref: 6C1F9E01
            • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C1FA036
              • Part of subcall function 6C1DC827: SelectObject.GDI32(?,00000000), ref: 6C1DC847
              • Part of subcall function 6C1DC827: SelectObject.GDI32(?,00000000), ref: 6C1DC85D
              • Part of subcall function 6C1DCC7E: SelectClipRgn.GDI32(?,00000000), ref: 6C1DCC9E
              • Part of subcall function 6C1DCC7E: SelectClipRgn.GDI32(?,00000000), ref: 6C1DCCB4
            • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C1FA099
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prolog3_Pattern
            • String ID:
            • API String ID: 770706554-0
            • Opcode ID: f0590ec74689938fb4751714612c498d23e650aad5b4941e2abe707955ccd332
            • Instruction ID: 1c3496321bc0fce95b053b4da1a39edfb61bc30c0f89294d5e802a1a94205b0a
            • Opcode Fuzzy Hash: f0590ec74689938fb4751714612c498d23e650aad5b4941e2abe707955ccd332
            • Instruction Fuzzy Hash: 5691F2B2A00218AFCF05DFE4D898DEEBBBAFF49305B044519F912A3650DB35A955CF60
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID:
            • String ID: #32768$AfxOldWndProc423
            • API String ID: 0-2141921550
            • Opcode ID: 28419ba737ea2b52bc37b8935f9bd26ee824fc82ceb2b60ab27d1339f4f5ee24
            • Instruction ID: 9b4577fe67b9fffbf092b45f5d2a42eb3ec29892a42f94421ac05e78c851de8d
            • Opcode Fuzzy Hash: 28419ba737ea2b52bc37b8935f9bd26ee824fc82ceb2b60ab27d1339f4f5ee24
            • Instruction Fuzzy Hash: 9B5109316446289BDF119F54CC88BEE3BB8EF1A719F104296F815EB680DB359A81CF91
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C25D277
            • GetObjectW.GDI32(00000000,00000018,?), ref: 6C25D2B5
            • CreateCompatibleDC.GDI32(00000000), ref: 6C25D2F4
            • SelectObject.GDI32(?,00000000), ref: 6C25D317
            • GetObjectW.GDI32(?,00000054,?), ref: 6C25D364
            • CreateDIBSection.GDI32(?,?), ref: 6C25D3C6
            • CreateCompatibleDC.GDI32(?), ref: 6C25D400
            • SelectObject.GDI32(?,00000000), ref: 6C25D419
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$Create$CompatibleSelect$H_prolog3_Section
            • String ID: (
            • API String ID: 1338481308-3887548279
            • Opcode ID: e6b21b9d0a8e77e9c972595d797ca6a05df35b39cc52ba8d3576c80d6bd75cd4
            • Instruction ID: df54d520b70bab217a91f25b0f0a6c2e9f34f565095ed52cb3d0b9a3b94c4c90
            • Opcode Fuzzy Hash: e6b21b9d0a8e77e9c972595d797ca6a05df35b39cc52ba8d3576c80d6bd75cd4
            • Instruction Fuzzy Hash: 22A14970901709DFDF61DF64C980B9AB7B5BF09305F1085A9E84EE7651EB30AA99CF20
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C2C892D
            • GetCursorPos.USER32(?), ref: 6C2C89E6
            • IsRectEmpty.USER32(?), ref: 6C2C8A1A
            • IsRectEmpty.USER32(?), ref: 6C2C8A41
            • IsRectEmpty.USER32(?), ref: 6C2C8A63
            • GetWindowRect.USER32(?,?), ref: 6C2C8A91
            • GetWindowRect.USER32(?,?), ref: 6C2C8AC1
            • PtInRect.USER32(?,?,?), ref: 6C2C8B0E
            • OffsetRect.USER32(?,?,00000000), ref: 6C2C8B26
              • Part of subcall function 6C2C9F12: __EH_prolog3.LIBCMT ref: 6C2C9F19
              • Part of subcall function 6C2C9F12: SetRectEmpty.USER32 ref: 6C2CA019
              • Part of subcall function 6C2C9F12: SetRectEmpty.USER32(?), ref: 6C2CA020
            • SetRectEmpty.USER32(?), ref: 6C2C8B49
            • OffsetRect.USER32(?,?,?), ref: 6C2C8CDA
            • IsRectEmpty.USER32(?), ref: 6C2C8CFA
            • IsRectEmpty.USER32(?), ref: 6C2C8D2D
            • PtInRect.USER32(?,00000000,00000000), ref: 6C2C8D41
            • OffsetRect.USER32(?,?,?), ref: 6C2C8D6D
            • IsRectEmpty.USER32(?), ref: 6C2C8D8C
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3_
            • String ID:
            • API String ID: 359163869-0
            • Opcode ID: 3341375ac367064970535fcbf03b6316c4c57039225501a5ccec8731119c0c93
            • Instruction ID: f117e793ebb7fb4d8b69619a740a94a9845d0b136a96f4e1b01f64d88bf7c41e
            • Opcode Fuzzy Hash: 3341375ac367064970535fcbf03b6316c4c57039225501a5ccec8731119c0c93
            • Instruction Fuzzy Hash: 5CE19D72B00219DFDF45CFA4C884AAEBBB9FF49305F14825AEC05AB645EB31E845CB51
            APIs
            • __EH_prolog3.LIBCMT ref: 6C25F687
            • CreateCompatibleDC.GDI32(00000000), ref: 6C25F6B5
            • GetObjectW.GDI32(?,00000018,?), ref: 6C25F6CE
            • SelectObject.GDI32(?,?), ref: 6C25F6EA
            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C25F70B
            • SelectObject.GDI32(?,00000000), ref: 6C25F71C
            • CreateCompatibleDC.GDI32(?), ref: 6C25F736
            • SelectObject.GDI32(?,?), ref: 6C25F74B
            • SelectObject.GDI32(?,00000000), ref: 6C25F75C
            • DeleteObject.GDI32(?), ref: 6C25F765
            • BitBlt.GDI32(?,00000000,00000000,000000FF,?,?,00000000,00000000,00CC0020), ref: 6C25F785
            • GetPixel.GDI32(?,?,00000000), ref: 6C25F7AB
            • SetPixel.GDI32(?,?,00000000,00000000), ref: 6C25F7F2
            • SelectObject.GDI32(?,?), ref: 6C25F819
            • SelectObject.GDI32(?,00000000), ref: 6C25F823
            • DeleteObject.GDI32(?), ref: 6C25F82B
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
            • String ID:
            • API String ID: 3639146769-0
            • Opcode ID: 45b978fa602621067990433351131c901d6c3979b9bfba4efa512c2b4741dc5c
            • Instruction ID: 24d57b0d72bc11a85745594a86c2bd6b2ca454db2fcc259f8a349ce74b773b1d
            • Opcode Fuzzy Hash: 45b978fa602621067990433351131c901d6c3979b9bfba4efa512c2b4741dc5c
            • Instruction Fuzzy Hash: 9A51F43191121EEFDF019FE4CD48AAFBB79FF09316F600125F912A66A0EB319961CB50
            APIs
            • GetKeyState.USER32(00000001), ref: 6C1FDE79
            • GetCursorPos.USER32(?), ref: 6C1FDE9E
            • ScreenToClient.USER32(?,?), ref: 6C1FDEAB
            • GetCapture.USER32 ref: 6C1FDF1D
            • ClientToScreen.USER32(?,?), ref: 6C1FDF60
            • WindowFromPoint.USER32(?,?), ref: 6C1FDF6C
            • IsChild.USER32(?,?), ref: 6C1FDF84
            • KillTimer.USER32(?,0000EC0A), ref: 6C1FDFC4
            • KillTimer.USER32(?,0000EC09), ref: 6C1FDFED
              • Part of subcall function 6C1E7FC4: GetForegroundWindow.USER32 ref: 6C1E7FD1
              • Part of subcall function 6C1E7FC4: GetLastActivePopup.USER32(?), ref: 6C1E7FE2
            • GetParent.USER32(?), ref: 6C1FE044
            • IsAppThemed.UXTHEME ref: 6C1FE09E
            • OpenThemeData.UXTHEME(?,REBAR), ref: 6C1FE0B0
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorDataForegroundFromLastOpenParentPointPopupStateThemeThemed
            • String ID: REBAR
            • API String ID: 214255902-925029515
            • Opcode ID: f672e93d92b00d66ef2876039ec1442ceea4c008ffec4a6c1111c88596c0d05e
            • Instruction ID: 501145810ac33bd40710c31fad057eba77a6339cb4dd534d9e641fd205705a1a
            • Opcode Fuzzy Hash: f672e93d92b00d66ef2876039ec1442ceea4c008ffec4a6c1111c88596c0d05e
            • Instruction Fuzzy Hash: AF61A371B00615AFDB04AF74C894ABD7BF9BF49309B140269E825D7B90EB71DD02CB91
            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 6C1FF54D
            • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 6C1FF55D
            • EncodePointer.KERNEL32(00000000,?,?), ref: 6C1FF566
            • DecodePointer.KERNEL32(00000000,?,?), ref: 6C1FF574
            • GetUserDefaultUILanguage.KERNEL32(?,?), ref: 6C1FF59B
            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C1FF5AB
            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C1FF5DF
            • GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1FF612
            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C1FF622
            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C1FF65F
            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C1FF69A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: DownlevelLocaleName___crt$DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
            • String ID: GetThreadPreferredUILanguages$kernel32.dll
            • API String ID: 404278886-1646127487
            • Opcode ID: e094ad18147c8e1277403b6e5aac94b77a09946ea6de4c28c592101d547e13da
            • Instruction ID: 174039722e8004ee17bc41bc262b144d8c93ccb2382eaf52a8847faadd8e3af2
            • Opcode Fuzzy Hash: e094ad18147c8e1277403b6e5aac94b77a09946ea6de4c28c592101d547e13da
            • Instruction Fuzzy Hash: BD513CB2E0025A9FDB14DFA4C984DEE77FDEF49314F000126E516A7650DB74AA09CFA1
            APIs
            • GetDlgCtrlID.USER32(?), ref: 6C1ECC4B
              • Part of subcall function 6C1F51FB: ShowWindow.USER32(?,00000000,?,?,6C1F29E0,00000000), ref: 6C1F520C
              • Part of subcall function 6C1EC9D7: GetDesktopWindow.USER32 ref: 6C1EC9E0
              • Part of subcall function 6C1EC9D7: GetWindow.USER32(00000000), ref: 6C1EC9E7
              • Part of subcall function 6C1EC9D7: GetWindowLongW.USER32(00000000,000000F0), ref: 6C1ECA15
              • Part of subcall function 6C1EC9D7: ShowWindow.USER32(00000000,00000000), ref: 6C1ECA30
              • Part of subcall function 6C1EC9D7: GetWindow.USER32(00000000,00000002), ref: 6C1ECA5E
            • GetDlgItem.USER32(?,?), ref: 6C1ECD08
            • ShowWindow.USER32(00000000,00000000,?,?,?), ref: 6C1ECD16
            • GetMenu.USER32(?), ref: 6C1ECD28
            • InvalidateRect.USER32(?,00000000,00000001), ref: 6C1ECD44
            • GetDlgItem.USER32(?,0000E900), ref: 6C1ECD90
            • SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 6C1ECDA4
            • GetDlgItem.USER32(?,0000EA21), ref: 6C1ECDC0
            • GetDlgItem.USER32(?,0000E900), ref: 6C1ECDD6
            • SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 6C1ECDE8
            • SetWindowLongW.USER32(?,000000F4,0000E900), ref: 6C1ECDF4
            • InvalidateRect.USER32(?,00000000,00000001), ref: 6C1ECE07
            • SetMenu.USER32(?,00000000), ref: 6C1ECE1E
            • GetDlgItem.USER32(?,?), ref: 6C1ECE7B
            • ShowWindow.USER32(?,00000005), ref: 6C1ECE89
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Item$LongShow$InvalidateMenuRect$CtrlDesktop
            • String ID:
            • API String ID: 2951210208-0
            • Opcode ID: eaa20678dd654b29266c1df1bb147b70b24c82229910ca50ad3557f356abc6f3
            • Instruction ID: 9c70c177a320fc1f26f47e9d4325eb725aac033a770ec87960ac3c3460d8e6eb
            • Opcode Fuzzy Hash: eaa20678dd654b29266c1df1bb147b70b24c82229910ca50ad3557f356abc6f3
            • Instruction Fuzzy Hash: 09D17C31B01A15EFDF04EF28CCA4BADBBB5BF59315F104265E916EB690DB70A940CB90
            APIs
              • Part of subcall function 6C1F95B7: GetFocus.USER32 ref: 6C1F95BB
              • Part of subcall function 6C1F95B7: GetParent.USER32(00000000), ref: 6C1F95DC
              • Part of subcall function 6C1F95B7: GetWindowLongW.USER32(00000000,000000F0), ref: 6C1F95FB
              • Part of subcall function 6C1F95B7: GetParent.USER32(00000000), ref: 6C1F9609
              • Part of subcall function 6C1F95B7: GetDesktopWindow.USER32 ref: 6C1F9611
              • Part of subcall function 6C1F95B7: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C1F9625
            • GetMenu.USER32(?), ref: 6C1EDEAD
            • GetMenuItemCount.USER32(?), ref: 6C1EDEEB
            • GetSubMenu.USER32(?,00000000), ref: 6C1EDF01
            • GetMenuItemCount.USER32(?), ref: 6C1EDF26
            • GetMenuItemID.USER32(?,00000000), ref: 6C1EDF40
            • GetSubMenu.USER32(?,?), ref: 6C1EDF5C
            • GetMenuItemID.USER32(?,00000000), ref: 6C1EDF74
            • GetMenuItemCount.USER32(?), ref: 6C1EDF95
            • GetMenuItemID.USER32(?,?), ref: 6C1EDFCB
            • SendMessageW.USER32(?,00000362,-0000E001,00000000), ref: 6C1EE087
            • UpdateWindow.USER32(?), ref: 6C1EE0A8
            • GetKeyState.USER32(00000079), ref: 6C1EE0C6
            • GetKeyState.USER32(00000012), ref: 6C1EE0D7
            • GetParent.USER32(?), ref: 6C1EE199
            • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C1EE1B3
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Menu$Item$CountMessageParentWindow$SendState$DesktopFocusLongPostUpdate
            • String ID:
            • API String ID: 1315724587-0
            • Opcode ID: 199b5a4fcf88f47f6d449fe93965a0be4d6daa28a1ac01fb50c76863ca1abe12
            • Instruction ID: cba8738434d31947ca80e1864010022bd78614cee08ed3f4e0eb9828ba0255ac
            • Opcode Fuzzy Hash: 199b5a4fcf88f47f6d449fe93965a0be4d6daa28a1ac01fb50c76863ca1abe12
            • Instruction Fuzzy Hash: B1C1CF30B00A16EFDB04DF64C884BADBBB5FF59315F144269E825E7690DB309981CF90
            APIs
            • IsRectEmpty.USER32(?), ref: 6C1F2B13
            • GetClientRect.USER32(?,?), ref: 6C1F2B5E
            • BeginDeferWindowPos.USER32(?), ref: 6C1F2B89
            • GetWindowRect.USER32(?,?), ref: 6C1F2C6F
            • OffsetRect.USER32(?,?,00000000), ref: 6C1F2CA6
            • OffsetRect.USER32(?,?,00000000), ref: 6C1F2CDC
            • OffsetRect.USER32(?,00000002,00000000), ref: 6C1F2D06
            • EqualRect.USER32(?,?), ref: 6C1F2D14
            • OffsetRect.USER32(?,00000000,?), ref: 6C1F2DE1
            • OffsetRect.USER32(?,00000000,00000002), ref: 6C1F2E19
            • OffsetRect.USER32(?,00000000,00000002), ref: 6C1F2E3F
            • EqualRect.USER32(?,?), ref: 6C1F2E76
            • EndDeferWindowPos.USER32(00000000), ref: 6C1F2F8C
            • SetRectEmpty.USER32(?), ref: 6C1F2F9D
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
            • String ID:
            • API String ID: 3160784657-0
            • Opcode ID: 86a0190276b66bc85b5f2672be2a437f88c50831d9cf02d9cd3f0762ca0dfab8
            • Instruction ID: 99f333e81506e86c90978cd972c9689cd618307c812de6c64a092893fda91971
            • Opcode Fuzzy Hash: 86a0190276b66bc85b5f2672be2a437f88c50831d9cf02d9cd3f0762ca0dfab8
            • Instruction Fuzzy Hash: 37022871A01249CFDF04CFA8C988BADBBF9FF59308F244269E815AB255D731A946CF50
            APIs
            • __EH_prolog3.LIBCMT ref: 6C254E3D
              • Part of subcall function 6C1D9B7C: __EH_prolog3.LIBCMT ref: 6C1D9B83
              • Part of subcall function 6C2E4A63: __EH_prolog3.LIBCMT ref: 6C2E4A6A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3
            • String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
            • API String ID: 431132790-2110171958
            • Opcode ID: 7cf37dccddb44e502749f9ad8bb7c38044b499adad52b72fe2a27935b37f9140
            • Instruction ID: 122d04174428960d6caf44aa6e7f4f90f6177322c4640964e3fe4412fc28fb0d
            • Opcode Fuzzy Hash: 7cf37dccddb44e502749f9ad8bb7c38044b499adad52b72fe2a27935b37f9140
            • Instruction Fuzzy Hash: 5E61927190930F95EF04DBB89924BEFB7E45F0A31CF60042AA915EBEC0EF35961C8651
            APIs
            • __EH_prolog3.LIBCMT ref: 6C2662C5
              • Part of subcall function 6C257770: __EH_prolog3.LIBCMT ref: 6C257777
            • GetWindowRect.USER32(?,?), ref: 6C2663AB
              • Part of subcall function 6C1F4F59: GetDlgCtrlID.USER32(?), ref: 6C1F4F64
              • Part of subcall function 6C267FCB: GetWindowRect.USER32(?,?), ref: 6C267FD9
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3RectWindow$Ctrl
            • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
            • API String ID: 2598721110-2628993547
            • Opcode ID: c9c4bb28a09873c763232139bec459f48c05ad8089f8fb911448f0845c3565fe
            • Instruction ID: 25756e09344ad938c63eda3ed920e6f5bb9904b5d5a3673af626867d2526e300
            • Opcode Fuzzy Hash: c9c4bb28a09873c763232139bec459f48c05ad8089f8fb911448f0845c3565fe
            • Instruction Fuzzy Hash: BC811835A00219DFCF04DFA5C894AFDBB76BF99314F090469E916AB7A1CB35A801CF60
            APIs
            • LoadResource.KERNEL32(?,?,?,?,00000000), ref: 6C1E0890
            • LockResource.KERNEL32(00000000), ref: 6C1E089F
              • Part of subcall function 6C1E07DA: _memcpy_s.LIBCMT ref: 6C1E07E9
            • GetSysColor.USER32 ref: 6C1E0923
            • GetSysColor.USER32 ref: 6C1E0936
            • GetSysColor.USER32 ref: 6C1E0951
            • GetDC.USER32(00000000), ref: 6C1E0987
            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 6C1E0997
            • CreateCompatibleDC.GDI32(00000000), ref: 6C1E09A5
            • SelectObject.GDI32(00000000,?), ref: 6C1E09B1
            • StretchDIBits.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C1E09E4
            • SelectObject.GDI32(00000000,00000000), ref: 6C1E09EC
            • DeleteDC.GDI32(00000000), ref: 6C1E09F3
            • ReleaseDC.USER32(00000000,00000000), ref: 6C1E09FF
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch_memcpy_s
            • String ID:
            • API String ID: 367613035-0
            • Opcode ID: a893d176c3e89dbb43f875bd90e9612993129eb36daad88dca8474b9b5ac4cca
            • Instruction ID: 30c1f446f9466a551be90ffeadaf9a0d490fa130a453ecdaa9ea561097cdb528
            • Opcode Fuzzy Hash: a893d176c3e89dbb43f875bd90e9612993129eb36daad88dca8474b9b5ac4cca
            • Instruction Fuzzy Hash: F541B472A01218AFEB009F69CC84EBEBBBDFF8A351B158159F505E7341DB319941DBA0
            APIs
            • EnableMenuItem.USER32(?,?,00000403), ref: 6C1F45B8
            • GetFocus.USER32 ref: 6C1F45D2
            • GetParent.USER32(?), ref: 6C1F45DD
            • SendMessageW.USER32(?,00000028,00000000,00000000), ref: 6C1F45F2
            • CheckMenuItem.USER32(?,?,00000400), ref: 6C1F4645
            • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6C1F4660
            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 6C1F467D
            • SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 6C1F46EA
            • SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 6C1F473A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ItemMenu$MessageSend$BitmapsCheckEnableFocusInfoParent
            • String ID: 0$@
            • API String ID: 2977031974-1545510068
            • Opcode ID: 385fee01c16eb0221f17acea088d24d342a0197a0d20b83beabe2f0c2868449e
            • Instruction ID: 694e84a21f5640b0768ddc308594b66f155cfa2c492c2dd4f7935e77d8a4e3d2
            • Opcode Fuzzy Hash: 385fee01c16eb0221f17acea088d24d342a0197a0d20b83beabe2f0c2868449e
            • Instruction Fuzzy Hash: A251BD71200204EFDB20CF15C944B9ABBF9FF50729F148629E6699BA50DB71E887CF90
            APIs
            • __EH_prolog3.LIBCMT ref: 6C2660C8
              • Part of subcall function 6C257770: __EH_prolog3.LIBCMT ref: 6C257777
              • Part of subcall function 6C1F4F59: GetDlgCtrlID.USER32(?), ref: 6C1F4F64
              • Part of subcall function 6C263414: __EH_prolog3.LIBCMT ref: 6C26341B
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3$Ctrl
            • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
            • API String ID: 3879667756-2628993547
            • Opcode ID: a142bba265a3730281bab1ba516ff7d27dcf2f30770fe539dca39aa7a21812de
            • Instruction ID: ee58e61cb69c537a267c04637a9090e696da8044a8eb5e04f8db5bf4f35a9b64
            • Opcode Fuzzy Hash: a142bba265a3730281bab1ba516ff7d27dcf2f30770fe539dca39aa7a21812de
            • Instruction Fuzzy Hash: 67517F31A0052AABDF04DF64C894AEEBB7AFF89314B140559E816AB381CF35AD05CF91
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C21048E
            • SetCursor.USER32(?,00000048,6C20F935,00000000,00000200,00000000), ref: 6C21052D
              • Part of subcall function 6C1DD0FD: __EH_prolog3.LIBCMT ref: 6C1DD104
              • Part of subcall function 6C1DD0FD: GetDC.USER32(00000000), ref: 6C1DD130
              • Part of subcall function 6C1F9E45: __EH_prolog3_GS.LIBCMT ref: 6C1F9E4C
              • Part of subcall function 6C1F9E45: CreateRectRgnIndirect.GDI32(?), ref: 6C1F9E84
              • Part of subcall function 6C1F9E45: CopyRect.USER32(?,?), ref: 6C1F9E98
              • Part of subcall function 6C1F9E45: InflateRect.USER32(?,?,?), ref: 6C1F9EAE
              • Part of subcall function 6C1F9E45: IntersectRect.USER32(?,?,?), ref: 6C1F9EBA
              • Part of subcall function 6C1F9E45: CreateRectRgnIndirect.GDI32(?), ref: 6C1F9EC4
              • Part of subcall function 6C1F9E45: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C1F9ED9
              • Part of subcall function 6C1F9E45: CombineRgn.GDI32(?,?,?,00000003), ref: 6C1F9EF3
              • Part of subcall function 6C1F9E45: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C1F9F3A
              • Part of subcall function 6C1F9E45: SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C1F9F57
              • Part of subcall function 6C1F9E45: CopyRect.USER32(?,?), ref: 6C1F9F62
              • Part of subcall function 6C1DD152: ReleaseDC.USER32(?,00000000), ref: 6C1DD186
            • GetFocus.USER32 ref: 6C2105C4
            • SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 6C2106B5
            • TrackMouseEvent.USER32(?,?,?,?,?,?,00000000), ref: 6C2106EC
            • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C210772
            • InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 6C2108AD
            • InflateRect.USER32(?,00000000,?), ref: 6C2108F3
            • RedrawWindow.USER32(?,?,00000000,00000401,?,?,?,?,?,00000000), ref: 6C210906
            • KillTimer.USER32(?,0000EC07,?,?,?,?,?,00000000), ref: 6C210995
            • SetTimer.USER32(?,0000EC07,000001F4,00000000), ref: 6C2109B3
            • UpdateWindow.USER32(?), ref: 6C2109DC
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$Create$Timer$CopyH_prolog3_IndirectInflateWindow$CombineCursorEventFocusH_prolog3IntersectInvalidateKillMessageMouseRedrawReleaseSendTrackUpdate
            • String ID:
            • API String ID: 3035320136-0
            • Opcode ID: 9815218c243592859abc88d8f6b770b1fb66a3236458ece57c54a275f98ae673
            • Instruction ID: 26ff60619c3a1b9e5f22963c6bad3266cd35d7014683b1e33404c6c63c2ada2f
            • Opcode Fuzzy Hash: 9815218c243592859abc88d8f6b770b1fb66a3236458ece57c54a275f98ae673
            • Instruction Fuzzy Hash: C9F17F70A0565AAFDB04CF64C854BEDBBF5BF45329F204319F92597A90DB30A861CF90
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C20F384
              • Part of subcall function 6C260644: __EH_prolog3_catch.LIBCMT ref: 6C26064B
              • Part of subcall function 6C268355: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C2683EA
              • Part of subcall function 6C268355: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C268400
              • Part of subcall function 6C268355: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C26840B
              • Part of subcall function 6C268355: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C268416
              • Part of subcall function 6C268355: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C268421
              • Part of subcall function 6C268355: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C26842C
            • EnableMenuItem.USER32(?,0000420F,00000001), ref: 6C20F58C
            • EnableMenuItem.USER32(?,0000420E,00000001), ref: 6C20F5A7
            • CheckMenuItem.USER32(?,00004214,00000008), ref: 6C20F5DB
            • CheckMenuItem.USER32(?,00004212,00000008), ref: 6C20F5ED
            • EnableMenuItem.USER32(?,00004212,00000001), ref: 6C20F622
            • EnableMenuItem.USER32(?,00004212,00000001), ref: 6C20F651
            • EnableMenuItem.USER32(?,00004213,00000001), ref: 6C20F660
            • EnableMenuItem.USER32(?,00004214,00000001), ref: 6C20F66F
            • EnableMenuItem.USER32(?,00004215,00000001), ref: 6C20F6C1
            • CheckMenuItem.USER32(?,00004215,00000008), ref: 6C20F6D9
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ContextExternal$ItemMenu$Enable$BaseBase::~Concurrency::details::$Check$H_prolog3_H_prolog3_catch
            • String ID:
            • API String ID: 3031833757-0
            • Opcode ID: 9871148897aa2a4fb9d7dadc692c2cf56ab552fbbca26bc23675e09e42257545
            • Instruction ID: a0d7652bc84ba7ee87ba06083dbb59c41493dcf0b25f355c70309d0ee3a4d705
            • Opcode Fuzzy Hash: 9871148897aa2a4fb9d7dadc692c2cf56ab552fbbca26bc23675e09e42257545
            • Instruction Fuzzy Hash: AAB18030B4161AEFDB04CF15C844A9ABBB4FF05719F14826AFD159BA90DB709941CF98
            APIs
            • __EH_prolog3.LIBCMT ref: 6C2903E0
            • GetObjectW.GDI32(00000018,00000018,00000000), ref: 6C2903F7
              • Part of subcall function 6C290336: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6C2903AD
            • CreateCompatibleDC.GDI32(00000000), ref: 6C290477
            • SelectObject.GDI32(?,00000018), ref: 6C29048A
            • CreateCompatibleDC.GDI32(00000000), ref: 6C2904A8
            • SelectObject.GDI32(?,?), ref: 6C2904BD
            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C2904DC
            • SelectObject.GDI32(?,00000000), ref: 6C2904EA
            • SelectObject.GDI32(?,00000000), ref: 6C2904F4
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$Select$Create$Compatible$H_prolog3Section
            • String ID:
            • API String ID: 2431383920-3916222277
            • Opcode ID: 818632b7163ae8602921820240e1b19d40757b57e9ccc831fa2c567ae288fbbe
            • Instruction ID: a0d5f03e663dfd437997583ec54f0b80b625ddd7b22b15d8472b3ef24482c9aa
            • Opcode Fuzzy Hash: 818632b7163ae8602921820240e1b19d40757b57e9ccc831fa2c567ae288fbbe
            • Instruction Fuzzy Hash: 9641AC72E0021DAFDB01DFE5CC84AEEBB79FF49316F108129F911A6694DB319849CB60
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1E87B0
            • SendMessageW.USER32(?,00000000,00000000,00000080), ref: 6C1E87F7
            • SendMessageW.USER32(?,00000000,00000000,?), ref: 6C1E8823
            • ValidateRect.USER32(?,00000000,?,?,?,?,?,?,?,?,?,?,000000AC), ref: 6C1E8836
              • Part of subcall function 6C1FEDA9: GetClientRect.USER32(?,?), ref: 6C1FEE0D
            • GetClientRect.USER32(?,?), ref: 6C1E88A7
            • BeginPaint.USER32(?,?,?,?,?,?,?,?,?,?,?,?,000000AC), ref: 6C1E88B4
            • SendMessageW.USER32(?,00000000,00000000,?), ref: 6C1E88EA
            • SendMessageW.USER32(?,00000000,00000000), ref: 6C1E890C
            • EndPaint.USER32(?,?,?,?,?,?,?,?,?,?,?,?,000000AC), ref: 6C1E8924
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSend$Rect$ClientPaint$BeginH_prolog3_Validate
            • String ID: W
            • API String ID: 3883544035-655174618
            • Opcode ID: e1cd9ca167a7a2bb8d9ca97e0cce284e1d6a19192c72e9b4d8237fe31e231948
            • Instruction ID: 21ae11f1e9a1c626522153a1946cc3897e06b5980800ada0d6067855d7d7047a
            • Opcode Fuzzy Hash: e1cd9ca167a7a2bb8d9ca97e0cce284e1d6a19192c72e9b4d8237fe31e231948
            • Instruction Fuzzy Hash: F841C231E00605DBEF119FA5C854BAEB7B9FF89309F10452EE066D2A20EB319955CF50
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1F9310
            • GetObjectW.GDI32(?,00000018,?), ref: 6C1F932D
            • GetSystemMetrics.USER32(00000032), ref: 6C1F9340
            • GetSystemMetrics.USER32(00000031), ref: 6C1F934B
            • GetMenuItemInfoW.USER32(00000000,?,00000000,00000030), ref: 6C1F938D
            • GetMenuItemInfoW.USER32(00000000,?,00000000,00000030), ref: 6C1F93B8
            • GetSystemMetrics.USER32(0000000F), ref: 6C1F9420
            • GetSystemMetrics.USER32(0000000F), ref: 6C1F942C
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MetricsSystem$InfoItemMenu$H_prolog3Object
            • String ID: 0$@
            • API String ID: 414968830-1545510068
            • Opcode ID: 98e515166b902ca6fc4dac2cd44bba4e8fbe05c807022b0f35729f6299c9173e
            • Instruction ID: 615ddb3f8ec6c3d1951383e88bdf8dff3374d129e61bad9879430aa43bb1775b
            • Opcode Fuzzy Hash: 98e515166b902ca6fc4dac2cd44bba4e8fbe05c807022b0f35729f6299c9173e
            • Instruction Fuzzy Hash: 25416972E00219ABDF01DFA0CD95FEEB7B8BF15305F154515E915BB680EB70AA09CB60
            APIs
            • CoInitialize.OLE32(00000000), ref: 6C1FF04C
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Initialize
            • String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
            • API String ID: 2538663250-1403614551
            • Opcode ID: 1e5fddac975b7f9616d68f5d0db194c7944d991066ea331787646178993fa99e
            • Instruction ID: 91dca7b850c967dd4bee2e49eb28395f48061010cfb7fbe67cbf60772283a1fc
            • Opcode Fuzzy Hash: 1e5fddac975b7f9616d68f5d0db194c7944d991066ea331787646178993fa99e
            • Instruction Fuzzy Hash: 42219075610706AFD7205E75DC44F577AEEEB4A249F100A29F473D2D50EBB4D406CA60
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C2013DD
            • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C2015B5
            • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C20177D
            • InvalidateRect.USER32(?,00000000,00000001), ref: 6C2017A3
            • UpdateWindow.USER32(?), ref: 6C2017C5
            • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C201882
            • InvalidateRect.USER32(?,00000000,00000001), ref: 6C2018A8
            • UpdateWindow.USER32(?), ref: 6C2018CA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSend$InvalidateRectUpdateWindow$H_prolog3_
            • String ID: :/\
            • API String ID: 2009545923-2793184486
            • Opcode ID: 84f1899ecf149a2a44981fa2de818a775c7df7d1a7d3aef8c479edb1311b424b
            • Instruction ID: 97c3cbaba05c1d3440926513547114fc967cd25a203d9989c24cf47d91f5c505
            • Opcode Fuzzy Hash: 84f1899ecf149a2a44981fa2de818a775c7df7d1a7d3aef8c479edb1311b424b
            • Instruction Fuzzy Hash: ACF108356006598FCF14EB64CCA8BED77B5BF49309F1501D9E50A9B3A1DB34AA89CF10
            APIs
              • Part of subcall function 6C1FEBED: __EH_prolog3_catch.LIBCMT ref: 6C1FEBF4
            • GetModuleHandleW.KERNEL32(comctl32.dll,6C255DDD,?,00000000,?,?,6C205C94,?,?,?,0000001C,6C204AF1,?,?), ref: 6C255C91
            • GetUserDefaultUILanguage.KERNEL32(?,?,6C205C94,?,?,?,0000001C,6C204AF1,?,?), ref: 6C255CA1
            • FindResourceExW.KERNEL32(00000000,00000005,000003EE,0000FC11,?,?,6C205C94,?,?,?,0000001C,6C204AF1,?,?), ref: 6C255CDF
            • FindResourceW.KERNEL32(00000000,000003EE,00000005,?,?,6C205C94,?,?,?,0000001C,6C204AF1,?,?), ref: 6C255CFE
            • LoadResource.KERNEL32(00000000,00000000,?,?,6C205C94,?,?,?,0000001C,6C204AF1,?,?), ref: 6C255D0A
              • Part of subcall function 6C255E1B: GetDC.USER32(00000000), ref: 6C255E6E
              • Part of subcall function 6C255E1B: EnumFontFamiliesExW.GDI32(00000000,?,6C255E05,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6C255E89
              • Part of subcall function 6C255E1B: ReleaseDC.USER32(00000000,00000000), ref: 6C255E91
            • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,0000001C,6C204AF1,?,?), ref: 6C255D3A
            • GlobalFree.KERNEL32(00000001), ref: 6C255DB2
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Resource$FindGlobal$AllocDefaultEnumFamiliesFontFreeH_prolog3_catchHandleLanguageLoadModuleReleaseUser
            • String ID: MS UI Gothic$comctl32.dll
            • API String ID: 1488066090-3248924666
            • Opcode ID: 2e97cb134800757e253f4cc582b2edfc602816991ae4323a38c97d4c46d44160
            • Instruction ID: 03d73de119c9d861d03bf9c763021151b14c8810db6fc89bd3cc57cbd08ddf5c
            • Opcode Fuzzy Hash: 2e97cb134800757e253f4cc582b2edfc602816991ae4323a38c97d4c46d44160
            • Instruction Fuzzy Hash: 6E41F43620160AABE7105B64CC49BBB37ECDF4671AF504039FD26CBB80EB75D8518761
            APIs
            • __EH_prolog3_catch_GS.LIBCMT ref: 6C1EA395
            • GetPropW.USER32(?,AfxOldWndProc423), ref: 6C1EA3AC
            • CallWindowProcW.USER32(?,?,00000110,?,?), ref: 6C1EA40C
              • Part of subcall function 6C1EA1AA: GetWindowRect.USER32(6C1DAA2A,6C1DAA2A), ref: 6C1EA1E3
              • Part of subcall function 6C1EA1AA: GetWindow.USER32(00000004,00000004), ref: 6C1EA200
            • SetWindowLongW.USER32(?,000000FC,?), ref: 6C1EA42F
            • RemovePropW.USER32(?,AfxOldWndProc423), ref: 6C1EA43B
            • GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6C1EA446
            • GlobalDeleteAtom.KERNEL32(?), ref: 6C1EA450
              • Part of subcall function 6C1EA186: GetWindowRect.USER32(6C1DAA2A,00000000), ref: 6C1EA193
            • CallWindowProcW.USER32(?,?,?,?,?), ref: 6C1EA498
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
            • String ID: AfxOldWndProc423
            • API String ID: 3351853316-1060338832
            • Opcode ID: 752d314cfe08bb4d33da2663bafcdfd19b4cf055355309c4b1fc39e052c0f742
            • Instruction ID: 80d32e7b130b180a021bf076d49c220ad3f7e53583a3b23cbec1888e9679fa64
            • Opcode Fuzzy Hash: 752d314cfe08bb4d33da2663bafcdfd19b4cf055355309c4b1fc39e052c0f742
            • Instruction Fuzzy Hash: FD31AE72901608BBCB009FA4CC48DEE7FBDEF4E315B144209F912E7A10DB399991DBA0
            APIs
            • GetDC.USER32(00000000), ref: 6C1E2348
            • GetSystemMetrics.USER32(00000048), ref: 6C1E236A
            • CreateFontW.GDI32(00000000), ref: 6C1E2371
            • SelectObject.GDI32(00000000,00000000), ref: 6C1E237F
            • GetCharWidthW.GDI32(00000000,00000036,00000036,6C3A88FC), ref: 6C1E2391
            • SelectObject.GDI32(00000000,00000000), ref: 6C1E239D
            • DeleteObject.GDI32(00000000), ref: 6C1E23A4
            • ReleaseDC.USER32(00000000,00000000), ref: 6C1E23AD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
            • String ID: Marlett
            • API String ID: 1397664628-3688754224
            • Opcode ID: 319ea8667eaa5711b22bf734b312ea07a4b48550359e4573037bfc5faf6b940d
            • Instruction ID: b8dc6510a025d76721f81a39f71713704697e774889ea4c2a6f9bdee536b3e09
            • Opcode Fuzzy Hash: 319ea8667eaa5711b22bf734b312ea07a4b48550359e4573037bfc5faf6b940d
            • Instruction Fuzzy Hash: ED014F313026917BD6251EA64C4CE6B3E7DEBCBF63F144218F615D5181DA654C41DB31
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 58d6d1a17ce602f5c2c26938677bd4e762b6a5f72e120eb4bcd801d3a62c68f6
            • Instruction ID: b853f52129c66b9b6a4c929c8aacb7b4609f3fb6fde02897dfba712ef3a267ca
            • Opcode Fuzzy Hash: 58d6d1a17ce602f5c2c26938677bd4e762b6a5f72e120eb4bcd801d3a62c68f6
            • Instruction Fuzzy Hash: 66028835A00A19EFCB01CF69C9A0ADEB7B5FF4E314F158259E916AB711D731AC81CB90
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
            • String ID:
            • API String ID: 2135910768-0
            • Opcode ID: fc2fb17b7a98ccdbcb645bf235eab43f8675dbb157f5f5b9cc070ed0abeaeaa0
            • Instruction ID: a2dbc5d5921f78e69367dcdad2acc3306df67325b6ccdc336ba254b049ca842a
            • Opcode Fuzzy Hash: fc2fb17b7a98ccdbcb645bf235eab43f8675dbb157f5f5b9cc070ed0abeaeaa0
            • Instruction Fuzzy Hash: E671D131F04219EFDF049F64C884BAEB7B9FF49304F1545A5E926A3A41CB38A8438F90
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C25E0AE
            • GetObjectW.GDI32(?,00000018,?), ref: 6C25E0D3
            • GetObjectW.GDI32(?,00000054,?), ref: 6C25E118
            • CreateCompatibleDC.GDI32(00000000), ref: 6C25E204
            • SelectObject.GDI32(?,?), ref: 6C25E226
            • GetPixel.GDI32(?,00000000,00000000), ref: 6C25E285
            • GetPixel.GDI32(?,?,00000000), ref: 6C25E297
            • SetPixel.GDI32(?,00000000,00000000,00000000), ref: 6C25E2A6
            • SetPixel.GDI32(?,?,00000000,00000000), ref: 6C25E2B8
            • SelectObject.GDI32(?,00000000), ref: 6C25E306
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
            • String ID:
            • API String ID: 1266819874-0
            • Opcode ID: 95f2d32b0059c804802d850c6c6ababe0a1174e674b9686ebe737943b4ffedc8
            • Instruction ID: f8d0dbf08668734eeee0e9749f662a266c671c04f64b8ded66deeb82fa3e37d1
            • Opcode Fuzzy Hash: 95f2d32b0059c804802d850c6c6ababe0a1174e674b9686ebe737943b4ffedc8
            • Instruction Fuzzy Hash: 8B813B71E002298BDF20CFA9C884A9EBBB5FF49305F648169E859E7701DB309D95CF90
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1F0E0B
            • GetMenuItemCount.USER32(?), ref: 6C1F0E37
            • GetSubMenu.USER32(?,00000000), ref: 6C1F0E6D
            • GetMenuState.USER32(?,?,00000400), ref: 6C1F0E8A
            • GetSubMenu.USER32(?,00000000), ref: 6C1F0EE7
            • GetMenuStringW.USER32(?,?,?,00000100,00000400), ref: 6C1F0F10
            • AppendMenuW.USER32(?,00000010,?,?), ref: 6C1F0F98
            • GetMenuItemCount.USER32(00000000), ref: 6C1F1008
            • InsertMenuW.USER32(?,00000000,?,00000000), ref: 6C1F1035
            • GetMenuItemID.USER32(?,?), ref: 6C1F1066
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString
            • String ID:
            • API String ID: 2171526683-0
            • Opcode ID: c366a27b2686ec1620023057cb6bd1697ade0b77f16c7163bd33484d679a244a
            • Instruction ID: b26e27ccfc35738f960497760efd2b66449866ac8a85a50d2593e0552ee6baeb
            • Opcode Fuzzy Hash: c366a27b2686ec1620023057cb6bd1697ade0b77f16c7163bd33484d679a244a
            • Instruction Fuzzy Hash: 4361447194222CAFDF20DF64CD88BD9B7B4BB18305F1041E9E419A62A1DB359EC2CF50
            APIs
            • __EH_prolog3_catch.LIBCMT ref: 6C1EAC57
            • FindResourceW.KERNEL32(?,00000000,00000005,00000024,6C1D7C26), ref: 6C1EAC98
            • LoadResource.KERNEL32(?,00000000), ref: 6C1EACA4
            • LockResource.KERNEL32(?,00000024,6C1D7C26), ref: 6C1EACB4
            • GetDesktopWindow.USER32 ref: 6C1EACEB
            • IsWindowEnabled.USER32(00000000), ref: 6C1EACF6
            • EnableWindow.USER32(00000000,00000000), ref: 6C1EAD02
            • EnableWindow.USER32(00000000,00000001), ref: 6C1EADE6
            • GetActiveWindow.USER32 ref: 6C1EADF0
            • SetActiveWindow.USER32(00000000,?,00000024,6C1D7C26), ref: 6C1EADFC
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Resource$ActiveEnable$DesktopEnabledFindH_prolog3_catchLoadLock
            • String ID:
            • API String ID: 723642982-0
            • Opcode ID: 25a70e085b359f52572b28c9766e5c438c7eed2605847d651c1d34b565890808
            • Instruction ID: 3411f41cf7ac6a234003ffc79e248a10873f2aaca9575bed14d4c6b9dd0ca055
            • Opcode Fuzzy Hash: 25a70e085b359f52572b28c9766e5c438c7eed2605847d651c1d34b565890808
            • Instruction Fuzzy Hash: B4518F30A01B16DBDF009FA0C884BEEBBB9BF4C719F140215E926E7791DB349845CBA1
            APIs
            • DefWindowProcW.USER32(?,00000046,00000000,?,?), ref: 6C1FE20F
            • GetWindowRect.USER32(?,?), ref: 6C1FE22E
            • SetRect.USER32(?,?,00000000,?,?), ref: 6C1FE26D
            • InvalidateRect.USER32(?,?,00000001), ref: 6C1FE27C
            • SetRect.USER32(?,?,00000000,?,?), ref: 6C1FE294
            • InvalidateRect.USER32(?,?,00000001), ref: 6C1FE2A3
            • SetRect.USER32(?,00000000,?,?,?), ref: 6C1FE2CB
            • InvalidateRect.USER32(?,?,00000001), ref: 6C1FE2DA
            • SetRect.USER32(?,00000000,?,00000001,?), ref: 6C1FE2F1
            • InvalidateRect.USER32(?,?,00000001), ref: 6C1FE300
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$Invalidate$Window$Proc
            • String ID:
            • API String ID: 570070710-0
            • Opcode ID: 6d7bcd20f5af7d6d017f01721a28eb4d4d01d0d378ccafaa71e173bb52e1036d
            • Instruction ID: b2c6734aa4d641b0e59e5fb3857853f451500bb5684158a0bd4f97face724797
            • Opcode Fuzzy Hash: 6d7bcd20f5af7d6d017f01721a28eb4d4d01d0d378ccafaa71e173bb52e1036d
            • Instruction Fuzzy Hash: 0B411D72A00209AFDF10CFA4C989FAFBBBDFF49705F104619F645A6190E771AA44CB61
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1FBB53
            • ClientToScreen.USER32(?,?), ref: 6C1FBB72
            • GetSystemMetrics.USER32(00000025), ref: 6C1FBB7A
            • GetSystemMetrics.USER32(00000025), ref: 6C1FBB90
            • GetSystemMetrics.USER32(00000024), ref: 6C1FBBA4
            • GetSystemMetrics.USER32(00000024), ref: 6C1FBBB8
              • Part of subcall function 6C1E8974: __snprintf_s.LIBCMT ref: 6C1E89C0
              • Part of subcall function 6C1E8974: GetClassInfoW.USER32(?,0000007C,?), ref: 6C1E8A24
            • CreateEllipticRgn.GDI32(00000000,00000000,00000020,00000020,?,00007921,?,?,?,?,00000010), ref: 6C1FBC31
            • SetWindowRgn.USER32(?,?,00000001), ref: 6C1FBC48
            • SetCapture.USER32(?,?,00007921,?,?,?,?,00000010), ref: 6C1FBC51
            • SetTimer.USER32(?,0000EC08,00000032,00000000), ref: 6C1FBC6A
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MetricsSystem$CaptureClassClientCreateEllipticH_prolog3InfoScreenTimerWindow__snprintf_s
            • String ID:
            • API String ID: 1263403047-0
            • Opcode ID: 146953c3f73f685ad343372034529202f948e3a594247a27feabd4b690dad34d
            • Instruction ID: cafbba68059cd237f495af068a88ebf5f776992e1636bbbeeae68d3e94116c24
            • Opcode Fuzzy Hash: 146953c3f73f685ad343372034529202f948e3a594247a27feabd4b690dad34d
            • Instruction Fuzzy Hash: CB313B71700605AFEB18DF74CC59FAEBBB8FF48306F100619A65A9B291DB71A811CB90
            APIs
            • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C1E2A05
            • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C1E2A4F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessagePost
            • String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$RestartByRestartManager
            • API String ID: 410705778-5890034
            • Opcode ID: b98b06548be82d1ae0f9ad337fbf012d398464e1b23c5b6f2a0f4d931a33246c
            • Instruction ID: 23810a7f5c187bc9f40e2c8a9c4c8b70c190ff80cb1f315750b47911200a98aa
            • Opcode Fuzzy Hash: b98b06548be82d1ae0f9ad337fbf012d398464e1b23c5b6f2a0f4d931a33246c
            • Instruction Fuzzy Hash: 79B19D72A00519AFCF05DFA4C868AFEBBB9EF5D214F150069E902E7750EB35AD05CB60
            APIs
            • __EH_prolog3.LIBCMT ref: 6C2ECD14
              • Part of subcall function 6C2523BE: __EH_prolog3.LIBCMT ref: 6C2523C5
              • Part of subcall function 6C313520: SetRectEmpty.USER32(?), ref: 6C313555
            • SetRectEmpty.USER32(?), ref: 6C2ECE44
            • SetRectEmpty.USER32 ref: 6C2ECE55
            • SetRectEmpty.USER32(?), ref: 6C2ECE5C
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: EmptyRect$H_prolog3
            • String ID: (^5l$D}5l$False$True
            • API String ID: 3752103406-2130360778
            • Opcode ID: 289957753dd94d7b538422ce5df50a77b1a045c97a36dca6d86498fda4a93a04
            • Instruction ID: 852241304e5b2b66192ef6a82fc2f3e50a4ea8d28b8311ff9ee5bc0aebdc4161
            • Opcode Fuzzy Hash: 289957753dd94d7b538422ce5df50a77b1a045c97a36dca6d86498fda4a93a04
            • Instruction Fuzzy Hash: FA510EB09052018FCB4ACF29D484BE9BBE8BF08304F4881BEA81D8F796CB701244CF65
            APIs
            • LoadLibraryW.KERNEL32(Comctl32.dll,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 6C1DA60F
              • Part of subcall function 6C1DA43B: GetProcAddress.KERNEL32(00000000,?), ref: 6C1DA469
            • GetModuleFileNameW.KERNEL32(?,?,00000105,?,6C1E3B60,00000000,6C39A3F8,00000014,6C1E3C28,InitCommonControlsEx,6C39A418,00000010,6C1E91DD,00000008,?), ref: 6C1DA529
            • SetLastError.KERNEL32(0000006F,?,6C1E3B60,00000000,6C39A3F8,00000014,6C1E3C28,InitCommonControlsEx,6C39A418,00000010,6C1E91DD,00000008,?), ref: 6C1DA53D
            • GetLastError.KERNEL32(00000020), ref: 6C1DA594
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
            • String ID: $@$Comctl32.dll$GetModuleHandleExW
            • API String ID: 3640817601-4183358198
            • Opcode ID: f7c8e6c488732ddd282026f1b6b555e6ed322f7317c754dc2419325fdf8ce034
            • Instruction ID: 3fab58611c6b03b0e13a52cf574522305fd0fdde41ea10c98954eb1c99c13c4f
            • Opcode Fuzzy Hash: f7c8e6c488732ddd282026f1b6b555e6ed322f7317c754dc2419325fdf8ce034
            • Instruction Fuzzy Hash: A1410471A01215DAEF20CF64CC88BDD76B8EB51318F210296E419E65D0EB78EA85CF51
            APIs
            • EnterCriticalSection.KERNEL32(6C3B1BF4,?,00000000,?,6C20AB85,00000001,00000000,?,?,6C20A81B,?,00000000,?,?), ref: 6C2727A6
            • SetThreadPriority.KERNEL32(00000000,000000FF,?,00000000), ref: 6C2727D7
            • LeaveCriticalSection.KERNEL32(6C3B1BF4,?,00000000), ref: 6C2727ED
            • PlaySoundW.WINMM(MenuCommand,00000000,00012002), ref: 6C27283E
            • Sleep.KERNEL32(00000005,00000000,6C3B1BF4,00000000,?,00000000,?,6C20AB85,00000001,00000000,?,?,6C20A81B,?,00000000,?), ref: 6C272869
            • PlaySoundW.WINMM(00000000,00000000,00000040), ref: 6C27287E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CriticalPlaySectionSound$EnterLeavePrioritySleepThread
            • String ID: MenuCommand$MenuPopup
            • API String ID: 2370138168-2036262055
            • Opcode ID: a200241a8d4a30df260e7bc58a11597dad4ebb9556bf1612eb359628558eabb9
            • Instruction ID: 2a84ce2de41735a8e56353598bc5c2f8876f3b2b4efe5c839a62f913046ca558
            • Opcode Fuzzy Hash: a200241a8d4a30df260e7bc58a11597dad4ebb9556bf1612eb359628558eabb9
            • Instruction Fuzzy Hash: DF31A6B5604209EBDA205F6A9C8CB5A377CD74373AF300316F934A6DD0D77788818AB5
            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C1E3CCE
            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C1E3CDE
            • EncodePointer.KERNEL32(00000000), ref: 6C1E3CE7
            • DecodePointer.KERNEL32(00000000), ref: 6C1E3CF5
            • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 6C1E3D1D
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
            • String ID: SetDefaultDllDirectories$\$kernel32.dll
            • API String ID: 2101061299-3881611067
            • Opcode ID: 74c4627981de54e2ed8b5421e0494e1465de801e96f6bab9bfaeca0087fdae52
            • Instruction ID: d5cac648d7487cbba96e9fdc96f090ddeb9d67912449b8416601fbcfc034cfa0
            • Opcode Fuzzy Hash: 74c4627981de54e2ed8b5421e0494e1465de801e96f6bab9bfaeca0087fdae52
            • Instruction Fuzzy Hash: 3F210231A41919A7CB229A758C48FDF37FCBF1E748F840866E816E3610E774D6468B91
            APIs
            • GetStockObject.GDI32(00000011), ref: 6C206186
            • GetStockObject.GDI32(0000000D), ref: 6C206192
            • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C2061A3
            • GetDC.USER32(00000000), ref: 6C2061B2
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C2061C9
            • MulDiv.KERNEL32(?,00000048,00000000), ref: 6C2061D5
            • ReleaseDC.USER32(00000000,00000000), ref: 6C2061E1
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$Stock$CapsDeviceRelease
            • String ID: System
            • API String ID: 46613423-3470857405
            • Opcode ID: 83e8f2506395b006dc755d24a9b7a35be6095aed147f91535dfca0ed866756ed
            • Instruction ID: d6f641fc91c0b6d0bd6145a893367ac9ec2a69cce6e063548a20e62f73316702
            • Opcode Fuzzy Hash: 83e8f2506395b006dc755d24a9b7a35be6095aed147f91535dfca0ed866756ed
            • Instruction Fuzzy Hash: D7118171740309ABEB009F95CC49FAE7BB9BB46746F40011AFA06DB281EB61D944C760
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$ActiveFocus$MessageSend
            • String ID: u
            • API String ID: 1556911595-4067256894
            • Opcode ID: cce804ed7cda077e7180fed4deac7f1180f7e7d8a6f4e7d15f154dbdf916469f
            • Instruction ID: dc6a52b52e7314b444a98705c21c51047911baf3d5ae7de19d116e4344b3ec19
            • Opcode Fuzzy Hash: cce804ed7cda077e7180fed4deac7f1180f7e7d8a6f4e7d15f154dbdf916469f
            • Instruction Fuzzy Hash: 5A11C432606A046BFB112F74CC4877A3779AB1D30AB208266F932C6D5BE739C840D7E0
            APIs
            • __EH_prolog3.LIBCMT ref: 6C2F5BE0
              • Part of subcall function 6C1FC870: EnterCriticalSection.KERNEL32(6C3B0410,?,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8A1
              • Part of subcall function 6C1FC870: InitializeCriticalSection.KERNEL32(00000000,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8B7
              • Part of subcall function 6C1FC870: LeaveCriticalSection.KERNEL32(6C3B0410,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8C5
              • Part of subcall function 6C1FC870: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8D2
            • GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6C2F5C2B
            • GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6C2F5C3E
            • GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6C2F5C51
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
            • String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
            • API String ID: 4229786687-1024936294
            • Opcode ID: 96310e848c6eb3e3fb987a1ad567a7e8985cd31b12cc513205111df84f7a4665
            • Instruction ID: b5d71183583f2644219fd651d7bf462a9aa306bf7eb2a9e3c7b2b76d69796e16
            • Opcode Fuzzy Hash: 96310e848c6eb3e3fb987a1ad567a7e8985cd31b12cc513205111df84f7a4665
            • Instruction Fuzzy Hash: DD017CB2A003059FDB31EFB4C915749B6F8BB16704F00062AE25ADAA80D7788005CF18
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1EC852
            • GetDesktopWindow.USER32 ref: 6C1EC898
            • GetWindow.USER32(00000000), ref: 6C1EC89F
            • IsWindowEnabled.USER32(00000000), ref: 6C1EC8AF
            • SendMessageW.USER32(00000000,0000036C,00000000,00000000), ref: 6C1EC8DA
            • EnableWindow.USER32(00000000,00000000), ref: 6C1EC8E6
            • GetWindow.USER32(00000000,00000002), ref: 6C1EC8FB
            • IsWindow.USER32(00000000), ref: 6C1EC998
            • EnableWindow.USER32(?,00000001), ref: 6C1EC9AD
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Enable$DesktopEnabledH_prolog3MessageSend
            • String ID:
            • API String ID: 1053735628-0
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1F3575
              • Part of subcall function 6C21F2D9: LoadCursorW.USER32(?,00007F00), ref: 6C21F33B
            • GetSystemMenu.USER32(?,00000000,00000000,00000000,6C390874,?,6C3A89DC), ref: 6C1F35E6
            • DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 6C1F3609
            • DeleteMenu.USER32(?,0000F020,00000000), ref: 6C1F3619
            • DeleteMenu.USER32(?,0000F030,00000000), ref: 6C1F3629
            • DeleteMenu.USER32(?,0000F120,00000000), ref: 6C1F3639
            • DeleteMenu.USER32(00000000,0000F060,00000000,0000F011), ref: 6C1F366C
            • AppendMenuW.USER32(00000000,00000000,0000F060,?), ref: 6C1F3680
            • SetParent.USER32(?,?), ref: 6C1F36CD
            Similarity
            • API ID: Menu$Delete$AppendCursorH_prolog3LoadParentSystem
            • String ID:
            • API String ID: 2353656248-0
            APIs
            • GetPropW.USER32(?,?), ref: 6C2055B2
            • GlobalLock.KERNEL32(00000000), ref: 6C2055BF
            • SendMessageW.USER32(?,00000476,00000000,00000000), ref: 6C2055DA
            • GlobalUnlock.KERNEL32(00000000), ref: 6C2055E5
            • RemovePropW.USER32(?), ref: 6C2055F4
            • GlobalFree.KERNEL32(00000000), ref: 6C2055FF
            • GlobalUnlock.KERNEL32(00000000), ref: 6C205621
            • GetAsyncKeyState.USER32(00000011), ref: 6C205632
            • SendMessageW.USER32(?,00000475,00000000,?), ref: 6C20565A
            Similarity
            • API ID: Global$MessagePropSendUnlock$AsyncFreeLockRemoveState
            • String ID:
            • API String ID: 723318029-0
            APIs
            • GetDlgItem.USER32(?,?), ref: 6C205AD5
            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C205AE4
            • IsWindowEnabled.USER32(00000000), ref: 6C205AF2
            • GetDlgItem.USER32(?,00003024), ref: 6C205B09
            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C205B15
            • IsWindowEnabled.USER32(?), ref: 6C205B25
            • GetFocus.USER32 ref: 6C205B46
            • IsWindowEnabled.USER32(00000000), ref: 6C205B4D
            • SetFocus.USER32(?), ref: 6C205B5A
            Similarity
            • API ID: Window$Enabled$FocusItemLong
            • String ID:
            • API String ID: 1558694495-0
            APIs
            • __allrem.LIBCMT ref: 6C32B3F6
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C32B412
            • __allrem.LIBCMT ref: 6C32B429
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C32B447
            • __allrem.LIBCMT ref: 6C32B45E
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C32B47C
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
            • String ID: !;l
            • API String ID: 1992179935-1785130986
            APIs
              • Part of subcall function 6C25AC24: GdipGetImagePixelFormat.GDIPLUS(?,6C3B1B70,00000000,00000000,?,6C25ADCC,F0C0CBE2,?,00000000,6C3B1B70), ref: 6C25AC32
              • Part of subcall function 6C25AC68: GdipGetImagePalette.GDIPLUS(?,00000000,?,?,?,6C25AEEB,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,F0C0CBE2), ref: 6C25AC77
            • GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,F0C0CBE2,?,00000000,6C3B1B70), ref: 6C25AFE0
            • GdipBitmapUnlockBits.GDIPLUS(?,?,?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,F0C0CBE2,?,00000000), ref: 6C25B090
            • GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6C25B0E2
            • GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000), ref: 6C25B0ED
            • GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000), ref: 6C25B0F8
            Similarity
            • API ID: Gdip$Image$BitmapBits$DeleteDisposeDrawFormatGraphicsLockPalettePixelUnlock
            • String ID: &$ &
            • API String ID: 1665940520-360661826
            APIs
            • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C1E6B11
            • GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 6C1E6B46
            • GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 6C1E6B6E
            • ScreenToClient.USER32(?,?), ref: 6C1E6BFA
            Similarity
            • API ID: AddressProc$ClientHandleModuleScreen
            • String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
            • API String ID: 471820996-2905070798
            APIs
            • __EH_prolog3_catch.LIBCMT ref: 6C209E51
              • Part of subcall function 6C257770: __EH_prolog3.LIBCMT ref: 6C257777
            • IsWindow.USER32(?), ref: 6C209F84
              • Part of subcall function 6C1F4F59: GetDlgCtrlID.USER32(?), ref: 6C1F4F64
            Similarity
            • API ID: CtrlH_prolog3H_prolog3_catchWindow
            • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
            • API String ID: 1537839037-190999575
            APIs
            • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C1E69A4
            • GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 6C1E69D9
            • GetProcAddress.KERNEL32(00000000,CloseTouchInputHandle), ref: 6C1E6A01
            • ScreenToClient.USER32(?,?), ref: 6C1E6AC9
            Similarity
            • API ID: AddressProc$ClientHandleModuleScreen
            • String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
            • API String ID: 471820996-1853737257
            APIs
            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C1F8689,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C1FF9E8
            • GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6C1FF9F8
            • EncodePointer.KERNEL32(00000000,?,?,6C1F8689,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C1FFA01
            • DecodePointer.KERNEL32(00000000,?,?,6C1F8689,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C1FFA0F
            • DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?,?,?,6C1F8689,?,00000000,?,?), ref: 6C1FFA5C
            Similarity
            • API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
            • String ID: DrawThemeTextEx$uxtheme.dll
            • API String ID: 1727381832-3035683158
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1F116D
            • OleDuplicateData.OLE32(?,?,00000000), ref: 6C1F11FE
            • GlobalLock.KERNEL32(00000000), ref: 6C1F1220
            • CopyMetaFileW.GDI32(?,00000000), ref: 6C1F122E
            • GlobalUnlock.KERNEL32(00000000), ref: 6C1F123C
            • GlobalFree.KERNEL32(00000000), ref: 6C1F1243
            • GlobalUnlock.KERNEL32(00000000), ref: 6C1F1250
              • Part of subcall function 6C1D9B7C: __EH_prolog3.LIBCMT ref: 6C1D9B83
            • CopyFileW.KERNEL32(?,?,00000000,?,?,00000054), ref: 6C1F13FC
            Similarity
            • API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3H_prolog3_LockMeta
            • String ID:
            • API String ID: 4039237054-0
            APIs
            • IsWindowEnabled.USER32(00000000), ref: 6C205029
            • EnableWindow.USER32(00000000,00000000), ref: 6C205035
            • GetCapture.USER32 ref: 6C205042
            • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C205051
            • EnableWindow.USER32(00000000,00000001), ref: 6C20512E
            • GetActiveWindow.USER32 ref: 6C205138
            • SetActiveWindow.USER32(00000000), ref: 6C205143
            • EnableWindow.USER32(00000000,00000001), ref: 6C205182
              • Part of subcall function 6C1E8DAA: UnhookWindowsHookEx.USER32(?), ref: 6C1E8DD4
            Similarity
            • API ID: Window$Enable$Active$CaptureEnabledHookMessageSendUnhookWindows
            • String ID:
            • API String ID: 1281840512-0
            APIs
            • GetClientRect.USER32(?,?), ref: 6C1E4D95
            • BeginDeferWindowPos.USER32(00000008), ref: 6C1E4DAB
            • GetTopWindow.USER32(?), ref: 6C1E4DBC
            • GetDlgCtrlID.USER32(00000000), ref: 6C1E4DC5
            • SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 6C1E4DFD
            • GetWindow.USER32(00000000,00000002), ref: 6C1E4E06
            • CopyRect.USER32(?,?), ref: 6C1E4E21
            • EndDeferWindowPos.USER32(00000000), ref: 6C1E4EB1
            Similarity
            • API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
            • String ID:
            • API String ID: 1228040700-0
            APIs
              • Part of subcall function 6C267E2D: ReleaseCapture.USER32 ref: 6C267E64
              • Part of subcall function 6C267E2D: IsWindow.USER32(?), ref: 6C267E93
              • Part of subcall function 6C267E2D: DestroyWindow.USER32(?), ref: 6C267EA3
            • SetRectEmpty.USER32(?), ref: 6C210A2B
            • ReleaseCapture.USER32 ref: 6C210A31
            • SetCapture.USER32(?,?,?,?,6C2089A2,?), ref: 6C210A44
            • GetCapture.USER32 ref: 6C210A83
            • ReleaseCapture.USER32 ref: 6C210A93
            • SetCapture.USER32(?,?,?,?,6C2089A2,?), ref: 6C210AA6
            • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C210B44
            • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C210B91
            Similarity
            • API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
            • String ID:
            • API String ID: 2209428161-0
            APIs
            • GlobalAlloc.KERNEL32(00000002,00000000,00000000,00000000,?,?,6C25F9C6,00000000,00000000,?,6C360D9C,?,6C25DCA3,?,?,?), ref: 6C25F9E2
            • GlobalLock.KERNEL32(00000000), ref: 6C25F9EF
            • GlobalUnlock.KERNEL32(00000000), ref: 6C25F9FA
            • GlobalFree.KERNEL32(00000000), ref: 6C25FA01
            • GlobalUnlock.KERNEL32(00000000), ref: 6C25FA1F
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 6C25FA2C
            • EnterCriticalSection.KERNEL32(6C3B1B70,00000000), ref: 6C25FA45
            • LeaveCriticalSection.KERNEL32(6C3B1B70,00000000), ref: 6C25FAAC
            Similarity
            • API ID: Global$CriticalSectionUnlock$AllocCreateEnterFreeLeaveLockStream
            • String ID:
            • API String ID: 295443201-0
            • Opcode ID: f93794b9e5644ccff395a8ed4e5f4d6778d518b78fee46ca154bc54ddca4bf85
            • Instruction ID: 0df97529f7d88411e62071708b55a40b4ca0d3b47429d55d2e5e2c9bfc685c0d
            • Opcode Fuzzy Hash: f93794b9e5644ccff395a8ed4e5f4d6778d518b78fee46ca154bc54ddca4bf85
            • Instruction Fuzzy Hash: 6831AB39301616ABCF01DF288818BAF3BBDAF5A35AF100115F90697750FB35D941CB99
            APIs
            • ScreenToClient.USER32(?,?), ref: 6C213D3E
            • GetParent.USER32(?), ref: 6C213D4E
            • GetClientRect.USER32(?,?), ref: 6C213D92
            • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C213DA4
            • PtInRect.USER32(?,?,?), ref: 6C213DB4
            • GetClientRect.USER32(?,?), ref: 6C213DE1
            • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C213DF3
            • PtInRect.USER32(?,?,?), ref: 6C213E03
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$Client$PointsWindow$ParentScreen
            • String ID:
            • API String ID: 1944725958-0
            • Opcode ID: 2b248cac32bb4ad61392ed7e82bf2d19d504ee86cd427796f28c24615a943dd6
            • Instruction ID: 4f016a47385e6b793ec79c5e317fc94b3dd72ffe66c6511e8a925017b275a752
            • Opcode Fuzzy Hash: 2b248cac32bb4ad61392ed7e82bf2d19d504ee86cd427796f28c24615a943dd6
            • Instruction Fuzzy Hash: 12319C32A1461EABCF019FA0C884DAE7BBEFF493057100229FA06DB650EB31DD158B91
            APIs
            • GetMenuItemCount.USER32(?), ref: 6C1F1083
            • GetMenuItemCount.USER32(?), ref: 6C1F108F
            • GetSubMenu.USER32(?,-00000001), ref: 6C1F10A6
            • GetMenuItemCount.USER32(00000000), ref: 6C1F10B9
            • GetSubMenu.USER32(00000000,00000000), ref: 6C1F10CA
            • RemoveMenu.USER32(00000000,00000000,00000400), ref: 6C1F10E4
            • GetSubMenu.USER32(?,00000000), ref: 6C1F10FB
            • RemoveMenu.USER32(?,-00000001,00000400), ref: 6C1F1116
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Menu$CountItem$Remove
            • String ID:
            • API String ID: 3494307843-0
            • Opcode ID: 414961832f2e3431a4127ddf7729387b14d1c7ce0743c4fcba7dc68fc1f31560
            • Instruction ID: e1be52e439ab61544b54bde75c048b6c9964555bb86fef3daeaf22add83755e2
            • Opcode Fuzzy Hash: 414961832f2e3431a4127ddf7729387b14d1c7ce0743c4fcba7dc68fc1f31560
            • Instruction Fuzzy Hash: E71167B160524AABDF015F26CD49B8F7FBDEB93346F304224F821A6411D771D9829BA0
            APIs
            • GetSystemMetrics.USER32(00000031), ref: 6C1F8185
            • GetSystemMetrics.USER32(00000032), ref: 6C1F8193
            • SetRectEmpty.USER32(?), ref: 6C1F81A6
            • EnumDisplayMonitors.USER32(00000000,00000000,6C1F894F,?,?,?), ref: 6C1F81B6
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C1F81C5
            • SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C1F81F2
            • SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C1F8206
            • SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C1F822C
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
            • String ID:
            • API String ID: 2614369430-0
            • Opcode ID: d414b1a49d4bfd87e19d3d7c5e8503e56950c295a4a619449611b7070a88e531
            • Instruction ID: c8d75044c17d06ec2f3b4fbe469fd465090be14fb7f40f03142ed689a664b90c
            • Opcode Fuzzy Hash: d414b1a49d4bfd87e19d3d7c5e8503e56950c295a4a619449611b7070a88e531
            • Instruction Fuzzy Hash: 38214AB1301616BFF7444F718888AE6FBBCFF0A346F10422AE958C6140E7B16895CBA1
            APIs
            • GlobalLock.KERNEL32(00000000), ref: 6C1E2E30
            • lstrcmpW.KERNEL32(00000000,?), ref: 6C1E2E49
            • OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6C1E2E5E
            • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C1E2E7E
            • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C1E2E86
            • GlobalLock.KERNEL32(00000000), ref: 6C1E2E94
            • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6C1E2EA5
            • ClosePrinter.WINSPOOL.DRV(?), ref: 6C1E2EBD
              • Part of subcall function 6C1F9896: GlobalFlags.KERNEL32(?), ref: 6C1F98A3
              • Part of subcall function 6C1F9896: GlobalUnlock.KERNEL32(?), ref: 6C1F98B1
              • Part of subcall function 6C1F9896: GlobalFree.KERNEL32(?), ref: 6C1F98BD
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
            • String ID:
            • API String ID: 168474834-0
            • Opcode ID: f91819ecff6e4fab4816324349b7efbffd4c0cae27b9873976947353889ba8b8
            • Instruction ID: 4b582b3a731c74f4e71fdf32f40983145a4193fd5d8306fc8e54c2bd1cd2862c
            • Opcode Fuzzy Hash: f91819ecff6e4fab4816324349b7efbffd4c0cae27b9873976947353889ba8b8
            • Instruction Fuzzy Hash: 39119071501A09BEEF129FA0CD99EAB7BBDEF04749B000529B61295920E732C990DB70
            APIs
            • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 00E2101E
            • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00E21029
            • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00E21035
            • __RTC_Initialize.LIBCMT ref: 00E2104D
            • _configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00E217FA), ref: 00E21062
              • Part of subcall function 00E2155C: InitializeSListHead.KERNEL32(00E230C0,00E21072), ref: 00E21561
            • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_0000154F), ref: 00E21080
            • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 00E2109B
            • _initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E210AA
            Memory Dump Source
            • Source File: 00000003.00000002.1780458776.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
            • Associated: 00000003.00000002.1780443399.0000000000E20000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780486959.0000000000E23000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E24000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E66000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_e20000_Update.jbxd
            Similarity
            • API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
            • String ID:
            • API String ID: 1933938900-0
            • Opcode ID: a19b1ee01c4d4b1e6da4dd8aaac53ce8f9ce2352db620f55e16d8f8334ca09ac
            • Instruction ID: ae8951e2c53a8ddab4a05928b743a991865cf74f0657fb24bda176d46ab8d010
            • Opcode Fuzzy Hash: a19b1ee01c4d4b1e6da4dd8aaac53ce8f9ce2352db620f55e16d8f8334ca09ac
            • Instruction Fuzzy Hash: EA014F45AC03B554D9243BF93907E9E42D90FF1794B2539D6B913B6083ED55878040B3
            APIs
            • GlobalSize.KERNEL32(?), ref: 6C1F14B6
            • GlobalAlloc.KERNEL32(00002002,00000000,?,?,6C1F1429,?,?,00000054), ref: 6C1F14CE
            • GlobalLock.KERNEL32(?), ref: 6C1F14DE
            • GlobalLock.KERNEL32(?), ref: 6C1F14E7
            • GlobalSize.KERNEL32(?), ref: 6C1F14F4
              • Part of subcall function 6C1E07DA: _memcpy_s.LIBCMT ref: 6C1E07E9
            • GlobalUnlock.KERNEL32(?), ref: 6C1F1505
            • GlobalUnlock.KERNEL32(?), ref: 6C1F150E
            • GlobalSize.KERNEL32(?), ref: 6C1F151E
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Global$Size$LockUnlock$Alloc_memcpy_s
            • String ID:
            • API String ID: 3833998449-0
            • Opcode ID: e6376ac4ab7e7feddd7634eaa6f3d0e258a7e9ea2c2abbcbc0247ac689b70ee3
            • Instruction ID: b991d589c33e5eea253ce5bda8827adf4920f08953654d6d405f25e533bd6007
            • Opcode Fuzzy Hash: e6376ac4ab7e7feddd7634eaa6f3d0e258a7e9ea2c2abbcbc0247ac689b70ee3
            • Instruction Fuzzy Hash: 2D012172602214FBDB112FB59C8C89E7EBCFB1A2A67544724F91791311E6328D518BB0
            APIs
            • GetSystemMetrics.USER32(0000000B), ref: 6C1FCAD5
            • GetSystemMetrics.USER32(0000000C), ref: 6C1FCAE0
            • GetSystemMetrics.USER32(00000002), ref: 6C1FCAEB
            • GetSystemMetrics.USER32(00000003), ref: 6C1FCAF9
            • GetDC.USER32(00000000), ref: 6C1FCB07
            • GetDeviceCaps.GDI32(00000000,00000058), ref: 6C1FCB12
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C1FCB1E
            • ReleaseDC.USER32(00000000,00000000), ref: 6C1FCB2A
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MetricsSystem$CapsDevice$Release
            • String ID:
            • API String ID: 1151147025-0
            • Opcode ID: 2165afb98ae158707be14fceb394ddd2dca1906c4e01f41b06ddb70ec6c7bd91
            • Instruction ID: c660b7763b8ce2e84c1adab65e01ad34c976aa0b5bd97e024f3786b19bfd5438
            • Opcode Fuzzy Hash: 2165afb98ae158707be14fceb394ddd2dca1906c4e01f41b06ddb70ec6c7bd91
            • Instruction Fuzzy Hash: C2F0B771B41714ABEB106FB1894DB5A7F78FB46713F004A29F642DE180EBB684818F90
            APIs
            • OffsetRect.USER32(?,00000000,?), ref: 6C1DF8B4
            • OffsetRect.USER32(?,?,00000000), ref: 6C1DF8D4
            • SetCapture.USER32(?), ref: 6C1DF947
            • RedrawWindow.USER32(?,00000000,00000000,00000180,00000000), ref: 6C1DF966
            • ReleaseCapture.USER32 ref: 6C1DF9F4
            • OffsetRect.USER32(?,000000FF,000000FF), ref: 6C1DFA6A
            • OffsetRect.USER32(?,000000FF,000000FF), ref: 6C1DFA7B
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: OffsetRect$Capture$RedrawReleaseWindow
            • String ID:
            • API String ID: 1110970518-0
            • Opcode ID: 89c3a73a57daa8e0bd2bb4309507b045b10030fea4e0f37bcdda3f8c3c3cac6c
            • Instruction ID: 20f305d6e90efd650b091ba7c1c62a9a848bac9f70a066e6031a90df5a3689ed
            • Opcode Fuzzy Hash: 89c3a73a57daa8e0bd2bb4309507b045b10030fea4e0f37bcdda3f8c3c3cac6c
            • Instruction Fuzzy Hash: EED15C357006249FCF048F68C8A8BED3BB9BF59310F1901B9ED1A9B385CF74A9458B95
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: _strrchr
            • String ID:
            • API String ID: 3213747228-0
            • Opcode ID: dce1a1d4e96a144ba9a677b3921edf5527b7a6c4dc94a3a55d8ad5bf03e6a6d9
            • Instruction ID: c59bd29084502c646eb68975b30742b04cac99bbcb2b8ddc84b54573f9546226
            • Opcode Fuzzy Hash: dce1a1d4e96a144ba9a677b3921edf5527b7a6c4dc94a3a55d8ad5bf03e6a6d9
            • Instruction Fuzzy Hash: 2CB16632A053E5DFEB158E28C980BEE7FA4EF07318F145155E908AB781D3359901CFA1
            APIs
            • type_info::operator==.LIBVCRUNTIME ref: 6C331B6E
            • CallUnexpected.LIBVCRUNTIME ref: 6C331DE7
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CallUnexpectedtype_info::operator==
            • String ID: ^5l$csm$csm$csm
            • API String ID: 2673424686-3229547909
            • Opcode ID: 68414a572f78bfce0c6471394469c9b03322276334c699cbed7d82ba723764b7
            • Instruction ID: 68ec6a9235bc76b419b0d3207bccf627f05b02213e852bf543d6b1719ae7da54
            • Opcode Fuzzy Hash: 68414a572f78bfce0c6471394469c9b03322276334c699cbed7d82ba723764b7
            • Instruction Fuzzy Hash: F3B1CB719002A8DFCF15CFA0C8809EEBBB5FF05318F14515AE8186BA21D736DA65CF92
            APIs
            • __EH_prolog3_catch.LIBCMT ref: 6C2F58DE
              • Part of subcall function 6C2F5BA1: OleGetClipboard.OLE32(00000000), ref: 6C2F5BB7
            • ReleaseStgMedium.OLE32(?), ref: 6C2F5962
            • ReleaseStgMedium.OLE32(?), ref: 6C2F59A9
            • ReleaseStgMedium.OLE32(?), ref: 6C2F59B8
            • CoTaskMemFree.OLE32(?,?,00000000,?,00000040,6C26068C,?,00000000,00000000,0000005C), ref: 6C2F5A68
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask
            • String ID: '
            • API String ID: 3213536121-1997036262
            • Opcode ID: 4aabab3f4ced79eadce8df472d8f56409a3cc2229f40c5f777f3daaf2f8d943a
            • Instruction ID: 82150933e1fbb03f9624e405a88ddff6153dbd70ef2076d41a3d8ca7c0db7255
            • Opcode Fuzzy Hash: 4aabab3f4ced79eadce8df472d8f56409a3cc2229f40c5f777f3daaf2f8d943a
            • Instruction Fuzzy Hash: B051847194120EDBDF00DFB8C494AEDFBB9AF49319F148029E921A7740DB71DA46CB60
            APIs
              • Part of subcall function 6C216B59: IsWindow.USER32(?), ref: 6C216B65
            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C1EB82F
              • Part of subcall function 6C2171D7: GetClientRect.USER32(?,?), ref: 6C2171FF
              • Part of subcall function 6C2171D7: PtInRect.USER32(?,00000000,?), ref: 6C217219
            • ScreenToClient.USER32(?,?), ref: 6C1EB6FC
            • PtInRect.USER32(?,?,?), ref: 6C1EB70F
            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C1EB741
            • GetParent.USER32(?), ref: 6C1EB771
            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C1EB7EF
            • GetFocus.USER32 ref: 6C1EB7F5
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageRectSend$Client$FocusParentScreenWindow
            • String ID:
            • API String ID: 1639644240-0
            • Opcode ID: 9eb8818b49a8d1e3a64413584f284a976f1c4a7adf8205c9c8e72b46c5afd11e
            • Instruction ID: 9de2411f8a4cda2975f3ec6990c24f92baa628aa362fac908be8862cb2c1fb45
            • Opcode Fuzzy Hash: 9eb8818b49a8d1e3a64413584f284a976f1c4a7adf8205c9c8e72b46c5afd11e
            • Instruction Fuzzy Hash: A7516931E00A1AABDF00CFA5C844EAEBBB9FF4D708B10416AE815E7B50DB35D911CB94
            APIs
              • Part of subcall function 6C260644: __EH_prolog3_catch.LIBCMT ref: 6C26064B
            • UpdateWindow.USER32(?), ref: 6C20D992
            • EqualRect.USER32(?,?), ref: 6C20D9D2
            • InflateRect.USER32(?,00000002,00000002), ref: 6C20D9EA
            • InvalidateRect.USER32(?,?,00000001), ref: 6C20D9F9
            • InflateRect.USER32(?,00000002,00000002), ref: 6C20DA10
            • InvalidateRect.USER32(?,?,00000001), ref: 6C20DA22
            • UpdateWindow.USER32(?), ref: 6C20DA2B
              • Part of subcall function 6C20C10A: InvalidateRect.USER32(?,?,00000001,?), ref: 6C20C181
              • Part of subcall function 6C20C10A: InflateRect.USER32(?,00000000,?), ref: 6C20C1C7
              • Part of subcall function 6C20C10A: RedrawWindow.USER32(?,?,00000000,00000401), ref: 6C20C1DB
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
            • String ID:
            • API String ID: 1041772997-0
            • Opcode ID: b3a68a97168f70adcacf929997c93ddf3876c6ba7b18eddb92b0adf205e4819f
            • Instruction ID: 68e524376934d1349d60a6654053c9eb2e83cc3f4f0c7d4c744baccf7e2b01e4
            • Opcode Fuzzy Hash: b3a68a97168f70adcacf929997c93ddf3876c6ba7b18eddb92b0adf205e4819f
            • Instruction Fuzzy Hash: 3C517175A0061A9FCF00CF64C885BAE3BB9BF49715F140279EC16DB291DB719901CBA0
            APIs
            • GetParent.USER32(?), ref: 6C1E51EF
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6C1E5211
            • UpdateWindow.USER32(?), ref: 6C1E522B
            • SendMessageW.USER32(00000000,00000121,00000001,?), ref: 6C1E5251
            • SendMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C1E5269
            • UpdateWindow.USER32(?), ref: 6C1E52B6
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6C1E5300
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Message$Window$PeekSendUpdate$LongParent
            • String ID:
            • API String ID: 2853195852-0
            • Opcode ID: 9a62e183c1e41d66b69efb9c9033c11c8ea2bff828d866251578b17454128fcf
            • Instruction ID: 7e4a63d02ac526782cb51b9254449b5c0496470e9b14c1cb04b3deb89ab0ce43
            • Opcode Fuzzy Hash: 9a62e183c1e41d66b69efb9c9033c11c8ea2bff828d866251578b17454128fcf
            • Instruction Fuzzy Hash: FC41A471B05A0AEFEB048FB5C848BAE7BB9FF19749F108158E811D7990D770DD418B90
            APIs
            • GetAsyncKeyState.USER32(00000012), ref: 6C22A7EA
            • GetAsyncKeyState.USER32(00000012), ref: 6C22A808
            • GetKeyboardState.USER32(?), ref: 6C22A83A
            • GetKeyboardLayout.USER32(?), ref: 6C22A84D
            • MapVirtualKeyW.USER32(?,00000000), ref: 6C22A858
            • ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000001,00000000), ref: 6C22A873
            • CharUpperW.USER32(?), ref: 6C22A889
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual
            • String ID:
            • API String ID: 298839909-0
            • Opcode ID: 90e00fdbe7b1bc8c8479b8cd4172dba00a25e1d708ed07a17304a20a3d3a39d9
            • Instruction ID: f8d3a7bc67c3d25c06177a4a23facb589ac7c4c193e3b2293c62164615b01858
            • Opcode Fuzzy Hash: 90e00fdbe7b1bc8c8479b8cd4172dba00a25e1d708ed07a17304a20a3d3a39d9
            • Instruction Fuzzy Hash: 13411F7570010DDBDB00DB218844BEEB7BCEF51745F11406AF995EBE40EBB489869BA2
            APIs
            • _ValidateLocalCookies.LIBCMT ref: 6C31BE97
            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C31BE9F
            • _ValidateLocalCookies.LIBCMT ref: 6C31BF28
            • __IsNonwritableInCurrentImage.LIBCMT ref: 6C31BF53
            • _ValidateLocalCookies.LIBCMT ref: 6C31BFA8
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
            • String ID: csm
            • API String ID: 1170836740-1018135373
            • Opcode ID: df1bbbcccc097efa865717eea1ea55794311f9ec3f98763f76760a5ec59b1b0d
            • Instruction ID: e75ec5a0cd45e1329add355c1736fdd1afb64bb41ef8f643b7f764cea0ece032
            • Opcode Fuzzy Hash: df1bbbcccc097efa865717eea1ea55794311f9ec3f98763f76760a5ec59b1b0d
            • Instruction Fuzzy Hash: 6E419D74A052599FCF048F68C844ADE7BB5AF0532CF108195E9199FB91D732DA05CFA2
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C26674D
            • CopyRect.USER32(?,?), ref: 6C2667FB
            • IsRectEmpty.USER32(?), ref: 6C266813
            • IsRectEmpty.USER32(?), ref: 6C26682B
            • IsRectEmpty.USER32(?), ref: 6C266840
              • Part of subcall function 6C1F84C0: __EH_prolog3.LIBCMT ref: 6C1F84C7
              • Part of subcall function 6C1F84C0: LoadCursorW.USER32(00000000,00007F00), ref: 6C1F84EB
              • Part of subcall function 6C1F84C0: GetClassInfoW.USER32(?,?,?), ref: 6C1F8526
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$Empty$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
            • String ID: Afx:ControlBar
            • API String ID: 685170547-4244778371
            • Opcode ID: ad8e27a67ef1d2c86c5869afcf86214390621fbb6a622e348d4a447c6baffd03
            • Instruction ID: bfc5ff1506a05253859b26f2e29d5c389d9452fd82aafc4d627ac58510e5acf2
            • Opcode Fuzzy Hash: ad8e27a67ef1d2c86c5869afcf86214390621fbb6a622e348d4a447c6baffd03
            • Instruction Fuzzy Hash: 6641E471A002199BDF01DFA5C894BEE7BB9AF4A308F154069FC05FB740DB75A949CB60
            APIs
            • GetClientRect.USER32(?,?), ref: 6C1F33AB
            • IsThemeBackgroundPartiallyTransparent.UXTHEME(?,00000006,00000000), ref: 6C1F33C6
            • DrawThemeParentBackground.UXTHEME(?,?,?), ref: 6C1F33DA
            • SetRectEmpty.USER32(?), ref: 6C1F33EB
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C1F33F9
            • DrawThemeBackground.UXTHEME(?,?,00000006,00000000,?,00000000), ref: 6C1F342F
            • CopyRect.USER32(?,?), ref: 6C1F3494
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: BackgroundRectTheme$Draw$ClientCopyEmptyInfoParametersParentPartiallySystemTransparent
            • String ID:
            • API String ID: 2388076383-0
            • Opcode ID: 53d0ca3e472d62ed3386bcad1f3d476327842e449b9ec1809c237a6379139fa9
            • Instruction ID: ee15691ef4723e8eb1e03d00ceee576278bb677e2e5891842daf2196b1bc58d7
            • Opcode Fuzzy Hash: 53d0ca3e472d62ed3386bcad1f3d476327842e449b9ec1809c237a6379139fa9
            • Instruction Fuzzy Hash: 86418371A00609AFDB01DFA4C944AEFB7FDFF09244F10452AE956A7100E771AE45CB60
            APIs
              • Part of subcall function 6C1F07A6: GetParent.USER32(00000024), ref: 6C1F0803
              • Part of subcall function 6C1F07A6: GetLastActivePopup.USER32(00000024), ref: 6C1F0816
              • Part of subcall function 6C1F07A6: IsWindowEnabled.USER32(00000024), ref: 6C1F082A
              • Part of subcall function 6C1F07A6: EnableWindow.USER32(00000024,00000000), ref: 6C1F083D
            • EnableWindow.USER32(?,00000001), ref: 6C1F08C5
            • GetWindowThreadProcessId.USER32(?,?), ref: 6C1F08DB
            • GetCurrentProcessId.KERNEL32 ref: 6C1F08E5
            • SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6C1F08FB
            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6C1F0986
            • MessageBoxW.USER32(?,?,?,6C1D7FF4), ref: 6C1F09A8
            • EnableWindow.USER32(00000000,00000001), ref: 6C1F09CD
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
            • String ID:
            • API String ID: 1924968399-0
            • Opcode ID: 3a164ac612f0f63b7e6ed84cc37e64186d174d4626413d4be5e974a53af3ba5c
            • Instruction ID: fee23529b1ef22b345944db76a0f2c0d6af74da119ca1f4730913697b0e4b58d
            • Opcode Fuzzy Hash: 3a164ac612f0f63b7e6ed84cc37e64186d174d4626413d4be5e974a53af3ba5c
            • Instruction Fuzzy Hash: 79417EB1A4125D9BEB109F68CC88BEAB7F8BB15704F1001A9E57DE7650E7718E82CF50
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1FB615
            • CreateCompatibleDC.GDI32(?), ref: 6C1FB644
            • GetClientRect.USER32(?,?), ref: 6C1FB661
            • SelectObject.GDI32(?,?), ref: 6C1FB69A
            • BitBlt.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020), ref: 6C1FB6C1
            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C1FB747
            • SelectObject.GDI32(?,00000000), ref: 6C1FB755
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ObjectSelect$ClientCompatibleCreateH_prolog3_Rect
            • String ID:
            • API String ID: 1651110115-0
            • Opcode ID: 70a75a81ecb4c142cd9249eb156e6270ce32ce293e1aef5063a314648478cfc8
            • Instruction ID: a42ab4afbfd9ae0c085d39f2a7008119a89946b23d1f6538fb5b04cfbd1f0d95
            • Opcode Fuzzy Hash: 70a75a81ecb4c142cd9249eb156e6270ce32ce293e1aef5063a314648478cfc8
            • Instruction Fuzzy Hash: FE41F271A00209AFEF04DFA4CD95FEEBBB9FF58704F104119F512A6290DB716A05CB60
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1F4C6C
            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 6C1F4D71
            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C1F4D8E
            • RegCloseKey.ADVAPI32(?), ref: 6C1F4DAF
            • RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6C1F4DCA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CloseEnumH_prolog3_OpenQueryValue
            • String ID: Software\
            • API String ID: 1666054129-964853688
            • Opcode ID: 96abfbab2767a423496bea83b2055491c8e0838b7e03b8790177b014cd206c4f
            • Instruction ID: 78fd4750c748e37f3ab67d5791436952b433740e83aff4432f8aab4c85f9ff99
            • Opcode Fuzzy Hash: 96abfbab2767a423496bea83b2055491c8e0838b7e03b8790177b014cd206c4f
            • Instruction Fuzzy Hash: 0A417172902129BBDF11DBA0DDA8BEE76BCEF09318F1401E9E515A3640DB349E85CF64
            APIs
            • __EH_prolog3_catch_GS.LIBCMT ref: 6C1F4ACB
            • RegOpenKeyExW.ADVAPI32(?,00000010,00000000,0002001F,?,00000228), ref: 6C1F4B71
              • Part of subcall function 6C1F49FF: __EH_prolog3.LIBCMT ref: 6C1F4A06
            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C1F4B95
            • RegCloseKey.ADVAPI32(?), ref: 6C1F4C4A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CloseEnumH_prolog3H_prolog3_catch_Open
            • String ID: Software\Classes\
            • API String ID: 854624316-1121929649
            • Opcode ID: 963096172c828f936bddc657bfdb8aaa9ebb0eea52e37dfbabdb7355783f150f
            • Instruction ID: 54c9a91ac3f4707482b9718734d177795393884ceb8c3310fd31108edbec3b6b
            • Opcode Fuzzy Hash: 963096172c828f936bddc657bfdb8aaa9ebb0eea52e37dfbabdb7355783f150f
            • Instruction Fuzzy Hash: 0041D032901208ABDB11DBA4DA98BDDB7F8AF54314F1141D5E929A3741DB34AA8ACF10
            APIs
            • SetFocus.USER32(00000000,00000000), ref: 6C1EE9B3
            • GetParent.USER32(?), ref: 6C1EE9C1
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 6C1EE9DC
            • GetCurrentProcessId.KERNEL32 ref: 6C1EE9E2
            • GetActiveWindow.USER32 ref: 6C1EEA41
            • SendMessageW.USER32(?,00000006,00000001,00000000), ref: 6C1EEA52
            • SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6C1EEA6C
              • Part of subcall function 6C1F525D: EnableWindow.USER32(?,00000024), ref: 6C1F526E
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
            • String ID:
            • API String ID: 2169720751-0
            • Opcode ID: 84dd955a736ecb2a1b355218922580990f16e7c9e71eed87c9e173d8b2ed8acd
            • Instruction ID: f59609c1c417ba6d82293790bd64744c13fa70d1fef5a605eef91a893844fbbb
            • Opcode Fuzzy Hash: 84dd955a736ecb2a1b355218922580990f16e7c9e71eed87c9e173d8b2ed8acd
            • Instruction Fuzzy Hash: B731D231340A28EBEF159F20CC88B9C7BB9BF5A746F104158F542D76D0DBB0AA84CB95
            APIs
            • LockWindowUpdate.USER32(00000000,00000004,00000004), ref: 6C248A63
            • ValidateRect.USER32(?,00000000,0000E800), ref: 6C248A9F
            • UpdateWindow.USER32(?), ref: 6C248AA8
            • LockWindowUpdate.USER32(00000000), ref: 6C248AB9
            • ValidateRect.USER32(?,00000000,0000E800), ref: 6C248AE7
            • UpdateWindow.USER32(?), ref: 6C248AF0
            • LockWindowUpdate.USER32(00000000), ref: 6C248B01
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: UpdateWindow$Lock$RectValidate
            • String ID:
            • API String ID: 797752328-0
            • Opcode ID: a2e506e625b6c35abc82af48722ddfb649414010e3005fb8865ab1c6a981f1b7
            • Instruction ID: d682f4e10bcdf7bd6306354da680fb00d91cda0db14f540111c3d78f7d1ed645
            • Opcode Fuzzy Hash: a2e506e625b6c35abc82af48722ddfb649414010e3005fb8865ab1c6a981f1b7
            • Instruction Fuzzy Hash: 34318F3262171AEFDB048F64C844B4A7BF9FB45706F20866AFC56E7650EBB1D940CB90
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1DA02B
            • GetClassNameW.USER32(?,?,000000FF), ref: 6C1DA085
            • IsAppThemed.UXTHEME(?,?,00000001,?), ref: 6C1DA116
            • GetStockObject.GDI32(00000005), ref: 6C1DA127
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClassH_prolog3_NameObjectStockThemed
            • String ID: Button$Static
            • API String ID: 2434646892-2498952662
            • Opcode ID: 2ad96c39dc238ffa7aea822c83b21b070c361d76ad1753787195674a76a77061
            • Instruction ID: f7271c109f40917f38cd39f0c707646ecf16c93f5af34547453c1b7e66187705
            • Opcode Fuzzy Hash: 2ad96c39dc238ffa7aea822c83b21b070c361d76ad1753787195674a76a77061
            • Instruction Fuzzy Hash: 5131C332A412199FDF14DF54C898BDA73B4EF29318F164199D519A7A80EF30FA88CF61
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1E4ED2
            • GetTopWindow.USER32(?), ref: 6C1E4EFF
            • GetDlgCtrlID.USER32(00000000), ref: 6C1E4F11
            • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6C1E4F6C
            • GetWindow.USER32(00000000,00000002), ref: 6C1E4FAE
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$CtrlH_prolog3MessageSend
            • String ID: pt5l
            • API String ID: 849854284-4290138313
            • Opcode ID: 986e6b4a3fa4cb9cebfaaa6415f3486322f1963094c256a0198f1f6766c714dc
            • Instruction ID: c26b770ef106fc2fdbd8faa7911ab55e90096abd50fd7a8e6b350f215c2dc122
            • Opcode Fuzzy Hash: 986e6b4a3fa4cb9cebfaaa6415f3486322f1963094c256a0198f1f6766c714dc
            • Instruction Fuzzy Hash: 2F21F775901A146BEF128FA5CD40FEE77BABF5A708F100295F925E2A50EB308A46CB51
            APIs
            • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000,00000000,?,00000000), ref: 6C1F40EE
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C1F411A
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C1F4146
            • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C1F4158
            • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C1F4167
              • Part of subcall function 6C1F3980: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C1F3991
              • Part of subcall function 6C1F3980: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C1F39A1
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CloseCreate$AddressHandleModuleOpenProc
            • String ID: software
            • API String ID: 550756860-2010147023
            • Opcode ID: 8193e0120c383baf8835028583f95b9fbf9f8a2f2b4bdcd1e2a9a58d537190ec
            • Instruction ID: f16381931dd6cc01b8eea42a93b18f4527b8fcecde2573f66696a41b30f6748d
            • Opcode Fuzzy Hash: 8193e0120c383baf8835028583f95b9fbf9f8a2f2b4bdcd1e2a9a58d537190ec
            • Instruction Fuzzy Hash: B2218B72A05118BFDB009F94DE44EFF7BBDEB52709F10016AF920E3600E7319A469BA1
            APIs
            • FreeLibrary.KERNEL32(00000000,?,6C334A6C,6C1C22CA,00000000,00000000,6C1F5BE4,6C1C22CC,?,6C3345C6,00000022,FlsSetValue,6C37C124,6C37C12C,6C1F5BE4), ref: 6C334A1E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID: api-ms-$ext-ms-
            • API String ID: 3664257935-537541572
            • Opcode ID: 54a9c687894d4a6aea208c60f4ffa6497cc26e36d99d212d0b1dd3fc0a62b6a8
            • Instruction ID: 308895b605a82a8e2f8b5261f8145a964638c7239f42a32861f28c652417f777
            • Opcode Fuzzy Hash: 54a9c687894d4a6aea208c60f4ffa6497cc26e36d99d212d0b1dd3fc0a62b6a8
            • Instruction Fuzzy Hash: E321D8356012B1A7D7119B65CC84A4A3B7CDB423A8F251310E85AB7680E737ED00CFE4
            APIs
            • RealChildWindowFromPoint.USER32(?,?,?,?,?,?,6C1E117C,?,?,?), ref: 6C1F97BA
            • ClientToScreen.USER32(?,?), ref: 6C1F97D4
            • GetWindow.USER32(?,00000005), ref: 6C1F9826
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$ChildClientFromPointRealScreen
            • String ID:
            • API String ID: 2518355518-0
            • Opcode ID: 4f81547f6b534d66ca519fc5cb4db95c58f200cc572f228088396b4d1bf8f587
            • Instruction ID: ad334faa958ff1d5085498f525286e9f26b53f150c823ad8f7b40c4f08632a27
            • Opcode Fuzzy Hash: 4f81547f6b534d66ca519fc5cb4db95c58f200cc572f228088396b4d1bf8f587
            • Instruction Fuzzy Hash: C4119631A0161DABDB01DFA4CC58EAF77FCEF4A711F510225F411E3140EB359A928BA1
            APIs
            • GetParent.USER32(?), ref: 6C1E8CC6
            • GetWindowRect.USER32(?,?), ref: 6C1E8CE4
            • ScreenToClient.USER32(?,?), ref: 6C1E8CF1
            • ScreenToClient.USER32(?,?), ref: 6C1E8CFE
            • EqualRect.USER32(?,?), ref: 6C1E8D09
            • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 6C1E8D30
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,00000000), ref: 6C1E8D3A
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Window$ClientRectScreen$DeferEqualParent
            • String ID:
            • API String ID: 443303494-0
            • Opcode ID: a06237a04d14005375aa96beb4b25b9451412b4758734e4eca992aef4e55f421
            • Instruction ID: 8532fe400d4c49f574f780575758b711e729ac2750b66fd495b290cc88319264
            • Opcode Fuzzy Hash: a06237a04d14005375aa96beb4b25b9451412b4758734e4eca992aef4e55f421
            • Instruction Fuzzy Hash: 15213675A01509EFDF00DFA8C885EAEBBBCFF1A705B50421AF901EB154E771A940CBA1
            APIs
            • SelectObject.GDI32(00000000,?), ref: 6C25CA0B
              • Part of subcall function 6C1F9631: DeleteObject.GDI32(6C1E13E5), ref: 6C1F9643
            • SelectObject.GDI32(?,?), ref: 6C25CA20
            • DeleteObject.GDI32(00000000), ref: 6C25CA81
            • DeleteDC.GDI32(00000000), ref: 6C25CA90
            • LeaveCriticalSection.KERNEL32(6C3B1B70), ref: 6C25CAA7
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Object$Delete$Select$CriticalLeaveSection
            • String ID:
            • API String ID: 3849354926-3916222277
            • Opcode ID: d530d0dcba51d2c8152e90c4e65d23d4d892cadf4af775ac4b8cd45bbd2b227b
            • Instruction ID: 5bea6db816d9228f003f9c5adb78e8c567c3617ae596c9b52d59e75822f9f306
            • Opcode Fuzzy Hash: d530d0dcba51d2c8152e90c4e65d23d4d892cadf4af775ac4b8cd45bbd2b227b
            • Instruction Fuzzy Hash: 9321213560020ADFCF00FF64C884B963B79BF4632AF604624FD159A5AAF771A895CB50
            APIs
            • IsWindow.USER32(00000000), ref: 6C1E7D18
            • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6C1E7D40
            • SizeofResource.KERNEL32(?,00000000), ref: 6C1E7D52
            • LoadResource.KERNEL32(?,00000000), ref: 6C1E7D5E
            • LockResource.KERNEL32(00000000), ref: 6C1E7D69
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Resource$FindLoadLockSizeofWindow
            • String ID: AFX_DIALOG_LAYOUT
            • API String ID: 2582447065-2436846380
            • Opcode ID: 8959e2cee035297c1670a04e7e9c46ce35b61236efabcc301f5e74d7e3f09299
            • Instruction ID: 97e0b2c1d03ba6da1a1bbcc809758213d28d795e6e55753dfe5652ed87d696be
            • Opcode Fuzzy Hash: 8959e2cee035297c1670a04e7e9c46ce35b61236efabcc301f5e74d7e3f09299
            • Instruction Fuzzy Hash: 81117C71601B04ABFB015EA48C48FBABAECFF4D659B104126E819D2642EB75C9408BA0
            APIs
            • __EH_prolog3.LIBCMT ref: 6C23C590
              • Part of subcall function 6C1D9B7C: __EH_prolog3.LIBCMT ref: 6C1D9B83
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: H_prolog3
            • String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
            • API String ID: 431132790-2717817858
            • Opcode ID: 9f2bbd71c046639597251750b6982457df3251bdaa2e192a8957f2e6ec2369ef
            • Instruction ID: 577ef1d6ba66f356a1fc081c4580958f71d3bfdb9f790b095ca68fbba593f4d2
            • Opcode Fuzzy Hash: 9f2bbd71c046639597251750b6982457df3251bdaa2e192a8957f2e6ec2369ef
            • Instruction Fuzzy Hash: 0811CBB650111AD7CB00EBB8C955BFE7B75AF40A28F254307E915ABB80CF349A45CB61
            APIs
            • GetModuleHandleW.KERNEL32(user32.dll,?,?,00000000,?,6C1E643E,00000000,00000000), ref: 6C1E6DC5
            • GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 6C1E6DD7
            • GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 6C1E6DE5
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: AddressProc$HandleModule
            • String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
            • API String ID: 667068680-2470269259
            • Opcode ID: 704749a2d3900803bb418707bfa1aeedf59b20a26cb543536c161bf4f25d8d6b
            • Instruction ID: 38bf7d4065c091c6c0ab5d378a9eb625eb292a207ab52e52ef29680eefe5e862
            • Opcode Fuzzy Hash: 704749a2d3900803bb418707bfa1aeedf59b20a26cb543536c161bf4f25d8d6b
            • Instruction Fuzzy Hash: 7C01D632601A1EAFCB059E65CC48A9A7AE9FF2D729F400035FA0AD2A40DF7588108AD0
            APIs
            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C1F722C,00000001,?,00000002,00000000,?), ref: 6C1FFB21
            • GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 6C1FFB31
            • EncodePointer.KERNEL32(00000000,?,6C1F722C,00000001,?,00000002,00000000,?), ref: 6C1FFB3A
            • DecodePointer.KERNEL32(00000000,?,?,6C1F722C,00000001,?,00000002,00000000,?), ref: 6C1FFB48
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: BeginBufferedPaint$uxtheme.dll
            • API String ID: 2061474489-1632326970
            • Opcode ID: 05d6c53822cb8f9427be4249232bc7cd01a8143e0cc8e7079f8982b4e4b9550a
            • Instruction ID: ce68ea07fae2ad4f83ff6b45039a5388bfe1dafd2213597990d130a21daa423e
            • Opcode Fuzzy Hash: 05d6c53822cb8f9427be4249232bc7cd01a8143e0cc8e7079f8982b4e4b9550a
            • Instruction Fuzzy Hash: 74F06D7660621AABCF129F648E18C9A3BFCAB1A785B000050F936D2610E735D911CFA4
            APIs
            • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C1FFE7C
            • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C1FFE8C
            • EncodePointer.KERNEL32(00000000), ref: 6C1FFE95
            • DecodePointer.KERNEL32(00000000), ref: 6C1FFEA3
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: TaskDialogIndirect$comctl32.dll
            • API String ID: 2061474489-2809879075
            • Opcode ID: 36c5b0619a2225122e7df878fc3223a011a0c1243d7c4492e85093bc88871309
            • Instruction ID: 52505d697be1162f1a64f6c22dd3d84b08283bfcb983d55be876e2f011747295
            • Opcode Fuzzy Hash: 36c5b0619a2225122e7df878fc3223a011a0c1243d7c4492e85093bc88871309
            • Instruction Fuzzy Hash: 33F0903560161AABCF121FA4CD0899A3BFCAB0A7457010411FC36E2611E775C811CAA0
            APIs
            • GetModuleHandleW.KERNEL32(shell32.dll), ref: 6C1FF8CC
            • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6C1FF8DC
            • EncodePointer.KERNEL32(00000000), ref: 6C1FF8E5
            • DecodePointer.KERNEL32(00000000), ref: 6C1FF8F3
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: SHCreateItemFromParsingName$shell32.dll
            • API String ID: 2061474489-2320870614
            • Opcode ID: 39ca221fdf51a3a1fc6baa4928613cda1ed5ec478bcceea38548d39ab1f722e0
            • Instruction ID: 0f768b06182fae813388106a8ad268794aa79846892f86ff8257d09e8fdb105a
            • Opcode Fuzzy Hash: 39ca221fdf51a3a1fc6baa4928613cda1ed5ec478bcceea38548d39ab1f722e0
            • Instruction Fuzzy Hash: 82F06D3160122BABCF121E65DD0889A3AFCAF1A3857000025FD2692610EB758912CE90
            APIs
            • GetModuleHandleW.KERNEL32(shell32.dll), ref: 6C1FF931
            • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C1FF941
            • EncodePointer.KERNEL32(00000000), ref: 6C1FF94A
            • DecodePointer.KERNEL32(00000000), ref: 6C1FF958
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: SHGetKnownFolderPath$shell32.dll
            • API String ID: 2061474489-2936008475
            • Opcode ID: 687fd6817811427967c0c3328d17a9504acfdebd6949322a281af1fc6e9b3046
            • Instruction ID: 364ce30dd6d82883690b14e8eb4e92063e683ed3a85922ce436516bfc5cf201d
            • Opcode Fuzzy Hash: 687fd6817811427967c0c3328d17a9504acfdebd6949322a281af1fc6e9b3046
            • Instruction Fuzzy Hash: 88F0307660621ABBCF126F648D0895A3FFCBF1E7457000015FD36D6611E775C811CBA4
            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C1E2D63,?,?,?,?), ref: 6C1FF75A
            • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 6C1FF76A
            • EncodePointer.KERNEL32(00000000,?,?,6C1E2D63,?,?,?,?), ref: 6C1FF773
            • DecodePointer.KERNEL32(00000000,?,?,6C1E2D63,?,?,?,?), ref: 6C1FF781
            Strings
            • kernel32.dll, xrefs: 6C1FF755
            • RegisterApplicationRecoveryCallback, xrefs: 6C1FF764
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: RegisterApplicationRecoveryCallback$kernel32.dll
            • API String ID: 2061474489-202725706
            • Opcode ID: a80d56d5caf0daa35fe5dc38ea3592ef7fc18ed1fe7e4c1cd30dffc17f4fb5ce
            • Instruction ID: 8ac5f23198dc3226f001b239614ddd92e831304e18665c81a778142e81894965
            • Opcode Fuzzy Hash: a80d56d5caf0daa35fe5dc38ea3592ef7fc18ed1fe7e4c1cd30dffc17f4fb5ce
            • Instruction Fuzzy Hash: A4F0903660121BABDF125FA5CD0885A7FFCAB0A6857010221FC36D6610FB35C801CF94
            APIs
            • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C1FF870
            • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6C1FF880
            • EncodePointer.KERNEL32(00000000), ref: 6C1FF889
            • DecodePointer.KERNEL32(00000000), ref: 6C1FF897
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: ChangeWindowMessageFilter$user32.dll
            • API String ID: 2061474489-2498399450
            • Opcode ID: ce8db668d472e6bab6bfd44a3840a0beddfd874a4e518fcc7f766b31505a814c
            • Instruction ID: 75836c6b6afaf4f40b1fd43116aeaba9ab5f75aa0fb51a132548ba3d6bc85ea1
            • Opcode Fuzzy Hash: ce8db668d472e6bab6bfd44a3840a0beddfd874a4e518fcc7f766b31505a814c
            • Instruction Fuzzy Hash: 89F0823270621EABDF221F75CD0899A3BFCAB1AA853000061FD3BD2604EB75C911CA94
            APIs
            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C1F7313,?,00000001,F0C0CBE2), ref: 6C1FFB86
            • GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 6C1FFB96
            • EncodePointer.KERNEL32(00000000,?,?,6C1F7313,?,00000001,F0C0CBE2), ref: 6C1FFB9F
            • DecodePointer.KERNEL32(00000000,?,?,6C1F7313,?,00000001,F0C0CBE2), ref: 6C1FFBAD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: EndBufferedPaint$uxtheme.dll
            • API String ID: 2061474489-2993015961
            • Opcode ID: d3ae07057f003d57accd749e0a2103ddc837d1886dca231f35dbcd05b667ef46
            • Instruction ID: a8c26706ff59f7f0fbd80dbfd84034b6ce18fb9db53c4e91852a164b91b85f18
            • Opcode Fuzzy Hash: d3ae07057f003d57accd749e0a2103ddc837d1886dca231f35dbcd05b667ef46
            • Instruction Fuzzy Hash: 9EF0827170662AABCF125F748D2CD9E3BFCAB1A695B000411FC37D6610EB79C901CA90
            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C1E2D47,?,?), ref: 6C1FF6FB
            • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 6C1FF70B
            • EncodePointer.KERNEL32(00000000,?,?,6C1E2D47,?,?), ref: 6C1FF714
            • DecodePointer.KERNEL32(00000000,?,?,6C1E2D47,?,?), ref: 6C1FF722
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: RegisterApplicationRestart$kernel32.dll
            • API String ID: 2061474489-1259503209
            • Opcode ID: b161bab6b371a836aa015c9f24b0d269c9060a163e2e9a6d1213a93ea351ee04
            • Instruction ID: ae992044521ea22f6f4df6190dc94cd059227942ac9d10442f09eaf932ea02f0
            • Opcode Fuzzy Hash: b161bab6b371a836aa015c9f24b0d269c9060a163e2e9a6d1213a93ea351ee04
            • Instruction Fuzzy Hash: 33F08235702216ABCF111FA58D4CD997BFCAB1A6853000111FC37D6600FB75D801CE94
            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C1E2D82,00000000), ref: 6C1FF7BF
            • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 6C1FF7CF
            • EncodePointer.KERNEL32(00000000,?,?,6C1E2D82,00000000), ref: 6C1FF7D8
            • DecodePointer.KERNEL32(00000000,?,?,6C1E2D82,00000000), ref: 6C1FF7E6
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: ApplicationRecoveryInProgress$kernel32.dll
            • API String ID: 2061474489-2899047487
            • Opcode ID: b63f8f463826e9b8cd775bce166a3663993c0550366692a147e7faa9dbac04cf
            • Instruction ID: e1d2e773f83b611934be351f742f6d2f05439dd17362d9dcc5deaa80255b2295
            • Opcode Fuzzy Hash: b63f8f463826e9b8cd775bce166a3663993c0550366692a147e7faa9dbac04cf
            • Instruction Fuzzy Hash: 3DF0A03170262EABCF121F748A089593BFCBB1A6953010521FC3BE7A00FBA5C9018AA4
            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C1E2DC5,00000001), ref: 6C1FF81B
            • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 6C1FF82B
            • EncodePointer.KERNEL32(00000000,?,6C1E2DC5,00000001), ref: 6C1FF834
            • DecodePointer.KERNEL32(00000000,?,?,6C1E2DC5,00000001), ref: 6C1FF842
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: ApplicationRecoveryFinished$kernel32.dll
            • API String ID: 2061474489-1962646049
            • Opcode ID: 2ae0a94cf6870d96bf5ae8dab47a8acd25d2859445a17df645338060d8d644e4
            • Instruction ID: accfea1057eec167f8afb5fe2bf435811ba09ecb071f3c16a54db754af077f49
            • Opcode Fuzzy Hash: 2ae0a94cf6870d96bf5ae8dab47a8acd25d2859445a17df645338060d8d644e4
            • Instruction Fuzzy Hash: DAF0653170272E9BCF121F758A0C8593BFCAE2A6963040425FD37E6A14EB75D9118EA5
            APIs
            • GetModuleHandleW.KERNEL32(shell32.dll,?,6C1E9230,?,?,6C1EA8E6,000FC000,00000010,00000048,6C1EAAC5,00000024,?,00000000,?,00000000), ref: 6C1FF993
            • GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 6C1FF9A3
            • EncodePointer.KERNEL32(00000000,?,?,6C1EA8E6,000FC000,00000010,00000048,6C1EAAC5,00000024,?,00000000,?,00000000,?,6C1EAD75,?), ref: 6C1FF9AC
            • DecodePointer.KERNEL32(00000000,?,6C1E9230,?,?,6C1EA8E6,000FC000,00000010,00000048,6C1EAAC5,00000024,?,00000000,?,00000000), ref: 6C1FF9BA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: InitNetworkAddressControl$shell32.dll
            • API String ID: 2061474489-1950653938
            • Opcode ID: 076682a0c7e35bdbd95a230989c79b8470bc46a197414973180e1340864d5a75
            • Instruction ID: 7cb3f2af1df76c17b339e69092d50e51291d7afd355587f1db50849229a3b877
            • Opcode Fuzzy Hash: 076682a0c7e35bdbd95a230989c79b8470bc46a197414973180e1340864d5a75
            • Instruction Fuzzy Hash: 45E06531B075266BCF111F745A1855936FCBF1A2453010452F933D2500EB78CC02CE94
            APIs
            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C1F71FE,?,?,?,?,?,?,?,?,00000008), ref: 6C1FFA74
            • GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C1FFA84
            • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000008), ref: 6C1FFA8D
            • DecodePointer.KERNEL32(00000000,?,6C1F71FE,?,?,?,?,?,?,?,?,00000008), ref: 6C1FFA9B
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: BufferedPaintInit$uxtheme.dll
            • API String ID: 2061474489-1331937065
            • Opcode ID: 5d22edeecd8101dbcbf4b01396839f8e0ed962ef78ea70a9c18afe42665a914a
            • Instruction ID: 1ac503889d703d0ad73bf22e4b54795b844b34fcdcb73f99db0e2814db8b6877
            • Opcode Fuzzy Hash: 5d22edeecd8101dbcbf4b01396839f8e0ed962ef78ea70a9c18afe42665a914a
            • Instruction Fuzzy Hash: 06E09B72B067279BCF115F38AE0C5493AFC6F1A6893050451FD37E2700EB28C902CE94
            APIs
            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C1F83B0,?,?,6C1F7649,F0C0CBE2,?,?,?,Function_00184D80,000000FF), ref: 6C1FFAC9
            • GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 6C1FFAD9
            • EncodePointer.KERNEL32(00000000,?,6C1F83B0,?,?,6C1F7649,F0C0CBE2,?,?,?,Function_00184D80,000000FF), ref: 6C1FFAE2
            • DecodePointer.KERNEL32(00000000,?,6C1F83B0,?,?,6C1F7649,F0C0CBE2,?,?,?,Function_00184D80,000000FF), ref: 6C1FFAF0
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: BufferedPaintUnInit$uxtheme.dll
            • API String ID: 2061474489-1501038116
            • Opcode ID: e31580ca9bc897c817894b05100854ca22d68afa74c9be1074caf29ab8c218c6
            • Instruction ID: da06d40f19fd4ef5aa8dfb226f5d8e6de12c207749c4b3d4c6b77c7142564c88
            • Opcode Fuzzy Hash: e31580ca9bc897c817894b05100854ca22d68afa74c9be1074caf29ab8c218c6
            • Instruction Fuzzy Hash: 8FE06571B066235BCF119F34A9189593AFCAB262467010055F837D6604EB28C902CBA4
            APIs
            • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C1FFE2E
            • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C1FFE3E
            • EncodePointer.KERNEL32(00000000), ref: 6C1FFE47
            • DecodePointer.KERNEL32(00000000), ref: 6C1FFE59
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
            • String ID: TaskDialogIndirect$comctl32.dll
            • API String ID: 2061474489-2809879075
            • Opcode ID: 756fdb471ee9df752e3e958c4886520595aca54708d8d00e8198a7d41da263ee
            • Instruction ID: bf5bf41729855d7368aa46b9cab0db72c86e4f8ae1b682fafbbcf4d80c36e65a
            • Opcode Fuzzy Hash: 756fdb471ee9df752e3e958c4886520595aca54708d8d00e8198a7d41da263ee
            • Instruction Fuzzy Hash: 5DE048767062539F9F115EB45B0C94B37FD9F1A59A3060451FD23D6505F738C8058E60
            APIs
            • GetSysColor.USER32(0000000F), ref: 6C1FCA82
            • GetSysColor.USER32(00000010), ref: 6C1FCA8D
            • GetSysColor.USER32(00000014), ref: 6C1FCA98
            • GetSysColor.USER32(00000012), ref: 6C1FCAA3
            • GetSysColor.USER32(00000006), ref: 6C1FCAAE
            • GetSysColorBrush.USER32(0000000F), ref: 6C1FCAB9
            • GetSysColorBrush.USER32(00000006), ref: 6C1FCAC4
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Color$Brush
            • String ID:
            • API String ID: 2798902688-0
            • Opcode ID: ea4ce09c145fbd8705b1948e6984cadd52661805b40e64b193c312b3a5a702b8
            • Instruction ID: d82fcffa3a52803dbb3f27359d58c683e62820aad69e23770fa80d242676382f
            • Opcode Fuzzy Hash: ea4ce09c145fbd8705b1948e6984cadd52661805b40e64b193c312b3a5a702b8
            • Instruction Fuzzy Hash: 7CF09E71A417089BDB206FB1858D786BBF4BF19B12F440B19E2468B980F7F790C09F00
            APIs
            • GetParent.USER32(00000000), ref: 6C20AE42
            • GetClientRect.USER32(?,6C20A694), ref: 6C20AE55
            • GetWindowRect.USER32(00000000,?), ref: 6C20AE9F
            • GetParent.USER32(00000000), ref: 6C20AEA8
            • GetParent.USER32(00000000), ref: 6C20B13B
            • RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000000,?,?,?,?,?,?,?,6C20A694,00000000), ref: 6C20B16B
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Parent$RectWindow$ClientRedraw
            • String ID:
            • API String ID: 443302174-0
            • Opcode ID: dabb944a181166488cbcf3374017f239f9ab4849f8e77b5a1374ac88bf65baf7
            • Instruction ID: 2aaa3c0a84ec67242f3341a89c7d1f7d0a3a405bacbaf7d5ea1eb5b58f3f3178
            • Opcode Fuzzy Hash: dabb944a181166488cbcf3374017f239f9ab4849f8e77b5a1374ac88bf65baf7
            • Instruction Fuzzy Hash: ABD16A31B0061ADFDF15CF68C894BEDBBB5BF49311F14016AEC16AB691DB30A840CBA5
            APIs
            • GetParent.USER32(?), ref: 6C20D749
            • GetParent.USER32(?), ref: 6C20D768
            • GetParent.USER32(?), ref: 6C20D777
            • RedrawWindow.USER32(?,00000000,00000000,00000505,6C363474,00000000), ref: 6C20D7DD
            • GetParent.USER32(?), ref: 6C20D7E6
            • RedrawWindow.USER32(?,00000000,00000000,00000505,00000000), ref: 6C20D80D
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Parent$RedrawWindow
            • String ID:
            • API String ID: 2946272266-0
            • Opcode ID: d828ab836e16a6ae9280b8a0abc72f04d6f734b8a2d9128c846070a21fdaf32f
            • Instruction ID: 14a9ab40ace636e608b855a01c515ee4f53bbde7ea8f6d88d5b41e4038577139
            • Opcode Fuzzy Hash: d828ab836e16a6ae9280b8a0abc72f04d6f734b8a2d9128c846070a21fdaf32f
            • Instruction Fuzzy Hash: AA71B035701A2AAFDF059F64C898AAD7BBABF49305F14016AE816D7790DF34AD01CF90
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$ClientInflate
            • String ID:
            • API String ID: 256450704-0
            • Opcode ID: 1bf909f6f15f13cc03c14ca871d975fb2bd2ae713f935c60ad1adfd64df05e93
            • Instruction ID: 7f6a25861c8a90ad4c1cd354b7a788c91bbc35e5c095bb5e62a0775d7ff1b523
            • Opcode Fuzzy Hash: 1bf909f6f15f13cc03c14ca871d975fb2bd2ae713f935c60ad1adfd64df05e93
            • Instruction Fuzzy Hash: 8C714E71E0061A9FDB04CFA9C984ADDF7F6FF58305F158169E819EB210D731AA42CB91
            APIs
            • GetWindowRect.USER32(?,?), ref: 6C1F264D
            • EqualRect.USER32(?,00000000), ref: 6C1F266B
              • Part of subcall function 6C1F519E: SetWindowPos.USER32(?,00000000,?,00000000,00000115,00000000,00000000,?,?,6C1F2831,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6C1F51C6
            • GetDlgCtrlID.USER32(?), ref: 6C1F2717
            • CopyRect.USER32(?,00000000), ref: 6C1F2753
            • GetParent.USER32(?), ref: 6C1F2834
            • SetParent.USER32(?,?), ref: 6C1F284A
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$ParentWindow$CopyCtrlEqual
            • String ID:
            • API String ID: 1662903855-0
            • Opcode ID: 05d50ab13672168c28b70c77f630577d3dd16041f4abea1be659ed2468f58bfd
            • Instruction ID: 0956b2f4862101cf22d5101cffca3b8a864d80642fc968996bd07686ad752a24
            • Opcode Fuzzy Hash: 05d50ab13672168c28b70c77f630577d3dd16041f4abea1be659ed2468f58bfd
            • Instruction Fuzzy Hash: D061C171601659ABDF14DF34CC89BEAB7F9BF55308F1002A8E92AD7690DB30A946CF50
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: _strlen
            • String ID: IP=$Port
            • API String ID: 4218353326-1046961985
            • Opcode ID: 5f14bfca70d032e181aee964934aa1bf67f571fac3d639c7309e5b51c327c0c8
            • Instruction ID: aedb0b0583ad27479db4ed82ea42f46dc6982a56ba801e8cab895fde6e898a58
            • Opcode Fuzzy Hash: 5f14bfca70d032e181aee964934aa1bf67f571fac3d639c7309e5b51c327c0c8
            • Instruction Fuzzy Hash: 4AF1C3B2910B008BD724CF38C894BA7B7F6BF95308F164A2DD59A87B50EB35F5498B41
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6C2219B7
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6C221A22
            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C221A3F
            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6C221A7E
            • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6C221ADD
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C221B00
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ByteCharMultiStringWide
            • String ID:
            • API String ID: 2829165498-0
            • Opcode ID: 4af5407b1436982a4584fc3ac16935e7225f407cc75c9d7ef69e2c3a4f325e47
            • Instruction ID: 25a85c7b6b58701a463dbbc62b7578cac74f1402d9860e479e7472d5ecda654b
            • Opcode Fuzzy Hash: 4af5407b1436982a4584fc3ac16935e7225f407cc75c9d7ef69e2c3a4f325e47
            • Instruction Fuzzy Hash: 1E51A27260120EAFEF108F64CC44FAA3BB9EF4574AF214525FD15965A0E77ACC94CB90
            APIs
            • GetParent.USER32(00000000), ref: 6C20A554
            • SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6C20A590
            • SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 6C20A5C3
            • SetRectEmpty.USER32(?), ref: 6C20A629
            • SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 6C20A685
            • RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 6C20A6B4
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSend$EmptyParentRectRedrawWindow
            • String ID:
            • API String ID: 3879113052-0
            • Opcode ID: 4b1f8efd4a02d0179c41c132152bd5673003e996d275a703cfbf0721753380f8
            • Instruction ID: 24b8c13baf8a3a1c2709f26de901d19fd4f2c49199ee7940383eb282163b11ad
            • Opcode Fuzzy Hash: 4b1f8efd4a02d0179c41c132152bd5673003e996d275a703cfbf0721753380f8
            • Instruction Fuzzy Hash: 4D516A71F01619DFDB18CF64C894BADBBB9BF49305F60422AE816A7780DB30A940CF80
            APIs
            • CallNextHookEx.USER32(00000000,?,?), ref: 6C20F8BF
            • WindowFromPoint.USER32(?,?), ref: 6C20F8E9
            • ScreenToClient.USER32(00000020,00000200), ref: 6C20F91F
            • GetParent.USER32(00000020), ref: 6C20F986
            • UpdateWindow.USER32(?), ref: 6C20F9EC
            • SendMessageW.USER32(?,00000100,00000024,00000000), ref: 6C20FA6A
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$CallClientFromHookMessageNextParentPointScreenSendUpdate
            • String ID:
            • API String ID: 4074787488-0
            • Opcode ID: 480c7d900dc7cad6f6857de967c0fab3ce37ef7c80a8661a2e3c7317e43d7b90
            • Instruction ID: d83de5d03a47d765dafe6670e28978b8e0cd63d66cbd7d1c46bb2c5120d4bb70
            • Opcode Fuzzy Hash: 480c7d900dc7cad6f6857de967c0fab3ce37ef7c80a8661a2e3c7317e43d7b90
            • Instruction Fuzzy Hash: BD51EE3570020AAFDF04CFA4C954FAE7BBAFF49315F20016AF92697AA0DB319951CB44
            APIs
            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C1EB976
            • IsWindow.USER32(?), ref: 6C1EB9F1
            • ClientToScreen.USER32(?,?), ref: 6C1EBA02
            • IsWindow.USER32(?), ref: 6C1EBA20
            • ClientToScreen.USER32(?,?), ref: 6C1EBA50
            • SendMessageW.USER32(?,0000020A,?,?), ref: 6C1EBAAE
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClientMessageScreenSendWindow
            • String ID:
            • API String ID: 2093367132-0
            • Opcode ID: d60baa5b8ccdfc4690d8c3f9a48768074c973cb70adfa9cb39c99eefdddf095f
            • Instruction ID: ddab4f96e4fd15fd02bf35381af30e80f42856680c8d042c7e9c0340d450a460
            • Opcode Fuzzy Hash: d60baa5b8ccdfc4690d8c3f9a48768074c973cb70adfa9cb39c99eefdddf095f
            • Instruction Fuzzy Hash: C441D2B1205F26EADF004F78C984B7EBAB4EB6D309F100628E5A2D2E74D732D640C708
            APIs
            • __EH_prolog3.LIBCMT ref: 6C204C2A
            • GlobalAlloc.KERNEL32(00000040,00000004), ref: 6C204D91
            • GlobalLock.KERNEL32(00000000), ref: 6C204D9E
            • GlobalUnlock.KERNEL32(00000000), ref: 6C204DAF
            • SetPropW.USER32(?,00000000), ref: 6C204DBF
            • GlobalFree.KERNEL32(00000000), ref: 6C204DCA
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Global$AllocFreeH_prolog3LockPropUnlock
            • String ID:
            • API String ID: 2329575679-0
            • Opcode ID: d55202e9df064336a5593e198de6b0197ae7fd9381574fe94c0a4d13114c1093
            • Instruction ID: 7c3feb0574be664c5aa343c0c12a6e926d3326f92cd8c259078405ad1516b1c9
            • Opcode Fuzzy Hash: d55202e9df064336a5593e198de6b0197ae7fd9381574fe94c0a4d13114c1093
            • Instruction Fuzzy Hash: F141D07530070A9BDB049F758844BDE7BA4BF15319F10421AEA29CBB90DF35D916CB90
            APIs
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
            • SendMessageW.USER32(?,0000043D,00000000,00000000), ref: 6C1E1612
            • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C1E1623
            • SendMessageW.USER32(?,0000043C,00000001,00000000), ref: 6C1E1637
            • SendMessageW.USER32(?,0000043C,00000000,00000000), ref: 6C1E1648
            • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C1E1657
            • InvalidateRect.USER32(?,00000000,00000001,00000000,?,00000000,?,?,?,?,?,?,?,?,?,6C1E0FF4), ref: 6C1E16EA
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSend$InvalidateLongRectWindow
            • String ID:
            • API String ID: 74886174-0
            • Opcode ID: 9f567d15468d0a531e500c0bff8a7d5f5c69ce4f009b36c52088cbafd000d83e
            • Instruction ID: a5b8469ffc40570f8da6e521e002236f7babb81aefd03749632a1cde5283946a
            • Opcode Fuzzy Hash: 9f567d15468d0a531e500c0bff8a7d5f5c69ce4f009b36c52088cbafd000d83e
            • Instruction Fuzzy Hash: 9F419B31740618ABDF049FA0CC99FEEBB79FF49710F144115FA05AB291EBB1A942CB94
            APIs
            • IsWindowVisible.USER32(?), ref: 6C1E48AE
            • GetWindow.USER32(?,00000005), ref: 6C1E48C5
            • GetWindowRect.USER32(00000000,?), ref: 6C1E48E0
              • Part of subcall function 6C1DD2F4: ScreenToClient.USER32(?,00000000), ref: 6C1DD303
              • Part of subcall function 6C1DD2F4: ScreenToClient.USER32(?,00000008), ref: 6C1DD310
            • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 6C1E4906
            • GetWindow.USER32(00000000,00000002), ref: 6C1E490F
            • ScrollWindow.USER32(?,?,?,?,?), ref: 6C1E492B
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$ClientScreen$RectScrollVisible
            • String ID:
            • API String ID: 1714389229-0
            • Opcode ID: 6fadce9f3d62e49b1c0221ed432b5bd72e14164aa6689e425fd5126989156a39
            • Instruction ID: e51b187edd5c117faec1125128d354b14e7acafa479ebbd77535b66348520cd7
            • Opcode Fuzzy Hash: 6fadce9f3d62e49b1c0221ed432b5bd72e14164aa6689e425fd5126989156a39
            • Instruction Fuzzy Hash: 41218D36600A0AABDB01DFA5C884AAFBBBDFF8D705B154119F905A7610EB71ED418B60
            APIs
            • __EH_prolog3_catch.LIBCMT ref: 6C1EF3E2
            • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 6C1EF41A
            • GlobalLock.KERNEL32(?), ref: 6C1EF422
            • GlobalUnlock.KERNEL32(?), ref: 6C1EF456
            • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 6C1EF499
            • PostMessageW.USER32(?,000003E4,?,00000000), ref: 6C1EF4A5
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: GlobalParam$H_prolog3_catchLockMessagePostReuseUnlockUnpack
            • String ID:
            • API String ID: 4045269880-0
            • Opcode ID: 7ace4abeb1c9fab227ef16fecdd37f36228fd98cdb15d94bdb10a0f9d23be4b6
            • Instruction ID: 9d7f95425e4c96e527d17c4e7ff90240c0d93373669f337cfca96883497423e9
            • Opcode Fuzzy Hash: 7ace4abeb1c9fab227ef16fecdd37f36228fd98cdb15d94bdb10a0f9d23be4b6
            • Instruction Fuzzy Hash: 50317E71A00209EFEF05DF60C994AFEB7B9AF18319F114118E91577790DB315E09CBA1
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1F824A
            • CreateRectRgnIndirect.GDI32(00000000), ref: 6C1F826A
              • Part of subcall function 6C1DCC7E: SelectClipRgn.GDI32(?,00000000), ref: 6C1DCC9E
              • Part of subcall function 6C1DCC7E: SelectClipRgn.GDI32(?,00000000), ref: 6C1DCCB4
            • GetParent.USER32(00000000), ref: 6C1F828A
            • DrawThemeParentBackground.UXTHEME(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000018), ref: 6C1F82AB
            • MapWindowPoints.USER32(00000000,?,00000000,00000001), ref: 6C1F82DF
            • SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6C1F830B
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
            • String ID:
            • API String ID: 935984306-0
            • Opcode ID: 0e3348e407826e5949d1c7ed47022d89de800a595f4eca661a8bcc22ccd6ec60
            • Instruction ID: d802ae61522abc287c58a439cb2927f01680b7b38d0fea44b18bddca940719c2
            • Opcode Fuzzy Hash: 0e3348e407826e5949d1c7ed47022d89de800a595f4eca661a8bcc22ccd6ec60
            • Instruction Fuzzy Hash: 14315872A0060AAFDF01DFE0C894BEE7BF4FF09305F014519EA11AA6A0DB75A915DF90
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1FDD8D
              • Part of subcall function 6C1DD1DC: __EH_prolog3.LIBCMT ref: 6C1DD1E3
              • Part of subcall function 6C1DD1DC: GetWindowDC.USER32(00000000,00000004,6C1F78A0,00000000), ref: 6C1DD20F
            • GetClientRect.USER32(?,?), ref: 6C1FDDAF
            • GetWindowRect.USER32(?,?), ref: 6C1FDDC3
              • Part of subcall function 6C1DD2F4: ScreenToClient.USER32(?,00000000), ref: 6C1DD303
              • Part of subcall function 6C1DD2F4: ScreenToClient.USER32(?,00000008), ref: 6C1DD310
            • OffsetRect.USER32(?,?,?), ref: 6C1FDDE4
              • Part of subcall function 6C1DCCC1: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C1DCCF8
              • Part of subcall function 6C1DCCC1: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C1DCD15
            • OffsetRect.USER32(?,?,?), ref: 6C1FDE06
              • Part of subcall function 6C1DCD22: IntersectClipRect.GDI32(?,?,?,?,?), ref: 6C1DCD59
              • Part of subcall function 6C1DCD22: IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 6C1DCD76
            • SendMessageW.USER32(?,00000014,?,00000000), ref: 6C1FDE3E
              • Part of subcall function 6C1DD231: ReleaseDC.USER32(?,00000000), ref: 6C1DD265
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$H_prolog3H_prolog3_MessageReleaseSend
            • String ID:
            • API String ID: 3860140383-0
            • Opcode ID: 177b4e76d3dedb05c4a5ea701b79d1a750ad279b668f06dadca7b1c10fe2783a
            • Instruction ID: e22c798c5cfb0904cb5b4fa27bdf4aa1ad79d026a6404a8aef4b3df38c0587df
            • Opcode Fuzzy Hash: 177b4e76d3dedb05c4a5ea701b79d1a750ad279b668f06dadca7b1c10fe2783a
            • Instruction Fuzzy Hash: 6331E772A4011DAFDF05DBA4CC95EFDB7B9FF59305B140219F502A3650EB34AA49CB60
            APIs
            • GetWindowLongW.USER32(00000024,000000F0), ref: 6C1F07DE
            • GetParent.USER32(00000024), ref: 6C1F07EC
            • GetParent.USER32(00000024), ref: 6C1F0803
            • GetLastActivePopup.USER32(00000024), ref: 6C1F0816
            • IsWindowEnabled.USER32(00000024), ref: 6C1F082A
            • EnableWindow.USER32(00000024,00000000), ref: 6C1F083D
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
            • String ID:
            • API String ID: 670545878-0
            • Opcode ID: e4867e699d547e3ef5e2c76e364a60b3f253e3f742ae59d9d81084776cfae237
            • Instruction ID: 11ba3c02026a22869f5568c7000d3dab373f659af04d88d1c3e1597ce29d49f7
            • Opcode Fuzzy Hash: e4867e699d547e3ef5e2c76e364a60b3f253e3f742ae59d9d81084776cfae237
            • Instruction Fuzzy Hash: 3D112932A426A9DBC7510E564884B5A77FC6F16F1AF160369EC34A7A00EF60CC034BD1
            APIs
            • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C2683EA
            • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C268400
            • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C26840B
            • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C268416
            • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C268421
            • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C26842C
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ContextExternal$BaseBase::~Concurrency::details::
            • String ID:
            • API String ID: 1690591649-0
            • Opcode ID: 2b8508f798498cc682ea83f7209c2dc74edc1aa6bf13c40c97ee9f54407a656f
            • Instruction ID: bba2bd23953e461fd3e245cfbf55970aeefd177cfbe9e354eeb1ce36ba5c9280
            • Opcode Fuzzy Hash: 2b8508f798498cc682ea83f7209c2dc74edc1aa6bf13c40c97ee9f54407a656f
            • Instruction Fuzzy Hash: 8A217F32301909ABCB48EB74D8A0BEDB769FB41619F40422DD81687BC0DF247969CB90
            APIs
            • GetLastError.KERNEL32(?,?,6C331153,6C331961,?,?,?,?,6C31BA30,?,?,?,?,?,00000000,00000000), ref: 6C33116A
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C331178
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C331191
            • SetLastError.KERNEL32(00000000,?,?,6C31BA30,?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 6C3311E3
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            • Opcode ID: 429ea2a1e531a59ffde6d0369882ab2edc071d6a02650207e945c03809110a1f
            • Instruction ID: 807e75aa77ef102161ef9bcef1e13ccf366f40b65bf47396bee03430256b2e0e
            • Opcode Fuzzy Hash: 429ea2a1e531a59ffde6d0369882ab2edc071d6a02650207e945c03809110a1f
            • Instruction Fuzzy Hash: 3F01D232B0D3725AAA1029B67C8469B3B78DB0237D730132AE428519D0EB9388049AD0
            APIs
            • GetDesktopWindow.USER32 ref: 6C1EC9E0
            • GetWindow.USER32(00000000), ref: 6C1EC9E7
            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C1ECA15
            • ShowWindow.USER32(00000000,00000000), ref: 6C1ECA30
            • ShowWindow.USER32(00000000,00000004), ref: 6C1ECA51
            • GetWindow.USER32(00000000,00000002), ref: 6C1ECA5E
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Show$DesktopLong
            • String ID:
            • API String ID: 3178490500-0
            • Opcode ID: 66d0d985a15c4b04f13e86580edb55d845a66500b1aa42307a1453f71d3a32cd
            • Instruction ID: a73f28e7d24d45ea47d3851d6d3355cf1ebc4d58700d5e140c736e68c7212181
            • Opcode Fuzzy Hash: 66d0d985a15c4b04f13e86580edb55d845a66500b1aa42307a1453f71d3a32cd
            • Instruction Fuzzy Hash: C0112C71205F2567D712EE219C29B5A3F68AF967ABF159310FD10D5680FB61C040C7D4
            APIs
            • ClientToScreen.USER32(?,?), ref: 6C1F9726
            • GetDlgCtrlID.USER32(00000000), ref: 6C1F9731
            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C1F9741
            • GetWindowRect.USER32(00000000,?), ref: 6C1F975A
            • PtInRect.USER32(?,?,?), ref: 6C1F976A
            • GetWindow.USER32(?,00000005), ref: 6C1F9777
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Rect$ClientCtrlLongScreen
            • String ID:
            • API String ID: 1315500227-0
            • Opcode ID: 855467ba325d6e74c1202e279aa3a8d43c0daf82339a2792ff9b284a7fa66b04
            • Instruction ID: 852946431973b19881b4f2a9ae4c0b8fbd27e962abfa91f5fac1c785beb81a79
            • Opcode Fuzzy Hash: 855467ba325d6e74c1202e279aa3a8d43c0daf82339a2792ff9b284a7fa66b04
            • Instruction Fuzzy Hash: FE01C030A0121AABDF01EF648C44FAF77BCEF07306F544315F822A6140E7319A868B92
            APIs
            • GetFocus.USER32 ref: 6C1F95BB
              • Part of subcall function 6C1F9657: GetWindowLongW.USER32(?,000000F0), ref: 6C1F9672
              • Part of subcall function 6C1F9657: GetClassNameW.USER32(?,?,0000000A), ref: 6C1F9687
              • Part of subcall function 6C1F9657: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 6C1F969E
            • GetParent.USER32(00000000), ref: 6C1F95DC
            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C1F95FB
            • GetParent.USER32(00000000), ref: 6C1F9609
            • GetDesktopWindow.USER32 ref: 6C1F9611
            • SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C1F9625
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
            • String ID:
            • API String ID: 1233893325-0
            • Opcode ID: f18e75c2c99824ba138bcb4752e438f3ea0d124a26a78338e5b5bfcf9cae459c
            • Instruction ID: 8012fb1818d19e8ac7090d65651ada76968d0fca84dad9270b3a04a3c23ba08e
            • Opcode Fuzzy Hash: f18e75c2c99824ba138bcb4752e438f3ea0d124a26a78338e5b5bfcf9cae459c
            • Instruction Fuzzy Hash: 11F0A43120261567DA023F348D68B6E37FC9B9BF7AF210250F930A2688EF65D4834695
            APIs
            • __EH_prolog3_catch.LIBCMT ref: 6C209B0C
              • Part of subcall function 6C257770: __EH_prolog3.LIBCMT ref: 6C257777
              • Part of subcall function 6C1F4F59: GetDlgCtrlID.USER32(?), ref: 6C1F4F64
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CtrlH_prolog3H_prolog3_catch
            • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars
            • API String ID: 905329913-3577816979
            • Opcode ID: e7a6c3cd80bed33f0dcd0fd07b7f16a7deea54cf13ec4eec533509c183c43954
            • Instruction ID: 1d502f26f3cce18ebb67c61754124125870ddca47338eb4e79d0ae90eea9dbed
            • Opcode Fuzzy Hash: e7a6c3cd80bed33f0dcd0fd07b7f16a7deea54cf13ec4eec533509c183c43954
            • Instruction Fuzzy Hash: CB914A35A0020D9FDF00EF94C994AEDBBB6AF49315F244069E916AB791CB30AD05CF61
            APIs
            • __EH_prolog3.LIBCMT ref: 6C2605CC
            • RegisterClipboardFormatW.USER32(00000010), ref: 6C260616
            • __EH_prolog3_catch.LIBCMT ref: 6C26064B
              • Part of subcall function 6C21D2FC: __EH_prolog3.LIBCMT ref: 6C21D303
            • __EH_prolog3_catch.LIBCMT ref: 6C26079A
              • Part of subcall function 6C1F8B58: __EH_prolog3_catch.LIBCMT ref: 6C1F8B5F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3_catch$H_prolog3$ClipboardFormatRegister
            • String ID: ToolbarButton%p
            • API String ID: 3051953459-899657487
            • Opcode ID: 8ffafcc8b157bc156c87f6904be66816da50a1901a0fe49355086739902b6f42
            • Instruction ID: fd2a457a12a3af2cb43199bfd27a37ddafa16ff38875aef6784a9132db634288
            • Opcode Fuzzy Hash: 8ffafcc8b157bc156c87f6904be66816da50a1901a0fe49355086739902b6f42
            • Instruction Fuzzy Hash: 57411775A0064A9BDF01DB728814BFE7BF4AF91308F000419E926ABF80DF30D946CB68
            APIs
            • SendMessageW.USER32(?,00000433,00000000,?), ref: 6C1E669E
            • GetWindowLongW.USER32(?,000000FC), ref: 6C1E66A9
            • GetWindowLongW.USER32(?,000000FC), ref: 6C1E66BD
            • SetWindowLongW.USER32(?,000000FC,00000000), ref: 6C1E66E6
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID: ,
            • API String ID: 2178440468-3772416878
            • Opcode ID: b746cbf424990e7329690195e2f08d7ff57dfee10b4165d8d935447c2d65d436
            • Instruction ID: 18a0f817854818d88650a267890ad9fe8f02769be06a6986e58dfa23adb6cfbf
            • Opcode Fuzzy Hash: b746cbf424990e7329690195e2f08d7ff57dfee10b4165d8d935447c2d65d436
            • Instruction Fuzzy Hash: 3B41AD31B01A2DDFDB019FA5C884AADBBF9BF5C318B140269D956D7B51DB30E806CB90
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1ED7DD
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
            • swprintf.LIBCMT ref: 6C1ED832
            • swprintf.LIBCMT ref: 6C1ED8D6
              • Part of subcall function 6C1E25CE: _memcpy_s.LIBCMT ref: 6C1E263A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: swprintf$H_prolog3_LongWindow_memcpy_s
            • String ID: - $:%d
            • API String ID: 1278326813-2359489159
            • Opcode ID: 365e8e8dd67f948b512cb8e2606820659bf84d2c4f482934fef1931b79a3b4fc
            • Instruction ID: 4afdb498c152fa2fb4396597ef573b489fe8cd3bbced0fefe12089074ad418a0
            • Opcode Fuzzy Hash: 365e8e8dd67f948b512cb8e2606820659bf84d2c4f482934fef1931b79a3b4fc
            • Instruction Fuzzy Hash: C4319472A01515ABDB14DBB0CD55FEEB36CEF18208F0014A5B619E7A51EF30AE59CFA0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: String$FreeH_prolog3
            • String ID: @
            • API String ID: 315669285-2766056989
            • Opcode ID: b78a1bc9c2dbf66a83687e60585633be29fcd3eb094b7effd5d065e6133b9fbf
            • Instruction ID: 5e0e2bc970ee40bd8690193b24708794df84a7b6ba6fc73aafc40d1d3a3d145d
            • Opcode Fuzzy Hash: b78a1bc9c2dbf66a83687e60585633be29fcd3eb094b7effd5d065e6133b9fbf
            • Instruction Fuzzy Hash: 8E318CB190124AABDF01DFA5CC94AEE7BB8EF05318F10412AF934AA390DB319956CB50
            APIs
            • SetRectEmpty.USER32(7 l), ref: 6C20320B
            • GetClientRect.USER32(00000000,7 l), ref: 6C20322B
            • GetParent.USER32(00000000), ref: 6C20324A
            • OffsetRect.USER32(7 l,00000000,00000000), ref: 6C2032CC
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$ClientEmptyOffsetParent
            • String ID: 7 l
            • API String ID: 3819956977-3690724274
            • Opcode ID: ec8f85642d99a7faa4d099b30a54850e65ae638b98ba2e8ba6e85aa835c8c6cf
            • Instruction ID: cd8cbe07c53bafa4d09ebe68a6792904b1007defdf8281d02b23519cdf843a73
            • Opcode Fuzzy Hash: ec8f85642d99a7faa4d099b30a54850e65ae638b98ba2e8ba6e85aa835c8c6cf
            • Instruction Fuzzy Hash: 81317171301606AFEB088F65C995F65B7A8FF45365B10821EE81ACBB40EB31EC51CBA0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: __snprintf_s$ClassInfo
            • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
            • API String ID: 1341824228-2801496823
            • Opcode ID: 35de7372c0152e91cc5652254e77e9821a6ec0db7a38c09a78d20818317e2330
            • Instruction ID: dc8fabff622ba60bb7af7ea97228f63b90be3ec4b698a8d7aaef31f4a821bd10
            • Opcode Fuzzy Hash: 35de7372c0152e91cc5652254e77e9821a6ec0db7a38c09a78d20818317e2330
            • Instruction Fuzzy Hash: 4F3118B0900609EFDB01DFA9C848ADE7BF8BF89309F004016E514ABB50E7759A54CFA2
            APIs
            • __EH_prolog3.LIBCMT ref: 6C26352F
              • Part of subcall function 6C257770: __EH_prolog3.LIBCMT ref: 6C257777
              • Part of subcall function 6C1F4F59: GetDlgCtrlID.USER32(?), ref: 6C1F4F64
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3$Ctrl
            • String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
            • API String ID: 3879667756-2169875744
            • Opcode ID: 9bfc5e695072fb2a82b62fa9b9c23398a45f057e0c135f4356c761cffc1d172d
            • Instruction ID: b4295d0e26fe828b777a8518e7e937d7f9df7b4fdedf5ee5f86ff1e408ade814
            • Opcode Fuzzy Hash: 9bfc5e695072fb2a82b62fa9b9c23398a45f057e0c135f4356c761cffc1d172d
            • Instruction Fuzzy Hash: 8531A131A002199BCF00DFA5CC94AFEBBB5BF99314F150569E926A7790CF34A905CB61
            APIs
            • __EH_prolog3.LIBCMT ref: 6C26341B
              • Part of subcall function 6C257770: __EH_prolog3.LIBCMT ref: 6C257777
              • Part of subcall function 6C1F4F59: GetDlgCtrlID.USER32(?), ref: 6C1F4F64
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3$Ctrl
            • String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
            • API String ID: 3879667756-2169875744
            • Opcode ID: f32389703708d0b9bf15134812b5960836479ae9d97c14d5a768ad3787e820f2
            • Instruction ID: 0230986c61f7b41fee49ada4cbeb464047dd9d3e7bcefce1be7c9e7c4794be34
            • Opcode Fuzzy Hash: f32389703708d0b9bf15134812b5960836479ae9d97c14d5a768ad3787e820f2
            • Instruction Fuzzy Hash: 5731AF71A012099FDF00DFA5C890EEEBBB5BF49318F144569E915AB780CF34AD05CB61
            Strings
            • C:\Users\Public\Bilite\Axialis\Update.exe, xrefs: 6C31E13C
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID:
            • String ID: C:\Users\Public\Bilite\Axialis\Update.exe
            • API String ID: 0-3977776465
            • Opcode ID: af886c8cfdbbb7b78624cb7dc0164840ce144f8ccc180d1bc19b528572d4cae7
            • Instruction ID: 6053d541ba5357271ac0c6dd6c16f5bd611d65b679ca0aa516d15230d97bbfcd
            • Opcode Fuzzy Hash: af886c8cfdbbb7b78624cb7dc0164840ce144f8ccc180d1bc19b528572d4cae7
            • Instruction Fuzzy Hash: FD218B3160C306AF97189EA6CC4C88A77ADBF463B97048635E85997E40E733EC508FE1
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID:
            • String ID: Edit
            • API String ID: 0-554135844
            • Opcode ID: d324a41768834791040b35a8f375af9bf5819c41e4969f5e3ae4d21ae31bfc07
            • Instruction ID: 446fe4cd610bbf789f682a5b5df0f59c1b9d562ccfdbf5d725302c2d09d76e84
            • Opcode Fuzzy Hash: d324a41768834791040b35a8f375af9bf5819c41e4969f5e3ae4d21ae31bfc07
            • Instruction Fuzzy Hash: 07114470355A01ABEB101F21CC08FAE7FB8AF0AB69F108665F2A1D1CA0EB61D440C7B0
            APIs
            • GetModuleHandleW.KERNEL32(Advapi32.dll,F0C0CBE2,?,?,?,Function_00184D80,000000FF), ref: 6C2001F1
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6C200201
              • Part of subcall function 6C1F4A62: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C1F4A75
              • Part of subcall function 6C1F4A62: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6C1F4A85
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: Advapi32.dll$RegDeleteKeyExW
            • API String ID: 1646373207-2191092095
            • Opcode ID: 6c5dc3d037af54116bedbf4d935551b179094b0a18518f39b84af1e2f5b46cec
            • Instruction ID: 74f1263b62eb0cbd943b7d5c9181a4f9cc76d8ff9ab34819feaf75d93c0c7e47
            • Opcode Fuzzy Hash: 6c5dc3d037af54116bedbf4d935551b179094b0a18518f39b84af1e2f5b46cec
            • Instruction Fuzzy Hash: FC119075748189AFEF028F55C904F8ABFB8FB5A750F004227FC1693A50D735A810CB94
            APIs
            • __EH_prolog3.LIBCMT ref: 6C2035E6
            • GetClassNameW.USER32(?,00000000,00000400), ref: 6C203617
            • GetWindowLongW.USER32(?,000000F0), ref: 6C203650
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClassH_prolog3LongNameWindow
            • String ID: ComboBox$ComboBoxEx32
            • API String ID: 297531199-1907415764
            • Opcode ID: 20ace2495365d3074487704c4100095187287aa52f33a64fd099366c54855cba
            • Instruction ID: 37122a59561e529e271ed9df7d87d9f7ea6368dde0d8581a2bd99a041f5ae872
            • Opcode Fuzzy Hash: 20ace2495365d3074487704c4100095187287aa52f33a64fd099366c54855cba
            • Instruction Fuzzy Hash: C101D232505216ABEB009B55CC94FEEB374BF11379F500619E52163BD0DF34A409CA58
            APIs
            • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E21D85
            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E21D92
            • _CxxThrowException.VCRUNTIME140(?,00E227B4), ref: 00E21E99
            • _CxxThrowException.VCRUNTIME140(?,00E22808), ref: 00E21EB6
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780458776.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
            • Associated: 00000003.00000002.1780443399.0000000000E20000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780486959.0000000000E23000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E24000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E66000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_e20000_Update.jbxd
            Similarity
            • API ID: ExceptionThrow$_callnewhmalloc
            • String ID: Unknown exception
            • API String ID: 4113974480-410509341
            • Opcode ID: 3aff7a7b756e97905010a9becab8554a0c99c8531687c8bd788a9e75d86f772d
            • Instruction ID: f2f1845c19a47327b204e44f33362504cd5429dc6c61be9d1419ca027141683e
            • Opcode Fuzzy Hash: 3aff7a7b756e97905010a9becab8554a0c99c8531687c8bd788a9e75d86f772d
            • Instruction Fuzzy Hash: 9BF0F43460432CB2CB04BAA8FD069A973AC5E20315BA0A1F8F924B2091EBB1EB15C1C0
            APIs
            • FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6C360D9C,?,6C25DCA3,?,?,?,00000038,6C25B38E), ref: 6C25F98F
            • LoadResource.KERNEL32(00000000,00000000,?,6C360D9C,?,6C25DCA3,?,?,?,00000038,6C25B38E), ref: 6C25F99D
            • LockResource.KERNEL32(00000000,?,6C360D9C,?,6C25DCA3,?,?,?,00000038,6C25B38E), ref: 6C25F9A8
            • SizeofResource.KERNEL32(00000000,00000000,?,6C360D9C,?,6C25DCA3,?,?,?,00000038,6C25B38E), ref: 6C25F9B6
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Resource$FindLoadLockSizeof
            • String ID: PNG
            • API String ID: 3473537107-364855578
            • Opcode ID: 2cdb762588eebf61ec59ab977de6b825528c8efc55a72e8ee622f2b3a4d02636
            • Instruction ID: b093eea76e2ef8f3ce6d9a617f67b9d737a268f71a757d28f8f1af45d3f3c478
            • Opcode Fuzzy Hash: 2cdb762588eebf61ec59ab977de6b825528c8efc55a72e8ee622f2b3a4d02636
            • Instruction Fuzzy Hash: 12F06DB7601A1ABB9B019FA58C48C9F7BBCDF8A6663104126FD02E3600EA71D91087B0
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F0C0CBE2,?,?,00000000,6C344D80,000000FF,?,6C328DEC,6C328CC6,?,6C328E88,00000000), ref: 6C328D60
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C328D72
            • FreeLibrary.KERNEL32(00000000,?,?,00000000,6C344D80,000000FF,?,6C328DEC,6C328CC6,?,6C328E88,00000000), ref: 6C328D94
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 33fa6238656938d2f7714edbfb845f8a7a620d9ffe6505f2aa985cdef97c8120
            • Instruction ID: 93d68f104f159fe855409cb82f0550768a2e0181e989eb29f0fed769e7364515
            • Opcode Fuzzy Hash: 33fa6238656938d2f7714edbfb845f8a7a620d9ffe6505f2aa985cdef97c8120
            • Instruction Fuzzy Hash: 00018B32A05559EFDF129F50CC04FAE7BBCFB05715F004A29F823A2690DB799900CE90
            APIs
            • DecodePointer.KERNEL32(00000000), ref: 6C1FFC0C
              • Part of subcall function 6C1E3CA8: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C1E3CCE
              • Part of subcall function 6C1E3CA8: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C1E3CDE
              • Part of subcall function 6C1E3CA8: EncodePointer.KERNEL32(00000000), ref: 6C1E3CE7
            • GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 6C1FFBF5
            • EncodePointer.KERNEL32(00000000), ref: 6C1FFBFE
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
            • String ID: DwmDefWindowProc$dwmapi.dll
            • API String ID: 1102202064-234806475
            • Opcode ID: e40a2c17daa59f7b7f51f768fd54dd887b9b4c48efb1b448157b9b6e537a56e0
            • Instruction ID: 193d8a16c4b60ace3edab94497a90c410c11035343b7e0ce9f8cbf84c62bdf1c
            • Opcode Fuzzy Hash: e40a2c17daa59f7b7f51f768fd54dd887b9b4c48efb1b448157b9b6e537a56e0
            • Instruction Fuzzy Hash: 65F01D3660562AABCF125E659E14C9A3FFCAF1A6D57000421FD27D2A10EB75C912CFA4
            APIs
            • DecodePointer.KERNEL32(00000000), ref: 6C1FFCD0
              • Part of subcall function 6C1E3CA8: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C1E3CCE
              • Part of subcall function 6C1E3CA8: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C1E3CDE
              • Part of subcall function 6C1E3CA8: EncodePointer.KERNEL32(00000000), ref: 6C1E3CE7
            • GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 6C1FFCB9
            • EncodePointer.KERNEL32(00000000), ref: 6C1FFCC2
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
            • String ID: DwmSetWindowAttribute$dwmapi.dll
            • API String ID: 1102202064-3105884578
            • Opcode ID: 417d2f894457b9b7a85c875c5b1816b896a4f9ad74b4ca346390874982e7f3f7
            • Instruction ID: d0cc3910bfc83ac1c019e75c83b751fdb90ac166cbbaefa834147b077df84351
            • Opcode Fuzzy Hash: 417d2f894457b9b7a85c875c5b1816b896a4f9ad74b4ca346390874982e7f3f7
            • Instruction Fuzzy Hash: 7BF09072642627ABCF121F65CE28D9E3BFCAB592953000011FD3A96A50EB35C802CEA0
            APIs
            • DecodePointer.KERNEL32(00000000), ref: 6C1FFDF3
              • Part of subcall function 6C1E3CA8: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C1E3CCE
              • Part of subcall function 6C1E3CA8: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C1E3CDE
              • Part of subcall function 6C1E3CA8: EncodePointer.KERNEL32(00000000), ref: 6C1E3CE7
            • GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6C1FFDDC
            • EncodePointer.KERNEL32(00000000), ref: 6C1FFDE5
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
            • String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
            • API String ID: 1102202064-1757063745
            • Opcode ID: 84b6716812ce229faf4253bc08b35ab73c861c2dc53d277472aa6282645b3ff2
            • Instruction ID: 244ce3db705b39b40e31a32b24c9a9ea4463b8287df6f54de90021eb560a13c2
            • Opcode Fuzzy Hash: 84b6716812ce229faf4253bc08b35ab73c861c2dc53d277472aa6282645b3ff2
            • Instruction Fuzzy Hash: 10F0B432642217ABCF121FA99D0899A3BFCAB197557010415FC36D7A12EB75CC22CBA0
            APIs
            • DecodePointer.KERNEL32(00000000,?,?,6C1F8594,6C3B025C,0000002C), ref: 6C1FFC71
              • Part of subcall function 6C1E3CA8: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C1E3CCE
              • Part of subcall function 6C1E3CA8: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C1E3CDE
              • Part of subcall function 6C1E3CA8: EncodePointer.KERNEL32(00000000), ref: 6C1E3CE7
            • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6C1FFC5A
            • EncodePointer.KERNEL32(00000000,?,?,6C1F8594,6C3B025C,0000002C), ref: 6C1FFC63
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
            • String ID: DwmIsCompositionEnabled$dwmapi.dll
            • API String ID: 1102202064-1198327662
            • Opcode ID: d9c82e82898c46d0d87109993e338e0c77b5498755e89f29f064988ae0dfbaa5
            • Instruction ID: 53529757f9bf589f04dff85997de7eb87f8853ad2663696cdd2b323f1ae5dd36
            • Opcode Fuzzy Hash: d9c82e82898c46d0d87109993e338e0c77b5498755e89f29f064988ae0dfbaa5
            • Instruction Fuzzy Hash: 80F08936645726ABCF125F75CA18E9D3BFCAB1A395B010511FC36D7A00EB74C802CAA4
            APIs
            • DecodePointer.KERNEL32(00000000), ref: 6C1FFD35
              • Part of subcall function 6C1E3CA8: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C1E3CCE
              • Part of subcall function 6C1E3CA8: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C1E3CDE
              • Part of subcall function 6C1E3CA8: EncodePointer.KERNEL32(00000000), ref: 6C1E3CE7
            • GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6C1FFD1E
            • EncodePointer.KERNEL32(00000000), ref: 6C1FFD27
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
            • String ID: DwmSetIconicThumbnail$dwmapi.dll
            • API String ID: 1102202064-2331651847
            • Opcode ID: d2ccac9b3b235fc0e88ac4a5c2067245bfd8f8015092bb886fbf35d60ea96123
            • Instruction ID: 1d3d5005abb4d0d99a4cba4396ed5f00a65f7c614a8f0ae2b571ae76bdcbacd5
            • Opcode Fuzzy Hash: d2ccac9b3b235fc0e88ac4a5c2067245bfd8f8015092bb886fbf35d60ea96123
            • Instruction Fuzzy Hash: 19F08975642616ABCF111F658D0889E3FFCAB5A3953000411FD36D7A14EB75C802CEA4
            APIs
            • DecodePointer.KERNEL32(00000000), ref: 6C1FFD97
              • Part of subcall function 6C1E3CA8: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C1E3CCE
              • Part of subcall function 6C1E3CA8: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C1E3CDE
              • Part of subcall function 6C1E3CA8: EncodePointer.KERNEL32(00000000), ref: 6C1E3CE7
            • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6C1FFD80
            • EncodePointer.KERNEL32(00000000), ref: 6C1FFD89
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
            • String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
            • API String ID: 1102202064-1901905683
            • Opcode ID: f4b0d5ecd2812974276e2506df10ed0c7202909ce215a3e1820e19239f9623a8
            • Instruction ID: 211ddfb3c2a7410ac46746d28e4c155ff629bea9bd3df7694d9ebe3059f8bcd8
            • Opcode Fuzzy Hash: f4b0d5ecd2812974276e2506df10ed0c7202909ce215a3e1820e19239f9623a8
            • Instruction Fuzzy Hash: 59F0A73364271A678F221E65890899D3BFC5F5A3953050021FD37D7A04EB64C802CEE4
            APIs
            • AcquireSRWLockExclusive.KERNEL32(6C3AE068,ios_base::badbit set,ios_base::failbit set,?,6C1C2116,6C3ADE84,6C1C1FA3), ref: 6C1D9656
            • ReleaseSRWLockExclusive.KERNEL32(6C3AE068,?,6C1C2116,6C3ADE84,6C1C1FA3), ref: 6C1D9690
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ExclusiveLock$AcquireRelease
            • String ID: h:l$ios_base::badbit set$ios_base::failbit set
            • API String ID: 17069307-2676139136
            • Opcode ID: dc10f44a15cf0d67289a8463bdcb39e05a01550129376bd4bb62de5036586a44
            • Instruction ID: bbd77b3d102e69df12122d63ed1b3f5c1514ba722196019fad001c0912b9e474
            • Opcode Fuzzy Hash: dc10f44a15cf0d67289a8463bdcb39e05a01550129376bd4bb62de5036586a44
            • Instruction Fuzzy Hash: 3DF08234600200CBCB109F66D464A69B7BCEB46735F12425BF96543A90DB342853CBA1
            APIs
            • AcquireSRWLockExclusive.KERNEL32(6C3AE068,ios_base::failbit set,?,6C1C2139,6C3ADE84,?,?,?,?,?,?,6C1C2967,00000000,00000000), ref: 6C1D96A4
            • ReleaseSRWLockExclusive.KERNEL32(6C3AE068,?,6C1C2139,6C3ADE84,?,?,?,?,?,?,6C1C2967,00000000,00000000), ref: 6C1D96D7
            • WakeAllConditionVariable.KERNEL32(6C3AE064,?,6C1C2139,6C3ADE84,?,?,?,?,?,?,6C1C2967,00000000,00000000), ref: 6C1D96E2
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
            • String ID: h:l$ios_base::failbit set
            • API String ID: 1466638765-2049839305
            • Opcode ID: 38977164f2aa5a65bec3e0ba08bf2e3603b29755108144221fff75937893fede
            • Instruction ID: bedc4c35386442ee363da8d11890328917c32dd6d99ec7fcdb18ab6e62931616
            • Opcode Fuzzy Hash: 38977164f2aa5a65bec3e0ba08bf2e3603b29755108144221fff75937893fede
            • Instruction Fuzzy Hash: C4F03934A10240DFCB08DF9AE44899977BDFB0B301B01805BFA0583700DB79A821CFA2
            APIs
            • __EH_prolog3_catch.LIBCMT ref: 6C1EA89C
            • GlobalLock.KERNEL32(00000000), ref: 6C1EA99E
            • DestroyWindow.USER32(00000000,?,00000000,00000000,6C1EB463,00000000,?,?,00000024), ref: 6C1EAA87
            • GlobalUnlock.KERNEL32(00000000), ref: 6C1EAA94
            • GlobalFree.KERNEL32(00000000), ref: 6C1EAA9B
              • Part of subcall function 6C206164: GetStockObject.GDI32(00000011), ref: 6C206186
              • Part of subcall function 6C206164: GetStockObject.GDI32(0000000D), ref: 6C206192
              • Part of subcall function 6C206164: GetObjectW.GDI32(00000000,0000005C,?), ref: 6C2061A3
              • Part of subcall function 6C206164: GetDC.USER32(00000000), ref: 6C2061B2
              • Part of subcall function 6C206164: GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C2061C9
              • Part of subcall function 6C206164: MulDiv.KERNEL32(?,00000048,00000000), ref: 6C2061D5
              • Part of subcall function 6C206164: ReleaseDC.USER32(00000000,00000000), ref: 6C2061E1
              • Part of subcall function 6C206276: GlobalFree.KERNEL32(?), ref: 6C20627D
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Global$Object$FreeStock$CapsDestroyDeviceH_prolog3_catchLockReleaseUnlockWindow
            • String ID:
            • API String ID: 15253214-0
            • Opcode ID: 6a10d3c797a6ed8f15d7fcae0e9c24f09b2253c7da3544b908906930451aa558
            • Instruction ID: db97a1320f70169a4dbc47d2f055dc2e669d9857e28d71fcadbfb0dc51743f38
            • Opcode Fuzzy Hash: 6a10d3c797a6ed8f15d7fcae0e9c24f09b2253c7da3544b908906930451aa558
            • Instruction Fuzzy Hash: ED516F30E01A19DFDF01DFA4C994AEEBBB4BF18318F154159E811EB790DB349A05CBA0
            APIs
            • GetClientRect.USER32(?,?), ref: 6C2171FF
              • Part of subcall function 6C1DD2B5: ClientToScreen.USER32(?,6C217210), ref: 6C1DD2C4
              • Part of subcall function 6C1DD2B5: ClientToScreen.USER32(?,6C217218), ref: 6C1DD2D1
            • PtInRect.USER32(?,00000000,?), ref: 6C217219
            • PtInRect.USER32(?,?,?), ref: 6C217292
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClientRect$Screen
            • String ID:
            • API String ID: 3187875807-0
            • Opcode ID: fb56adc0a17da76e4ada2f32e516704a27e23e5fe0bf97d5021f71079765aa3a
            • Instruction ID: d9e88e1c38f1030933da60a7685448c99225f04dd65ab8065915f6f9dba2a334
            • Opcode Fuzzy Hash: fb56adc0a17da76e4ada2f32e516704a27e23e5fe0bf97d5021f71079765aa3a
            • Instruction Fuzzy Hash: DB413F31A0410EDFCF11CFA8CA84A9EB7F9EF49705F100565FE45EBA44E671AA45CB60
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1FA776
              • Part of subcall function 6C1DD1DC: __EH_prolog3.LIBCMT ref: 6C1DD1E3
              • Part of subcall function 6C1DD1DC: GetWindowDC.USER32(00000000,00000004,6C1F78A0,00000000), ref: 6C1DD20F
              • Part of subcall function 6C1DC9D1: SetMapMode.GDI32(?,?), ref: 6C1DC9E5
              • Part of subcall function 6C1DC9D1: SetMapMode.GDI32(?,?), ref: 6C1DC9F7
            • LPtoDP.GDI32(?,?,00000001), ref: 6C1FA7DA
            • LPtoDP.GDI32(?,?,00000001), ref: 6C1FA7F9
            • LPtoDP.GDI32(?,?,00000001), ref: 6C1FA818
            • InvalidateRect.USER32(?,00000000,00000001), ref: 6C1FA8DC
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3Mode$InvalidateRectWindow
            • String ID:
            • API String ID: 1124340077-0
            • Opcode ID: a59f06d50a875c75c2d831832057aa8fa97f3440e7a382b93c4e6735abd65d62
            • Instruction ID: e780bd25b41ef9aaaeec28ab6c398bc7382d941449f0f9896ab0506c47f6f6b4
            • Opcode Fuzzy Hash: a59f06d50a875c75c2d831832057aa8fa97f3440e7a382b93c4e6735abd65d62
            • Instruction Fuzzy Hash: B741E574600709DFDB24CF79C480B9AB7F1BB4A315F10892DE5AADB750E774A812CB20
            APIs
            • GetCursorPos.USER32(00000000), ref: 6C1E00C0
            • GetKeyState.USER32(00000011), ref: 6C1E00C8
            • ScreenToClient.USER32(?,00000000), ref: 6C1E0160
            • ClientToScreen.USER32(?,00000000), ref: 6C1E01AD
            • SetCursorPos.USER32(00000000,00000000), ref: 6C1E01B9
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClientCursorScreen$State
            • String ID:
            • API String ID: 3982492586-0
            • Opcode ID: fda0988fa9ccf6279e850ca33096ef30099d552efa8eec8f3ab9bcecdc343f58
            • Instruction ID: e6ceb56b6344f4be610843715417f905b9861e69427c3043d730b6ccfc15dff4
            • Opcode Fuzzy Hash: fda0988fa9ccf6279e850ca33096ef30099d552efa8eec8f3ab9bcecdc343f58
            • Instruction Fuzzy Hash: E331A572601945EBCB0C8F78C895BADBBB5FB4F315F11426AE413EB990DB74DA40AB40
            APIs
              • Part of subcall function 6C1DB445: GetParent.USER32(?), ref: 6C1DB448
              • Part of subcall function 6C1DB445: GetParent.USER32(00000000), ref: 6C1DB44F
            • GetWindowLongW.USER32(?,000000EC), ref: 6C1DBA33
            • RedrawWindow.USER32(?,00000000,00000000,00000081), ref: 6C1DBA87
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 6C1DBA96
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137), ref: 6C1DBAAC
            • GetClientRect.USER32(?,?), ref: 6C1DBAC0
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$LongParent$ClientRectRedraw
            • String ID:
            • API String ID: 556606033-0
            • Opcode ID: 3047e6ff19b2c583e5ac78b209a6ad2e8d09467f0f33a1de16ed3b00a670affb
            • Instruction ID: 3c3a3ae170f66649d010c1f332ab0e783319a496ee40e060c8c0bf53b0ebe181
            • Opcode Fuzzy Hash: 3047e6ff19b2c583e5ac78b209a6ad2e8d09467f0f33a1de16ed3b00a670affb
            • Instruction Fuzzy Hash: 5D21F132700615BBEF019EA48880AAE76BCEF59399F124275E823D73A0DB65ED118780
            APIs
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
              • Part of subcall function 6C1DB445: GetParent.USER32(?), ref: 6C1DB448
              • Part of subcall function 6C1DB445: GetParent.USER32(00000000), ref: 6C1DB44F
            • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6C1DB745
            • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C1DB76E
            • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C1DB78D
            • SendMessageW.USER32(?,00000222,?,00000000), ref: 6C1DB7A7
            • SendMessageW.USER32(?,00000222,00000000,?), ref: 6C1DB7D0
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSend$Parent$LongWindow
            • String ID:
            • API String ID: 4191550487-0
            • Opcode ID: 92c22152b5176cbde9ca36b80aedd28b818a2a7dc12bc959d8da767c239cd3c7
            • Instruction ID: 713d91305e85007744ae4cb7aca4026d8810418008178194a7b649d636307d9b
            • Opcode Fuzzy Hash: 92c22152b5176cbde9ca36b80aedd28b818a2a7dc12bc959d8da767c239cd3c7
            • Instruction Fuzzy Hash: F721AE72200608BFEB159F60CCC8FAEB7BDFB08399F010219E59296AE1DB75FD558650
            APIs
            • IsWindow.USER32(00000000), ref: 6C1E2249
            • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C1E225D
            • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C1E2270
            • SetWindowLongW.USER32(?,000000F0,?), ref: 6C1E22A7
            • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C1E22BC
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSendWindow$Long
            • String ID:
            • API String ID: 3430364388-0
            • Opcode ID: 4559f28d0de1bce9246a528fcd0a7372dee60ab0c517a2fe9fc2bbbfdcfc8820
            • Instruction ID: af9f67ec097c6f66f72a06698e72f40a947a35fdb59099a369c77974c7901b6b
            • Opcode Fuzzy Hash: 4559f28d0de1bce9246a528fcd0a7372dee60ab0c517a2fe9fc2bbbfdcfc8820
            • Instruction Fuzzy Hash: 9D21A471701A06AFEB054FA4CC98B6EBBBDFB49716F10822DB556E7690DB719C04CB10
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 6C208941
            • SetWindowsHookExW.USER32(00000007,6C20F8A4,00000000,00000000), ref: 6C208951
            • UnhookWindowsHookEx.USER32(00000000), ref: 6C208969
            • UpdateWindow.USER32(?), ref: 6C2089E1
            • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C2089FD
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: HookWindows$CurrentMessageSendThreadUnhookUpdateWindow
            • String ID:
            • API String ID: 1891640330-0
            • Opcode ID: e37c228b365f035854ce3b092efec5f137a8b5077d128110791ac3272adce4fe
            • Instruction ID: f5d89571d3cc4d4f429081b821a4d6214e3e3e8cdbc2b53586be378d1397934e
            • Opcode Fuzzy Hash: e37c228b365f035854ce3b092efec5f137a8b5077d128110791ac3272adce4fe
            • Instruction Fuzzy Hash: 3D21D831344A1B9FDB00AF14CD04B6A7BB8BF45726F100217F92993BA0CB30A841CB95
            APIs
              • Part of subcall function 6C1FC870: EnterCriticalSection.KERNEL32(6C3B0410,?,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8A1
              • Part of subcall function 6C1FC870: InitializeCriticalSection.KERNEL32(00000000,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8B7
              • Part of subcall function 6C1FC870: LeaveCriticalSection.KERNEL32(6C3B0410,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8C5
              • Part of subcall function 6C1FC870: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8D2
            • SetCursor.USER32(00000009), ref: 6C1DF65C
            • LoadCursorW.USER32(?,00007905), ref: 6C1DF6A1
            • LoadCursorW.USER32(00000000,00007F85), ref: 6C1DF6B7
            • SetCursor.USER32(?,?,00000009), ref: 6C1DF6D0
            • DestroyCursor.USER32(00000000), ref: 6C1DF6DB
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Cursor$CriticalSection$EnterLoad$DestroyInitializeLeave
            • String ID:
            • API String ID: 900973665-0
            • Opcode ID: 9ca760e59ad63c051d966cacd3cb340cc32b9267fb9c611886ea6cdbd438e1f4
            • Instruction ID: 0abc58cc1e4a8ee6b47b067998756ff58700f3fb9395906d455acf92af3186bb
            • Opcode Fuzzy Hash: 9ca760e59ad63c051d966cacd3cb340cc32b9267fb9c611886ea6cdbd438e1f4
            • Instruction Fuzzy Hash: B411CD71F052169BDF00AEA4C484F4A3A78E706309F270522F538C7E60E738E9628BA1
            APIs
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
            • SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6C1ED1FF
            • SendMessageW.USER32(?,00000086,00000000,00000000), ref: 6C1ED218
            • GetDesktopWindow.USER32 ref: 6C1ED220
            • SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 6C1ED240
            • GetWindow.USER32(00000000), ref: 6C1ED249
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSendWindow$DesktopLong
            • String ID:
            • API String ID: 2272707703-0
            • Opcode ID: aca260e1f6eed7c4ca5bd244facef1b941cd80893b82b4e931cd38d7a6f78e75
            • Instruction ID: 3b065c932b89961c8a9c3860493b40df83f2cd6cc5afabaf348cd6393fcc1f55
            • Opcode Fuzzy Hash: aca260e1f6eed7c4ca5bd244facef1b941cd80893b82b4e931cd38d7a6f78e75
            • Instruction Fuzzy Hash: 62110831241E067BE7222E648C44FAE3B6DAF8A799F104214BD65C5D90DF65D841C790
            APIs
            • IsWindow.USER32(00000000), ref: 6C1E2084
            • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C1E2098
            • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C1E20AB
            • SetWindowLongW.USER32(?,000000F0,?), ref: 6C1E20CA
            • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C1E20E0
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSendWindow$Long
            • String ID:
            • API String ID: 3430364388-0
            • Opcode ID: f8fcc8722bdc296a0967ae04d6be0d30c3d14b011c7926fe76477671e883497e
            • Instruction ID: c3dae60330b7ab37903719f358f60167455a45f8941383c529fba5c81e765243
            • Opcode Fuzzy Hash: f8fcc8722bdc296a0967ae04d6be0d30c3d14b011c7926fe76477671e883497e
            • Instruction Fuzzy Hash: D411B171741A01BFEB200F65CC18F5FBBBDBB85706F104219B112D66E0EBB19844CB60
            APIs
            • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 6C1F3D0D
            • RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 6C1F3D2D
            • RegCloseKey.ADVAPI32(00000000), ref: 6C1F3D5E
              • Part of subcall function 6C1F40B3: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C1F4158
              • Part of subcall function 6C1F40B3: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C1F4167
            • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6C1F3D55
            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C1F3D79
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Close$DeleteValue$PrivateProfileStringWrite
            • String ID:
            • API String ID: 222425065-0
            • Opcode ID: 5a6cff716b06195b9a7ac40ad69108bddc01bb211bd74915b7e8839fc6bbc21b
            • Instruction ID: e1b6052a58aa70601114ebe8d651c84661565bee5074a14a2fa4316827c4117d
            • Opcode Fuzzy Hash: 5a6cff716b06195b9a7ac40ad69108bddc01bb211bd74915b7e8839fc6bbc21b
            • Instruction Fuzzy Hash: 5311EC3B502665BBCB121E648C04E8F3BBDEF963A5B914524F9289B500EB32C81387F1
            APIs
            • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6C1EF36B
            • GlobalAddAtomW.KERNEL32(?), ref: 6C1EF378
            • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6C1EF392
            • GlobalAddAtomW.KERNEL32(?), ref: 6C1EF39F
            • SendMessageW.USER32(00000000,000003E4,00000000,?), ref: 6C1EF3C4
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AtomGlobal$Name$MessageSend
            • String ID:
            • API String ID: 1515195355-0
            • Opcode ID: bf14760d8d760e1ec7b064f2bfbae039f3a50846aaf0b3441b01e7786a5f5dc7
            • Instruction ID: c8b7e7fbc114fcf6fdb91f78d37f5053c0db0506c014297ad2f3ba3e80660403
            • Opcode Fuzzy Hash: bf14760d8d760e1ec7b064f2bfbae039f3a50846aaf0b3441b01e7786a5f5dc7
            • Instruction Fuzzy Hash: 9E219371600A14EBDF149F75C818BFD73BCFB09705F10861AE86AC6581E774D985CBA0
            APIs
            • LocalAlloc.KERNEL32(00000000,00000000), ref: 6C1FEA11
            • LocalReAlloc.KERNEL32(00000000,00000000,00000002), ref: 6C1FEA1F
            • TlsSetValue.KERNEL32 ref: 6C1FEA50
            • LeaveCriticalSection.KERNEL32(6C1DB283,?,00000000,?,6C1E871F,?,?,?,6C1E3FF4,00000000,00000000,?,?,6C1EBF77,00000004,6C1DB283), ref: 6C1FEA6E
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AllocLocal$CriticalLeaveSectionValue
            • String ID:
            • API String ID: 901235349-0
            • Opcode ID: 97087fcc26e4371f1d5b92e4713f4bdbf3b72cd048fda5777ddc21b57890aafc
            • Instruction ID: e2d39c6fbb42d1ca92a5a8628b214925acd519fb6da610eff88b20e9114a397f
            • Opcode Fuzzy Hash: 97087fcc26e4371f1d5b92e4713f4bdbf3b72cd048fda5777ddc21b57890aafc
            • Instruction Fuzzy Hash: 75116D30201A02DFDB259F15C844A5A7BF5FF82319B14C529E86A9BB60DB31E946CF91
            APIs
            • GetModuleHandleA.KERNEL32(?), ref: 6C1D5049
            • FindResourceW.KERNEL32(00000000,?,?), ref: 6C1D5090
            • LoadResource.KERNEL32(00000000,00000000,?,?), ref: 6C1D509E
            • SizeofResource.KERNEL32(00000000,00000000,?,?), ref: 6C1D50A8
            • LockResource.KERNEL32(00000000,?,?), ref: 6C1D50B1
              • Part of subcall function 6C1D40A8: _strlen.LIBCMT ref: 6C1D4131
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Resource$FindHandleLoadLockModuleSizeof_strlen
            • String ID:
            • API String ID: 415223560-0
            • Opcode ID: d9d199ced74443ba06c096417091f4c6711bcd99368e0fa5a33491eeafec828e
            • Instruction ID: 330bab930ea9f61b9475ee4da61c7dbd19d02766321bbbdb4a7367c8acf77431
            • Opcode Fuzzy Hash: d9d199ced74443ba06c096417091f4c6711bcd99368e0fa5a33491eeafec828e
            • Instruction Fuzzy Hash: 8911C8E1A013409FE7011F308C08AA737BCEF52219F158124FD4A86202FB76E945C7A6
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C20FC23
            • GetWindowRect.USER32(00000000,00000000), ref: 6C20FC6C
            • CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C20FC96
            • SetWindowRgn.USER32(00000000,?,00000000), ref: 6C20FCAC
            • SetWindowRgn.USER32(00000000,00000000,00000000), ref: 6C20FCC4
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Rect$CreateH_prolog3_Round
            • String ID:
            • API String ID: 2502471913-0
            • Opcode ID: 6d50b1a4be18ff002bda8af8e111cedbad54a459235bb7c39e0c2689bd3f8b55
            • Instruction ID: 9b623f707c7e78926bb6ed3ca07012f5fffad0af076e170711536e0e5943798f
            • Opcode Fuzzy Hash: 6d50b1a4be18ff002bda8af8e111cedbad54a459235bb7c39e0c2689bd3f8b55
            • Instruction Fuzzy Hash: 2E117F75A4060EEFDF04DFA4C884AEEBB79FF0934AF14021AE915A2650DB319D40CB64
            APIs
            • IsWindow.USER32(?), ref: 6C1E0BD6
            • SendMessageW.USER32(?,00000420,00000000,0000E800), ref: 6C1E0BFA
            • SendMessageW.USER32(?,0000041F,00000000,0000E800), ref: 6C1E0C17
            • SendMessageW.USER32(?,0000043A,00000000,00000000), ref: 6C1E0C33
            • InvalidateRect.USER32(?,00000000,00000001,?,6C1E0BBA,?,?,?,?,ToolbarWindow32,00000000,?,?,?,0000E800,00000000), ref: 6C1E0C51
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSend$InvalidateRectWindow
            • String ID:
            • API String ID: 3225880595-0
            • Opcode ID: 631cdfbc104f245c13a0f907f9b7273ead315995f59fe3f36d0d741d853b1749
            • Instruction ID: 7e2d1a28250b017276a469fffa652c7d9db7e81191027d9c5c5307ee4c50c7fb
            • Opcode Fuzzy Hash: 631cdfbc104f245c13a0f907f9b7273ead315995f59fe3f36d0d741d853b1749
            • Instruction Fuzzy Hash: A8112871140754AFEB548F25C804FBB7BF9FB89742F00892EF99B96150EB71A850DB24
            APIs
            • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6C1ED77A
            • PostMessageW.USER32(?,00000367,00000000,00000000), ref: 6C1ED78A
            • GetCapture.USER32 ref: 6C1ED790
            • ReleaseCapture.USER32 ref: 6C1ED79C
            • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C1ED7C3
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Message$CapturePost$PeekRelease
            • String ID:
            • API String ID: 1125932295-0
            • Opcode ID: e9168dbfd8d4fa7f4727ef8b3bf56d426d5832ec5eeb9ff1964c7190ed0a988c
            • Instruction ID: ca11ec1cf1690cb39dfaea8eb381e094230a2ffd8f6238882fd305ccbb76a665
            • Opcode Fuzzy Hash: e9168dbfd8d4fa7f4727ef8b3bf56d426d5832ec5eeb9ff1964c7190ed0a988c
            • Instruction Fuzzy Hash: 2501AD31A00A04AFEB116F338C48E6B7BBCFBD9B0EF000629F54AD2551E731A801CB61
            APIs
            • GetDC.USER32(?), ref: 6C1DDE1E
              • Part of subcall function 6C1F9DA1: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C1F9DE8
              • Part of subcall function 6C1F9DA1: CreatePatternBrush.GDI32(00000000), ref: 6C1F9DF5
              • Part of subcall function 6C1F9DA1: DeleteObject.GDI32(00000000), ref: 6C1F9E01
            • SelectObject.GDI32(?,?), ref: 6C1DDE3D
            • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6C1DDE62
            • SelectObject.GDI32(?,00000000), ref: 6C1DDE70
            • ReleaseDC.USER32(?,?), ref: 6C1DDE7C
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$CreateSelect$BitmapBrushDeletePatternRelease
            • String ID:
            • API String ID: 2474928807-0
            • Opcode ID: 8689acb82be8a30632b06ee44f595332beca2ae35fd57215352accd2ffe738d7
            • Instruction ID: 4ff5ea66fb77b88dd299a7f88f7f39c85db8b753a08831df792c45fa9a6180fb
            • Opcode Fuzzy Hash: 8689acb82be8a30632b06ee44f595332beca2ae35fd57215352accd2ffe738d7
            • Instruction Fuzzy Hash: C6018F32201200AFCB416FA5CC48C567FBDFF8A7563158168F519C6521DB33E812DB20
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1F598C
            • std::_Lockit::_Lockit.LIBCPMT ref: 6C1F5997
            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C1F5A05
              • Part of subcall function 6C1F588E: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C1F58A6
            • std::locale::_Setgloballocale.LIBCPMT ref: 6C1F59B2
            • _Yarn.LIBCPMT ref: 6C1F59C8
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
            • String ID:
            • API String ID: 1088826258-0
            • Opcode ID: 0bc1c93651d2ae000a4c8387e8a257ae09f080a903393a9ced99563f53b61eb5
            • Instruction ID: 1b62213c5fff8b84dd696e3bb90f95d758e6b2401b9e9489a1a26baa1afa93a7
            • Opcode Fuzzy Hash: 0bc1c93651d2ae000a4c8387e8a257ae09f080a903393a9ced99563f53b61eb5
            • Instruction Fuzzy Hash: B601FD76A006249BCB06DF60C850BBC7BFAFF85244B188009D8225BB80CF34AE17CBC1
            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 6C263B06
            • SetClassLongW.USER32(?,000000F6,00000000), ref: 6C263B12
            • GetWindowRect.USER32(?,?), ref: 6C263B30
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: BrushClassColorLongRectWindow
            • String ID: 0^6l
            • API String ID: 3059706247-2052429825
            • Opcode ID: 62fe1653c0ccbf436e95419e17b5d97bbd9b6dc98736d9cce3911222e92055b8
            • Instruction ID: 95cfbecaaf3aa0e2c79f99c68f2d118cc20de3d80a8b9b4d24a7b723598ae907
            • Opcode Fuzzy Hash: 62fe1653c0ccbf436e95419e17b5d97bbd9b6dc98736d9cce3911222e92055b8
            • Instruction Fuzzy Hash: 2C611775A002199FDF04DFA9C894AEEBBF9BF49314F14416AEC16EB740DB309851CBA1
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C20CBE5
            • SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 6C20CC10
            • SendMessageW.USER32(?,0000043A,-00000001,00000030), ref: 6C20CC58
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSend$H_prolog3_
            • String ID: 0
            • API String ID: 3491702567-4108050209
            • Opcode ID: 8440a50d5dcc54b283c790539807a38636c9ea736903a89a7cc845aa9e6db145
            • Instruction ID: 93ea2e8a2ea18e194b1f4a85966f0e894cac88d4c5cfe6af830ab6ff056c829c
            • Opcode Fuzzy Hash: 8440a50d5dcc54b283c790539807a38636c9ea736903a89a7cc845aa9e6db145
            • Instruction Fuzzy Hash: 7E318075700219AFDB14DB64CC84FE9B778FF45708F000299E559A6A90DB706985CF62
            APIs
            • __EH_prolog3.LIBCMT ref: 6C20A0B9
              • Part of subcall function 6C257770: __EH_prolog3.LIBCMT ref: 6C257777
              • Part of subcall function 6C1F4F59: GetDlgCtrlID.USER32(?), ref: 6C1F4F64
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3$Ctrl
            • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
            • API String ID: 3879667756-2016111687
            • Opcode ID: 7a6e0ceb7fa01c3ca6a3e3f3353ac3ebb11b0307cd63d6384c307064374aaa06
            • Instruction ID: c2f83cb40dbca1387857b1f45d16c1ce661409a4e045f25e376f535eb2274756
            • Opcode Fuzzy Hash: 7a6e0ceb7fa01c3ca6a3e3f3353ac3ebb11b0307cd63d6384c307064374aaa06
            • Instruction Fuzzy Hash: 0B21A171A0021ADBDF00DFA4C890AFEB775BF55318F14456AE8216B781DB74AE09CB91
            APIs
            • __EH_prolog3.LIBCMT ref: 6C20A197
              • Part of subcall function 6C257770: __EH_prolog3.LIBCMT ref: 6C257777
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3
            • String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
            • API String ID: 431132790-953485693
            • Opcode ID: bf699a6f7a4afc472f389a77f293da80b00171e312ab27c465c61b6ccd129409
            • Instruction ID: c06f707673106230a8578e3c7c8abb8cbcc161811ab41f2d2bcb2feb0b0ee2eb
            • Opcode Fuzzy Hash: bf699a6f7a4afc472f389a77f293da80b00171e312ab27c465c61b6ccd129409
            • Instruction Fuzzy Hash: 02212F75B002199FDF04DFA4C890AEEBBB5BF54304F104469E502AB781DB79A909CF51
            APIs
              • Part of subcall function 6C1E391F: LoadLibraryW.KERNEL32(00000000,6C39A398,00000010,6C1F98F4,comctl32.dll,?), ref: 6C1E3960
            • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6C1F9908
            • FreeLibrary.KERNEL32(00000000), ref: 6C1F9954
              • Part of subcall function 6C1F9507: GetLastError.KERNEL32(6C1F98FF,comctl32.dll,?,?,00001000,?,?,?), ref: 6C1F9507
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Library$AddressErrorFreeLastLoadProc
            • String ID: DllGetVersion$comctl32.dll
            • API String ID: 2540614322-3857068685
            • Opcode ID: 6880c4488e859ff257b7532ff0e18a50b71b7d9475696da8c72343e6c14b97fa
            • Instruction ID: 6ca8a3d9a1b6f4bce925abd63055b0729f6aa9471f91a66ca50d8d20853f83dc
            • Opcode Fuzzy Hash: 6880c4488e859ff257b7532ff0e18a50b71b7d9475696da8c72343e6c14b97fa
            • Instruction Fuzzy Hash: 6011C675A0460ADBCB11EFA9C855BDE7BF9BF86314F020029E525AB740DB34D905CBA1
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1F84C7
            • LoadCursorW.USER32(00000000,00007F00), ref: 6C1F84EB
            • GetClassInfoW.USER32(?,?,?), ref: 6C1F8526
              • Part of subcall function 6C1E8A78: __EH_prolog3_catch.LIBCMT ref: 6C1E8A7F
              • Part of subcall function 6C1E8A78: GetClassInfoW.USER32(?,?,?), ref: 6C1E8A91
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClassInfo$CursorH_prolog3H_prolog3_catchLoad
            • String ID: %Ts:%x:%x:%x:%x
            • API String ID: 937286869-4057404147
            • Opcode ID: f1af19d9d6546cab84849f8f008a91112e8980e1eddb95b7ea1005ea935e6601
            • Instruction ID: f4998a148cb77ffd0ee02b2dba975c683a4d7a79971e2c97460fa7a72433c5b1
            • Opcode Fuzzy Hash: f1af19d9d6546cab84849f8f008a91112e8980e1eddb95b7ea1005ea935e6601
            • Instruction Fuzzy Hash: 77212CB0E00208AFEB40DFA5C880BDEBBF4BF09308F10412AE558E7750D7755A458BA5
            APIs
              • Part of subcall function 6C1FC870: EnterCriticalSection.KERNEL32(6C3B0410,?,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8A1
              • Part of subcall function 6C1FC870: InitializeCriticalSection.KERNEL32(00000000,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8B7
              • Part of subcall function 6C1FC870: LeaveCriticalSection.KERNEL32(6C3B0410,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8C5
              • Part of subcall function 6C1FC870: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8D2
              • Part of subcall function 6C1FEBED: __EH_prolog3_catch.LIBCMT ref: 6C1FEBF4
              • Part of subcall function 6C1E3CA8: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C1E3CCE
              • Part of subcall function 6C1E3CA8: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C1E3CDE
              • Part of subcall function 6C1E3CA8: EncodePointer.KERNEL32(00000000), ref: 6C1E3CE7
            • GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6C1E8E7F
            • FreeLibrary.KERNEL32(?,?,?,6C1E4CCA,?,?,?,?,00000004,00000004), ref: 6C1E8E8F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CriticalSection$AddressEnterProc$EncodeFreeH_prolog3_catchHandleInitializeLeaveLibraryModulePointer
            • String ID: HtmlHelpW$hhctrl.ocx
            • API String ID: 849444252-3773518134
            • Opcode ID: 80fcb1e5c81bdfcefd5cbe028d2a93b6ee61a556dff5cd35190057b2ec41890c
            • Instruction ID: 18c747a62763689fb13742e12464f60b197c179e30950487f51fdccbb4235a5e
            • Opcode Fuzzy Hash: 80fcb1e5c81bdfcefd5cbe028d2a93b6ee61a556dff5cd35190057b2ec41890c
            • Instruction Fuzzy Hash: 9701A731500B1BABEB216FB5CC14B8B7AA5AF09758F008826F96BDBE50DB35D4109B51
            APIs
            • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,80070057), ref: 6C1F3921
            • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 6C1F3931
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: Advapi32.dll$RegCreateKeyTransactedW
            • API String ID: 1646373207-2994018265
            • Opcode ID: bc36880c17350af9d1742c6fb863c9f2c21b758f9a2b4f7f137e776996c99186
            • Instruction ID: d3e370f058156494c3711022212035371e02b148e0292e49b6695e3965723d21
            • Opcode Fuzzy Hash: bc36880c17350af9d1742c6fb863c9f2c21b758f9a2b4f7f137e776996c99186
            • Instruction Fuzzy Hash: 2C016932241209EBCF131F94DC04BEA3BBAFB99356F510129FA65924A0D772C462EB91
            APIs
            • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C1F4A75
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6C1F4A85
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: Advapi32.dll$RegDeleteKeyTransactedW
            • API String ID: 1646373207-2168864297
            • Opcode ID: d0a73bc701155e40f29af3fb829b737ebf2f1f58c53a194934f01c9e9d466659
            • Instruction ID: 09a092f849c107675f792698e1d8964d558d4b8d55286bc4691b8271f6ac044d
            • Opcode Fuzzy Hash: d0a73bc701155e40f29af3fb829b737ebf2f1f58c53a194934f01c9e9d466659
            • Instruction Fuzzy Hash: 1BF02437301109AFEF112EA4DC4487777EDEBA52AA710043AF56291600DA728C018B60
            APIs
            • GetWindowLongW.USER32(?,000000F0), ref: 6C1F9672
            • GetClassNameW.USER32(?,?,0000000A), ref: 6C1F9687
            • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 6C1F969E
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClassCompareLongNameStringWindow
            • String ID: combobox
            • API String ID: 1414938635-2240613097
            • Opcode ID: 6b63d2c93411880f73a10e32a8147073b217cad765bb92119c01a3d22729f072
            • Instruction ID: 7b959502633230d730f82929bd37daec8607394d9e47ae85f9fab4be11cfd257
            • Opcode Fuzzy Hash: 6b63d2c93411880f73a10e32a8147073b217cad765bb92119c01a3d22729f072
            • Instruction Fuzzy Hash: EAF0AF31659119AFCB02EF68CC46EAE77B8AB07724F500315F532E61C0EA65A502C795
            APIs
            • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C1F3991
            • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C1F39A1
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: Advapi32.dll$RegOpenKeyTransactedW
            • API String ID: 1646373207-3913318428
            • Opcode ID: 960746682f2d8e5296cbf27a768ce3c8587ed0ea1798f6ffdd6cca8a58720ad1
            • Instruction ID: 1765682098a9cd7c8063c8e674c0e481b893101f82382b9ee02c8ce3d117ef0b
            • Opcode Fuzzy Hash: 960746682f2d8e5296cbf27a768ce3c8587ed0ea1798f6ffdd6cca8a58720ad1
            • Instruction Fuzzy Hash: 7CF0F632300109EBCF121E55DC18B963BF9FB95756F500436FA6182850D732C453DBA1
            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,?,6C253572,?,00000000,?,00000024), ref: 6C2531BD
            • GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 6C2531CD
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: GetFileAttributesTransactedW$kernel32.dll
            • API String ID: 1646373207-1378992308
            • Opcode ID: f0c680b91997333f45054f72f725e25bd5859d53f5ee3572290f602fdabe49fd
            • Instruction ID: b0558e18db41aacaf70043e3d8342dfd6e271ab1d08b491e3cf2e6f137c7a13e
            • Opcode Fuzzy Hash: f0c680b91997333f45054f72f725e25bd5859d53f5ee3572290f602fdabe49fd
            • Instruction Fuzzy Hash: EBF0963120224FDFEF111F68DC44BA777E8FF0521AF504429F926C2850DBB28460CA60
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C1F8D80
            • SystemParametersInfoW.USER32(00000029,000001F8,?,00000000), ref: 6C1F8DDB
            • CreateFontIndirectW.GDI32(?), ref: 6C1F8DE8
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CreateFontH_prolog3_IndirectInfoParametersSystem
            • String ID: D}5l
            • API String ID: 3603398567-2402157744
            • Opcode ID: 6f2255e028fbdbe7b70b54399e390d8c29f277f09538df772811f4962ed8c835
            • Instruction ID: b9a7afad8e2d46fd73260a6b828d9af6a2b18dd78e952ba60497dfffbe7a9904
            • Opcode Fuzzy Hash: 6f2255e028fbdbe7b70b54399e390d8c29f277f09538df772811f4962ed8c835
            • Instruction Fuzzy Hash: 6B0162B1940309AFDB40DF98CC45BD9B7B8BB05304F1085A6A118D7641EB709A948F10
            APIs
            • __current_exception.VCRUNTIME140 ref: 00E217AF
            • __current_exception_context.VCRUNTIME140 ref: 00E217B9
            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E217C0
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780458776.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
            • Associated: 00000003.00000002.1780443399.0000000000E20000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780486959.0000000000E23000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E24000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E66000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_e20000_Update.jbxd
            Similarity
            • API ID: __current_exception__current_exception_contextterminate
            • String ID: csm
            • API String ID: 2542180945-1018135373
            • Opcode ID: 41fdafd931ad9aaddf137b82d0d58c14b10d2b972e8e795f6593ee17b9bb6dd7
            • Instruction ID: 43b082704f521a2d8fe6360b0bad697fe8b2182ffea51c4165393b6e9331db35
            • Opcode Fuzzy Hash: 41fdafd931ad9aaddf137b82d0d58c14b10d2b972e8e795f6593ee17b9bb6dd7
            • Instruction Fuzzy Hash: 1CF082364002208F8B345F29B44551DB7ADAEB336535424D7F484ABA10CB30AF51C6D1
            APIs
            • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,6C33CF2F,?,?,00000000,?,?,?,6C33CDED,00000002,FlsGetValue,6C37C584,6C37C58C), ref: 6C33CEA0
            • GetLastError.KERNEL32(?,6C33CF2F,?,?,00000000,?,?,?,6C33CDED,00000002,FlsGetValue,6C37C584,6C37C58C,?,?,6C33117D), ref: 6C33CEAA
            • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 6C33CED2
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID: api-ms-
            • API String ID: 3177248105-2084034818
            • Opcode ID: 39910b9cf1fc93f8a8f35873b6a746e711593086b652bb2b7fe87cff6801e97f
            • Instruction ID: 5e40b0eac2adc5c7a824e72a1931c8f0d4d05a913343f0b61f9ee388e85e5e73
            • Opcode Fuzzy Hash: 39910b9cf1fc93f8a8f35873b6a746e711593086b652bb2b7fe87cff6801e97f
            • Instruction Fuzzy Hash: D3E04830384299BBEF002E51DC19B493F69AB01756F244220F90EA49D0E763D5508F85
            APIs
              • Part of subcall function 6C1C1346: InitializeCriticalSectionEx.KERNEL32(6C3ADDC8,00000000,00000000,?,6C1C1043), ref: 6C1C134C
              • Part of subcall function 6C1C1346: GetLastError.KERNEL32(?,6C1C1043), ref: 6C1C1356
            • IsDebuggerPresent.KERNEL32(?,?,?,6C1D8AD3), ref: 6C1F54DE
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6C1D8AD3), ref: 6C1F54ED
            Strings
            • MZx, xrefs: 6C1F54B3
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6C1F54E8
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$MZx
            • API String ID: 3511171328-1466369552
            • Opcode ID: 506e9fc713b65a87353d832418193b1e7b699dbfbeafb4df40471de7777b416d
            • Instruction ID: 48532b1b38e8e465d7bedc958f1425e8ea116ad1d25573203f88e616fe40e8c3
            • Opcode Fuzzy Hash: 506e9fc713b65a87353d832418193b1e7b699dbfbeafb4df40471de7777b416d
            • Instruction Fuzzy Hash: 90E06DB02017418FD3209F28D008386BAF8AF1130AF41C91DE8A7D7B00FB75D84ACBA2
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$Delete$H_prolog3
            • String ID:
            • API String ID: 487261545-0
            • Opcode ID: 943ede404b0dd0095aa57a8dd546a0ac7cd6d59173cd95498d6920be59ca6aeb
            • Instruction ID: 27b0676356f6d71a42ab0033e01e6cc2c1a0c9e2e9822797ebb8ae4bd82d7fa9
            • Opcode Fuzzy Hash: 943ede404b0dd0095aa57a8dd546a0ac7cd6d59173cd95498d6920be59ca6aeb
            • Instruction Fuzzy Hash: 60121870D007198FDB15CFA9C890B9EFBB5BF09314F10826AE85AB7650EB70A995CF50
            APIs
            • GetConsoleOutputCP.KERNEL32(F0C0CBE2,00000000,00000000,?), ref: 6C33AC47
              • Part of subcall function 6C332501: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C335CE9,?,00000000,-00000008), ref: 6C332562
            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C33AE99
            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C33AEDF
            • GetLastError.KERNEL32 ref: 6C33AF82
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
            • String ID:
            • API String ID: 2112829910-0
            • Opcode ID: 765027104e292931b77a87d1e0dc9b28f5a4dff7353f1bd2ce1215e5d865916a
            • Instruction ID: fb0fefb8ac062653205df38238ea2ce6a2a4740e88039c9dd49481bd50e2bc58
            • Opcode Fuzzy Hash: 765027104e292931b77a87d1e0dc9b28f5a4dff7353f1bd2ce1215e5d865916a
            • Instruction Fuzzy Hash: DFD16BB5E052999FCF05CFE8C890A9DBBB8EF09304F14426AE469EB741D731A951CF60
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$Empty$StateWindow
            • String ID:
            • API String ID: 2684165152-0
            • Opcode ID: 99383976842629ab307a5828e21855a2d10ae0a79be8d3020b31324a0fd91bae
            • Instruction ID: 4e1f68dd36d22ed9dc25af5dad73688a51180a1c46a3537e2461099d197eea80
            • Opcode Fuzzy Hash: 99383976842629ab307a5828e21855a2d10ae0a79be8d3020b31324a0fd91bae
            • Instruction Fuzzy Hash: A4A17D32A0121A9FDF09CFA4C854BEE7BB5FF49355F148019F816A7680DB35A842CBA4
            APIs
            • IsThemeBackgroundPartiallyTransparent.UXTHEME(?,00000006,00000000,6C356D80), ref: 6C1FD229
            • DrawThemeParentBackground.UXTHEME(?,?,00000000), ref: 6C1FD243
            • DrawThemeBackground.UXTHEME(?,?,00000006,00000000,00000000,00000000), ref: 6C1FD25F
            • GetBkColor.GDI32(?), ref: 6C1FD271
              • Part of subcall function 6C1FA141: SetBkColor.GDI32(?,?), ref: 6C1FA15A
              • Part of subcall function 6C1FA141: ExtTextOutW.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 6C1FA18C
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: BackgroundTheme$ColorDraw$ParentPartiallyTextTransparent
            • String ID:
            • API String ID: 501873518-0
            • Opcode ID: 86f1eaddf33f19e614d2cbf964ad5ad6f2d91aff200efec6ce9bee1fb628825a
            • Instruction ID: 1c4911f108b1248a37ad86c2a52b87bc3302932175d7b6044939904058ef13b1
            • Opcode Fuzzy Hash: 86f1eaddf33f19e614d2cbf964ad5ad6f2d91aff200efec6ce9bee1fb628825a
            • Instruction Fuzzy Hash: 92914671E00219ABDF01DF99C884BEEBBF6EF49714F148119E924BB694C7759842CBA0
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: _strlen
            • String ID:
            • API String ID: 4218353326-0
            • Opcode ID: c9b1dac74176dee2c5499ed333dacad706ae9792bc7e5297bf2e80bb77e8d2ea
            • Instruction ID: 523f33e88ef4d22fbd63af9aae0268ea825ca97508ac5584f10c69e61939f609
            • Opcode Fuzzy Hash: c9b1dac74176dee2c5499ed333dacad706ae9792bc7e5297bf2e80bb77e8d2ea
            • Instruction Fuzzy Hash: D651E5F2E053505BD3208F69AC80A67BAE8EFA5258F150939F489C7B01FB35D51887A3
            APIs
            • __EH_prolog3.LIBCMT ref: 6C25DB90
            • LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 6C25DCE6
            • GetObjectW.GDI32(00000000,00000018,?), ref: 6C25DCF8
            • DeleteObject.GDI32(00000000), ref: 6C25DD50
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Object$DeleteH_prolog3ImageLoad
            • String ID:
            • API String ID: 91933946-0
            • Opcode ID: c1c31880f723b1601a4515894ad41b181b9d71b0d84f194bcd44b68024f3e0b1
            • Instruction ID: 8aff36582436be934de7361e1d863199ffd5865727781a9eee507d7017d9296e
            • Opcode Fuzzy Hash: c1c31880f723b1601a4515894ad41b181b9d71b0d84f194bcd44b68024f3e0b1
            • Instruction Fuzzy Hash: 8161EE72801609CBDF01DF64C980BEF73B5BF49315FA042A9EC246F689CB709956CB90
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: AdjustPointer
            • String ID:
            • API String ID: 1740715915-0
            • Opcode ID: a48cff8f627ed2ea17fafe3096f1548614c41dd3faa3c23eee17fd7823eabe48
            • Instruction ID: f16894777d79155a0bc0629cb6666bfc7346caf3cbc3c4916b09dc5796f5ea78
            • Opcode Fuzzy Hash: a48cff8f627ed2ea17fafe3096f1548614c41dd3faa3c23eee17fd7823eabe48
            • Instruction Fuzzy Hash: DA514872A052A6AFEB188F54C840BEA73B4FF01718F20452DDC598BE90E732E851CF95
            APIs
              • Part of subcall function 6C1DD964: GetDlgCtrlID.USER32(?), ref: 6C1DD972
              • Part of subcall function 6C1DD964: IsChild.USER32(?,?), ref: 6C1DD980
            • GetScrollPos.USER32(?,00000002), ref: 6C1DE8F7
            • GetScrollPos.USER32(?,00000002), ref: 6C1DE923
            • SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C1DE980
            • SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C1DEA02
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Scroll$ChildCtrl
            • String ID:
            • API String ID: 656700424-0
            • Opcode ID: 09a2dea96572bceef6ffb9315c78d2d8ded402471c0c17ad87f335088a02ec38
            • Instruction ID: fe7ea2a018876551e21d1e1c86969eb23f349968fd4a8d8d5e6b2d846fd3f79a
            • Opcode Fuzzy Hash: 09a2dea96572bceef6ffb9315c78d2d8ded402471c0c17ad87f335088a02ec38
            • Instruction Fuzzy Hash: DF517A31B00229AFDF459F64C855BAEBBB9FF48311F11416AE916A7380DB71AE01CB90
            APIs
              • Part of subcall function 6C1DD964: GetDlgCtrlID.USER32(?), ref: 6C1DD972
              • Part of subcall function 6C1DD964: IsChild.USER32(?,?), ref: 6C1DD980
            • GetScrollPos.USER32(?,00000002), ref: 6C1DEAAD
            • GetScrollPos.USER32(?,00000002), ref: 6C1DEAD9
            • SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C1DEB36
            • SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C1DEBAB
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Scroll$ChildCtrl
            • String ID:
            • API String ID: 656700424-0
            • Opcode ID: 4b34585bd55843012796099d7d53b3409749a9e53743b49e670e8db5f06c790b
            • Instruction ID: cd395a699e48f5f26958f70d93d547f4de10e7e171cba17e736c907705c33630
            • Opcode Fuzzy Hash: 4b34585bd55843012796099d7d53b3409749a9e53743b49e670e8db5f06c790b
            • Instruction Fuzzy Hash: D5512635B00219AFDF05CF64C855BAEBBB6BF89311F214069E816B7390DB71AE419F90
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C2006D4
              • Part of subcall function 6C1F40B3: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C1F4158
              • Part of subcall function 6C1F40B3: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C1F4167
            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 6C200859
            • RegCloseKey.ADVAPI32(?), ref: 6C20086C
            • RegCloseKey.ADVAPI32(?), ref: 6C2008C6
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Close$EnumH_prolog3_Value
            • String ID:
            • API String ID: 431837299-0
            • Opcode ID: c831adde9027c6c8dd3c2534d8f24783a682a9eb66ae3f44a6d769ac1299fab5
            • Instruction ID: daa5f25b3823aa1f4af20165831fd6f3b5ec943dc9fafa7c292f79b9df9445b6
            • Opcode Fuzzy Hash: c831adde9027c6c8dd3c2534d8f24783a682a9eb66ae3f44a6d769ac1299fab5
            • Instruction Fuzzy Hash: C2511EB1A0112C9BDB21CF55CC84BDEBBBCEF49614F4001DAE609A7251DB709A89CF99
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dcc15669a51da4cee73df5c08ef92f5d3015ea5e4d060a9aa8c5c5d877a6eee7
            • Instruction ID: d02aba4de15a26d0e5b31d9c3cfdf94b50e6ffdbb368912ae35719fec7001174
            • Opcode Fuzzy Hash: dcc15669a51da4cee73df5c08ef92f5d3015ea5e4d060a9aa8c5c5d877a6eee7
            • Instruction Fuzzy Hash: BD4127B2A04394EFE714DF78CC05B9ABBA8EB84714F10416AE159DBF80DB7299448F90
            APIs
            • GetPrivateProfileStringW.KERNEL32(?,?,6C390874,?,00001000,?), ref: 6C1F3CB7
              • Part of subcall function 6C1F405F: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C1F3A8E,?,00000000), ref: 6C1F40A4
            • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,F0C0CBE2,?,?,?,?,6C344E11,000000FF), ref: 6C1F3C05
            • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,6C344E11,000000FF), ref: 6C1F3C41
            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C344E11,000000FF), ref: 6C1F3C5B
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CloseQueryValue$PrivateProfileString
            • String ID:
            • API String ID: 2114517702-0
            • Opcode ID: df03150d3e3f15e2d9f8935d386692954dc79e9683a3cb4a621ea32cc52478d3
            • Instruction ID: da52164940ee390f7583cb6989fea32357f36636057c8b978979128d6eb0f647
            • Opcode Fuzzy Hash: df03150d3e3f15e2d9f8935d386692954dc79e9683a3cb4a621ea32cc52478d3
            • Instruction Fuzzy Hash: 4A416071A00219EFDB25CF14CC58AEEB3B9EF08314F40419AE519A7781DB34AE56CF61
            APIs
            • __EH_prolog3.LIBCMT ref: 6C277721
            • SendMessageW.USER32(?,00000421,00000001,?), ref: 6C2777B8
            • SendMessageW.USER32(?,00000421,00000001,?), ref: 6C2777CD
            • lstrcpyW.KERNEL32(00000000,00000010,00000000,00000010,6C20E701,00000000,?,00000002,?,?), ref: 6C2777FC
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSend$H_prolog3lstrcpy
            • String ID:
            • API String ID: 3361160815-0
            • Opcode ID: c6cf75c7aea3741773fc34feca8ae8237bdd66e8235b7adf6d76d4b387989a43
            • Instruction ID: fec9d06eaad53b313c39c2b7846e315ed837b1c1b70cba9139c430ac4e4016c5
            • Opcode Fuzzy Hash: c6cf75c7aea3741773fc34feca8ae8237bdd66e8235b7adf6d76d4b387989a43
            • Instruction Fuzzy Hash: 2241C172A0020A9BEF01CFA4C895BEE77B4FF04719F104418F9259B7D0CB74A945CB60
            APIs
            • __EH_prolog3.LIBCMT ref: 6C1F717D
            • GetClientRect.USER32(6C3566FC,?), ref: 6C1F71CC
              • Part of subcall function 6C1E4817: GetScrollPos.USER32(?,?), ref: 6C1E4843
              • Part of subcall function 6C1FFA65: GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C1F71FE,?,?,?,?,?,?,?,?,00000008), ref: 6C1FFA74
              • Part of subcall function 6C1FFA65: GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C1FFA84
              • Part of subcall function 6C1FFA65: EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000008), ref: 6C1FFA8D
            • CreateCompatibleDC.GDI32(?), ref: 6C1F7268
            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C1F728E
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CompatibleCreate$AddressBitmapClientEncodeH_prolog3HandleModulePointerProcRectScroll
            • String ID:
            • API String ID: 1015973060-0
            • Opcode ID: 0ad1795170e16e66d7bb8cbfc9f4bb70b9eabdf0e985429c6818168462262d0d
            • Instruction ID: b808feed2311eedd51533d49784f680eaf54162306a26b8d78a51a11f290b75a
            • Opcode Fuzzy Hash: 0ad1795170e16e66d7bb8cbfc9f4bb70b9eabdf0e985429c6818168462262d0d
            • Instruction Fuzzy Hash: 30412FB1600606EFD700DFA9C994B9AB7F4BF14308B15862EE42987B50DB70E955CFD0
            APIs
              • Part of subcall function 6C1F4E48: GetWindowLongW.USER32(?,000000F0), ref: 6C1F4E55
            • GetClientRect.USER32(?,?), ref: 6C1E7C3B
            • IsMenu.USER32(00000000), ref: 6C1E7C77
            • AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6C1E7C8F
            • GetClientRect.USER32(?,?), ref: 6C1E7CD7
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$ClientWindow$AdjustLongMenu
            • String ID:
            • API String ID: 3435883281-0
            • Opcode ID: 56976cd136e61ce8de60c63a643386556933ddebd5d6586c0d26c0e3d8161ab7
            • Instruction ID: 22b7599f268d0647d39ae8d33aee71019455063b041b0623d0a7029c3b93fe42
            • Opcode Fuzzy Hash: 56976cd136e61ce8de60c63a643386556933ddebd5d6586c0d26c0e3d8161ab7
            • Instruction Fuzzy Hash: C1319475A0020AAFEB04DBB5CA48EBFB7FDEF59204F11451AE811E7641EB349941CB90
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$FocusInvalidateRectUpdate
            • String ID:
            • API String ID: 593871241-0
            • Opcode ID: 7e7c58365d68e04d3bfc0dfdd89fbdb678ff616fc95e389d697488c73186db7b
            • Instruction ID: 53c32a9ae99aa4256b5c08c96cd5b220c5fc4aa18b5bdf927b36a1463a912bc5
            • Opcode Fuzzy Hash: 7e7c58365d68e04d3bfc0dfdd89fbdb678ff616fc95e389d697488c73186db7b
            • Instruction Fuzzy Hash: 40314735B0160AEFEB018F61D844BDA77F8FF4431AF618267EC04A7A50DBB0A805CB90
            APIs
            • FindResourceW.KERNEL32(?,-00000002,00000006,00000000,?,00000000,?,?,6C1D83E3,00000000,?,?,?), ref: 6C1D8438
            • LoadResource.KERNEL32(?,00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D844C
            • LockResource.KERNEL32(00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D845E
            • SizeofResource.KERNEL32(?,00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D8470
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Resource$FindLoadLockSizeof
            • String ID:
            • API String ID: 3473537107-0
            • Opcode ID: 8779becbd082db82fe12661c12ea99de1bc21d34e82d7d224290951449860009
            • Instruction ID: 97dcf12dbaa52d089587e191c46be21fe1e8480fe5d758d7141a58d36156f81d
            • Opcode Fuzzy Hash: 8779becbd082db82fe12661c12ea99de1bc21d34e82d7d224290951449860009
            • Instruction Fuzzy Hash: F121F3326012249BF7205F69CC84B6B77ACEF5631AB16812AFD11CB780EB25E805C7E1
            APIs
            • FindResourceW.KERNEL32(?,-00000002,00000006,00000000,?,00000000,?,?,6C1D83E3,00000000,?,?,?), ref: 6C1D8438
            • LoadResource.KERNEL32(?,00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D844C
            • LockResource.KERNEL32(00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D845E
            • SizeofResource.KERNEL32(?,00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D8470
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Resource$FindLoadLockSizeof
            • String ID:
            • API String ID: 3473537107-0
            • Opcode ID: c5900b92bffe4cdf44489df5e244094968b958a74192f79fc537b0f777103f07
            • Instruction ID: 4ff2fbf0184d7e681ed71b6d84a3472bf3c5660f76b8b0e21111b3621e978741
            • Opcode Fuzzy Hash: c5900b92bffe4cdf44489df5e244094968b958a74192f79fc537b0f777103f07
            • Instruction Fuzzy Hash: 6021F172A012245BF7205F69CC84B7B77ACEF5235AB16812AFC55CB380EB25E804C7E1
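The two records above list the same four call sites (FindResourceW, LoadResource, LockResource, SizeofResource at 6C1D8438..6C1D8470) under two different Opcode IDs, and the report gives no way to query records like these in bulk. The following Python is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses function records written in the shape shown on this page (SAMPLE is constructed from three of them), extracts each call with its module, call-site address and subcall attribution, flags a few call combinations, and groups records that cover identical call sites. The PATTERNS labels are this example's own triage categories, not Joe Sandbox signatures, and the resource-read chain they flag is just as common in benign MFC/UI code (which is what the theme and dialog calls elsewhere in this module suggest) as in loaders carrying a second stage, so a hit is a place to start reading, not a verdict.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag API-call patterns worth a look.
Added example, not part of the report: SAMPLE is constructed in the shape of the page's
records, and the PATTERNS labels are the author's own triage categories, not Joe Sandbox's."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

SAMPLE = """\
APIs
• FindResourceW.KERNEL32(?,-00000002,00000006,00000000,?,00000000,?,?,6C1D83E3,00000000,?,?,?), ref: 6C1D8438
• LoadResource.KERNEL32(?,00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D844C
• LockResource.KERNEL32(00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D845E
• SizeofResource.KERNEL32(?,00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D8470
Similarity
• API ID: Resource$FindLoadLockSizeof
• Opcode ID: 8779becbd082db82fe12661c12ea99de1bc21d34e82d7d224290951449860009
• Instruction Fuzzy Hash: F221F3326012249BF7205F69CC84B6B77ACEF5631AB16812AFD11CB780EB25E805C7E1
APIs
• FindResourceW.KERNEL32(?,-00000002,00000006,00000000,?,00000000,?,?,6C1D83E3,00000000,?,?,?), ref: 6C1D8438
• LoadResource.KERNEL32(?,00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D844C
• LockResource.KERNEL32(00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D845E
• SizeofResource.KERNEL32(?,00000000,?,6C1D83E3,00000000,?,?,?), ref: 6C1D8470
Similarity
• API ID: Resource$FindLoadLockSizeof
• Opcode ID: c5900b92bffe4cdf44489df5e244094968b958a74192f79fc537b0f777103f07
• Instruction Fuzzy Hash: 6021F172A012245BF7205F69CC84B7B77ACEF5235AB16812AFC55CB380EB25E804C7E1
APIs
• GetPrivateProfileStringW.KERNEL32(?,?,6C390874,?,00001000,?), ref: 6C1F3CB7
  • Part of subcall function 6C1F405F: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C1F3A8E,?,00000000), ref: 6C1F40A4
• RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,F0C0CBE2,?,?,?,?,6C344E11,000000FF), ref: 6C1F3C05
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C344E11,000000FF), ref: 6C1F3C5B
Similarity
• API ID: CloseQueryValue$PrivateProfileString
• String ID:
• Opcode ID: df03150d3e3f15e2d9f8935d386692954dc79e9683a3cb4a621ea32cc52478d3
• Instruction Fuzzy Hash: 4A416071A00219EFDB25CF14CC58AEEB3B9EF08314F40419AE519A7781DB34AE56CF61
"""

# One "• Api.MODULE(args), ref: ADDR" line; subcall lines carry the attributed function in front.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Any other "• Key: value" line of a record (Opcode ID, String ID, ...); the value may be empty.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z _]+?):\s*(?P<val>.*?)\s*$")

class Call(NamedTuple):
    api: str
    module: str
    ref: str               # call-site address as printed by the plugin
    subfn: Optional[str]   # set when the plugin attributes the call to a subcall function

class FunctionRecord(NamedTuple):
    calls: List[Call]
    fields: Dict[str, str]

def parse_records(text: str) -> List[FunctionRecord]:
    """One record per function; a record ends at its 'Instruction Fuzzy Hash' line,
    the last field the plugin prints for a function."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord([], {})
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.calls.append(Call(m["api"], m["module"], m["ref"].upper(), m["subfn"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"]
            if f["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord([], {})
    return records

# A label fires only when every listed API is called from the function (subcalls optional).
PATTERNS: Dict[str, set] = {
    # Canonical way to read a blob out of the PE resource section: used by loaders for a
    # second stage and by ordinary MFC/UI code for icons and dialog templates alike.
    "embedded-resource read": {"FindResourceW", "LoadResource", "LockResource", "SizeofResource"},
    "registry value enumeration": {"RegEnumValueW"},
    "INI/registry config read": {"GetPrivateProfileStringW", "RegQueryValueExW"},
}

def flag_record(rec: FunctionRecord, include_subcalls: bool = False) -> List[str]:
    names = {c.api for c in rec.calls if include_subcalls or c.subfn is None}
    return sorted(label for label, needed in PATTERNS.items() if needed <= names)

def duplicate_call_sites(records: List[FunctionRecord]) -> Dict[Tuple, List[str]]:
    """Group records whose direct (api, ref) call sites are identical: the plugin lists
    them as separate functions (different Opcode IDs) although they cover the same code."""
    groups: Dict[Tuple, List[str]] = {}
    for rec in records:
        key = tuple((c.api, c.ref) for c in rec.calls if c.subfn is None)
        if key:
            groups.setdefault(key, []).append(rec.fields.get("Opcode ID", "?"))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Run it as `for r in parse_records(open("report.txt", encoding="utf-8").read()): print(flag_record(r))` on a text export of the report; pass `include_subcalls=True` to count calls the plugin attributes to subcall functions as well, which widens matches but also pulls in library internals such as the RegCloseKey at 6C1F40A4 above. The duplicate grouping only compares direct call sites, so two records that differ only in attributed subcalls still land in one group.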
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C2E4003
            • CoTaskMemFree.OLE32(?,?,?,?,?,00000000,?,00000040,6C26068C,?,00000000,00000000,0000005C), ref: 6C2E40A7
            • CoTaskMemFree.OLE32(?,?,?,00000000,?,00000040,6C26068C,?,00000000,00000000,0000005C), ref: 6C2E40E7
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,00000003,000000FF,00000000,?,00000000,?,00000040,6C26068C,?,00000000,00000000), ref: 6C2E4105
              • Part of subcall function 6C1D9B7C: __EH_prolog3.LIBCMT ref: 6C1D9B83
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: FreeTask$CreateGlobalH_prolog3H_prolog3_Stream
            • String ID:
            • API String ID: 655328227-0
            • Opcode ID: 83f2ecf2c14bb890053d005ab82ff9ca4a0aa4ab7b130f529e6329f752b7eb8d
            • Instruction ID: 8555b830ab21c5330b006a6af77a90f235172f2c2a1ac6319fa3d8f4c3f41730
            • Opcode Fuzzy Hash: 83f2ecf2c14bb890053d005ab82ff9ca4a0aa4ab7b130f529e6329f752b7eb8d
            • Instruction Fuzzy Hash: 6331A571A0521D9BDF14DF54CC88BDDB778EF05319F0001A9E905AB790CB319A85DF91
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$EqualInflateParentWindow
            • String ID:
            • API String ID: 719057501-0
            • Opcode ID: 51b981a5e543f33a5fcafb2db8539a9ecd531e008cd50cf37325a24d1c904983
            • Instruction ID: 1c483b91010412d3bccf17ebbd79a28e78f5ca01263aca72c7f5115205d96ead
            • Opcode Fuzzy Hash: 51b981a5e543f33a5fcafb2db8539a9ecd531e008cd50cf37325a24d1c904983
            • Instruction Fuzzy Hash: C4314B71A00609ABDF00DFA5C984AEEBBF9FF5D304F50452AE512E3640EB35EA458F61
            APIs
              • Part of subcall function 6C332501: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6C335CE9,?,00000000,-00000008), ref: 6C332562
            • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 6C33802D
            • __dosmaperr.LIBCMT ref: 6C338034
            • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C33806E
            • __dosmaperr.LIBCMT ref: 6C338075
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
            • String ID:
            • API String ID: 1913693674-0
            • Opcode ID: 5b2c7088ceaab0a1006335fd7f27a65f1dc09e873828756841d2b37c24583335
            • Instruction ID: 594b035ffd84b2bb15d033e961eba3ad3888d30124f703defcfde6f8c4835e61
            • Opcode Fuzzy Hash: 5b2c7088ceaab0a1006335fd7f27a65f1dc09e873828756841d2b37c24583335
            • Instruction Fuzzy Hash: 0C21D871204265BFD7108F66888488BB7ADFF053697049A1AE85DD3E40D736EC508FA2
            APIs
            • RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,00000000,?,6C222A7F,00000002,00000000,?,?,?,6C1F8704), ref: 6C222AC5
            • RedrawWindow.USER32(?,00000000,00000000,00000585,?,00000000,?,6C222A7F,00000002,00000000,?,?,?,6C1F8704,?,00000000), ref: 6C222AF2
            • RedrawWindow.USER32(?,00000000,00000000,00000185,?,00000000,?,6C222A7F,00000002,00000000,?,?,?,6C1F8704,?,00000000), ref: 6C222B2F
            • RedrawWindow.USER32(?,00000000,00000000,00000585,?,?,?,?,6C1F8704,?,00000000), ref: 6C23E708
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: RedrawWindow
            • String ID:
            • API String ID: 2219533335-0
            • Opcode ID: 8c04aa8a0d78e82d358e7716b78a374e6778e15b4100a40d898ce33da898cc2c
            • Instruction ID: 428ec64fe63a9ad799695536a8c23bf25d68f49f2f30b4f1d0befc18339cdc3d
            • Opcode Fuzzy Hash: 8c04aa8a0d78e82d358e7716b78a374e6778e15b4100a40d898ce33da898cc2c
            • Instruction Fuzzy Hash: 3B21C972751A1367EB215E21CC08F553374BF49B26F220215FC5477EE0DB66F8449B94
            APIs
            • RedrawWindow.USER32(00000041,?,?,00000041), ref: 6C1DDD46
            • InflateRect.USER32(?,000000FF,000000FF), ref: 6C1DDD89
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: InflateRectRedrawWindow
            • String ID:
            • API String ID: 3190756164-0
            • Opcode ID: c74cfe9133a78a2eeeaefa9b851f545ce7bcbe8c0544a080c02bdf31ba39271d
            • Instruction ID: 0ec84ba41fc331788bc923d8c5ca093b54f473826dfecc039f523e78a7fba560
            • Opcode Fuzzy Hash: c74cfe9133a78a2eeeaefa9b851f545ce7bcbe8c0544a080c02bdf31ba39271d
            • Instruction Fuzzy Hash: 412121B160410EAFDF00DFA4CD84DAEB7BDEB16328B214229B521A31D0D7359959CF35
            APIs
            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,0FFFFFFE,?,?,6C1CED76,?), ref: 6C1CE640
            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?), ref: 6C1CE67F
            • WideCharToMultiByte.KERNEL32 ref: 6C1CE6A3
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 6C1CE6D3
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ByteCharMultiWide
            • String ID:
            • API String ID: 626452242-0
            • Opcode ID: 33b59ac300762fafafe5b30d033ff60178e637944465c37dedc8454e57bbcd19
            • Instruction ID: c4e0f7f35379252ec84cfdebef43c662ef2553ae3d7831117b139ad06592398f
            • Opcode Fuzzy Hash: 33b59ac300762fafafe5b30d033ff60178e637944465c37dedc8454e57bbcd19
            • Instruction Fuzzy Hash: EE110FB25042087FDB106F769C48CAF7EACDB462BCF054729F55946390FA32AD448BA2
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 06cf6c068312d77ef08bef71fac04a9587dc40829fee76f8c1c22456c4e50afa
            • Instruction ID: aff2737035f9300b64bb9f537f43fe79d57e39e7a2589734977445d4f6bb459e
            • Opcode Fuzzy Hash: 06cf6c068312d77ef08bef71fac04a9587dc40829fee76f8c1c22456c4e50afa
            • Instruction Fuzzy Hash: 5511E431604344AFDF201EA68C0CB8A7BBCEB867A9F240225E55197A90E77788409FA5
            APIs
            • FindResourceW.KERNEL32(?,?,00000005), ref: 6C204A9B
            • LoadResource.KERNEL32(?,00000000), ref: 6C204AB0
            • LockResource.KERNEL32(00000000), ref: 6C204AC2
            • GlobalFree.KERNEL32(?), ref: 6C204B01
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Resource$FindFreeGlobalLoadLock
            • String ID:
            • API String ID: 3898064442-0
            • Opcode ID: 22fa94afb69cad4bdf619debef8b87bb3772635bafb850454c569cd59c7986a4
            • Instruction ID: 08b42addf0fa43447bf8bc7a1e817b19e43d3ba445e2a702e4559c6b2a0776fc
            • Opcode Fuzzy Hash: 22fa94afb69cad4bdf619debef8b87bb3772635bafb850454c569cd59c7986a4
            • Instruction Fuzzy Hash: AE11E931B0171AAFC7119F55C885B9AB7B8EF1536AF05C266FC1AA7B00DB30AC048BD4
            APIs
            • BeginDeferWindowPos.USER32(?), ref: 6C2033D8
            • IsWindow.USER32(?), ref: 6C2033F3
            • DeferWindowPos.USER32(00000000,00000000,00000000,?,?,?,?,00000000), ref: 6C20343C
            • EndDeferWindowPos.USER32(00000000), ref: 6C203447
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Defer$Begin
            • String ID:
            • API String ID: 2880567340-0
            • Opcode ID: b408d9cab8f9d029da8bce17172e8b7c1fd90eace727973ba670879d845497c2
            • Instruction ID: f694f0b75da910034fb87b6f0fd61f51c8a5eb16001965972dee3c6f0409649a
            • Opcode Fuzzy Hash: b408d9cab8f9d029da8bce17172e8b7c1fd90eace727973ba670879d845497c2
            • Instruction Fuzzy Hash: 4B116D71B0110AAFDB01CFA9C884FAEBBF8FF09315F10452AB901E7650D771A980CBA1
            APIs
            • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C1E8260
            • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C1E828A
            • GetCapture.USER32 ref: 6C1E82A0
            • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C1E82AF
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: MessageSend$Capture
            • String ID:
            • API String ID: 1665607226-0
            • Opcode ID: 6ad75da603d5649206f71689c634e4f1045ee1ac0f465638f6f15d1b19a8f15f
            • Instruction ID: 38aad729c055e4b7c23cb4c43e2a4c2adef0c2683f53ef10251762d5ebb5c4a0
            • Opcode Fuzzy Hash: 6ad75da603d5649206f71689c634e4f1045ee1ac0f465638f6f15d1b19a8f15f
            • Instruction Fuzzy Hash: 08118471341A1A7FFE215B648C89FBE7B6EFF4C789F000125F606AB691DF619C019660
            APIs
            • GetCursorPos.USER32(00000000), ref: 6C1EB5A7
            • GetWindowRect.USER32(?,?), ref: 6C1EB5C3
            • PtInRect.USER32(?,00000000,00000000), ref: 6C1EB5D3
            • CallNextHookEx.USER32(?,?,?), ref: 6C1EB5FB
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$CallCursorHookNextWindow
            • String ID:
            • API String ID: 3719484595-0
            • Opcode ID: 537b0a23677eb3e7ece35f955c34d25d71361a36dbaf8da5dbaa18c06fe33dbc
            • Instruction ID: f27296f6ea069c708660e863dbdd94432c838ef80a05836f31d167a16d53a682
            • Opcode Fuzzy Hash: 537b0a23677eb3e7ece35f955c34d25d71361a36dbaf8da5dbaa18c06fe33dbc
            • Instruction Fuzzy Hash: 98218E31A0160AEBDF01CFA4C949BAE7BB9FF1E30AF244215F020E7564D7359694CB54
            APIs
            • GetObjectW.GDI32(?,0000000C,?), ref: 6C1E7ECD
            • SetBkColor.GDI32(?,?), ref: 6C1E7ED7
            • GetSysColor.USER32(00000008), ref: 6C1E7EE7
            • SetTextColor.GDI32(?,?), ref: 6C1E7EEF
              • Part of subcall function 6C1F9657: GetWindowLongW.USER32(?,000000F0), ref: 6C1F9672
              • Part of subcall function 6C1F9657: GetClassNameW.USER32(?,?,0000000A), ref: 6C1F9687
              • Part of subcall function 6C1F9657: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 6C1F969E
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Color$ClassCompareLongNameObjectStringTextWindow
            • String ID:
            • API String ID: 3274569906-0
            • Opcode ID: 1c5c15ca40ce035813a23f2f2aa7c278a40182f06a14812af87d3d269a0fd4ae
            • Instruction ID: 15d4942b893ef8acf3a347e9754253ac71d347cab9a1895b14bfe59e37450b33
            • Opcode Fuzzy Hash: 1c5c15ca40ce035813a23f2f2aa7c278a40182f06a14812af87d3d269a0fd4ae
            • Instruction Fuzzy Hash: 87018431602904ABEB04DF688840AAF77BCEF5F714F640616F922E6D81E731DD81C791
            APIs
            • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 6C1F3B1C
            • RegCloseKey.ADVAPI32(00000000), ref: 6C1F3B25
            • swprintf.LIBCMT ref: 6C1F3B42
            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C1F3B53
              • Part of subcall function 6C1F405F: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C1F3A8E,?,00000000), ref: 6C1F40A4
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Close$PrivateProfileStringValueWriteswprintf
            • String ID:
            • API String ID: 581541481-0
            • Opcode ID: c480fc9c1b78f012cda9ba07b031ed98996d31f614f4f52a35f9a3b89f600c69
            • Instruction ID: 966b022b661f0405c8dcb51866e2c753801f95fa117a49723259877c360d684b
            • Opcode Fuzzy Hash: c480fc9c1b78f012cda9ba07b031ed98996d31f614f4f52a35f9a3b89f600c69
            • Instruction Fuzzy Hash: B301D632600209BBDB00DF648C45FAEB3FCEF5A608F50041AFA11E7180E7B5ED0587A1
            APIs
            • CreateThread.KERNEL32(00000000,?,6C328B14,00000000,00000004,00000000), ref: 6C328A38
            • GetLastError.KERNEL32(?,?,?,6C2727C3,6C272813,00000000,00000000,?,00000000,?,6C20AB85,00000001,00000000,?,?,6C20A81B), ref: 6C328A44
            • __dosmaperr.LIBCMT ref: 6C328A4B
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CreateErrorLastThread__dosmaperr
            • String ID:
            • API String ID: 2744730728-0
            • Opcode ID: 5b63e9e60e91fc79198f6c42f7a9729ca7aa251971c571c0e6a90384a2fa1d69
            • Instruction ID: 5a8de7506c6255298178f1ff1b11597443b49bf99678f19dbbaf9eb84f83571e
            • Opcode Fuzzy Hash: 5b63e9e60e91fc79198f6c42f7a9729ca7aa251971c571c0e6a90384a2fa1d69
            • Instruction Fuzzy Hash: 3601C873901304ABCF008FA5CC04BDE7A7DDF8137AF204216F521965D0EB758945CAA2
            APIs
            • SetActiveWindow.USER32(?), ref: 6C1EE788
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 6C1EE79B
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 6C1EE7C9
            • DragFinish.SHELL32(?), ref: 6C1EE7FE
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Drag$FileQuery$ActiveFinishWindow
            • String ID:
            • API String ID: 892977027-0
            • Opcode ID: 0647c6409d7486e49ea4426083edc0bd1cd3b2987ad36b7795687b15c45f9b27
            • Instruction ID: 29f6aaa4b50e622c9ace10764536b31f819ff72457bbba3b7a0649f897f9e1af
            • Opcode Fuzzy Hash: 0647c6409d7486e49ea4426083edc0bd1cd3b2987ad36b7795687b15c45f9b27
            • Instruction Fuzzy Hash: F0115175A012289BCB10DF25CC8CEDE7BB9FF8A315F000199E51A97241DB309A81CBA1
            APIs
            • GetDlgCtrlID.USER32(?), ref: 6C1E022B
            • GetScrollPos.USER32(?,00000002), ref: 6C1E023E
            • SendMessageW.USER32(?,00000114,?,?), ref: 6C1E0278
            • SetScrollPos.USER32(?,00000002,?,00000000), ref: 6C1E0296
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Scroll$CtrlMessageSend
            • String ID:
            • API String ID: 1219558039-0
            • Opcode ID: 3a2846c3828ab5cfaa205bbb16a7a4215d99a01f257865465dab5f54c5a0089e
            • Instruction ID: 3375288f5c54c628cbb7788518ccd4a46f44c13dc36655dd3a85182cea889d93
            • Opcode Fuzzy Hash: 3a2846c3828ab5cfaa205bbb16a7a4215d99a01f257865465dab5f54c5a0089e
            • Instruction Fuzzy Hash: 1311CE72600219FFEF018FA8CC49EAE7BB4FF49341F014569F9459B151EA71AC50EB60
            APIs
            • GetDlgCtrlID.USER32(?), ref: 6C1E02BC
            • GetScrollPos.USER32(?,00000002), ref: 6C1E02CF
            • SendMessageW.USER32(?,00000115,?,?), ref: 6C1E0309
            • SetScrollPos.USER32(?,00000002,?,00000000), ref: 6C1E0327
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Scroll$CtrlMessageSend
            • String ID:
            • API String ID: 1219558039-0
            • Opcode ID: 13abf5d064e03435d9bdd60733768437d50b05e5c5d5e1b7da215224986e367b
            • Instruction ID: 8624331eed50b187bd9adea18d3ab4d7cf83fa6401885285650bcffc15d4cc80
            • Opcode Fuzzy Hash: 13abf5d064e03435d9bdd60733768437d50b05e5c5d5e1b7da215224986e367b
            • Instruction Fuzzy Hash: 6111CE32600218FFDB018F68CC89F9E7BB5FB48301F004569F941AB151E771AC50DB60
            APIs
            • GetMenuItemCount.USER32(00000000), ref: 6C1DAAE1
            • GetSubMenu.USER32(00000000,-00000001), ref: 6C1DAAF0
            • GetMenuItemCount.USER32(00000000), ref: 6C1DAAFD
            • GetMenuItemID.USER32(00000000,00000000), ref: 6C1DAB13
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Menu$Item$Count
            • String ID:
            • API String ID: 879546783-0
            • Opcode ID: 9db3b0ed33de82354a8ce1c5ae270ee7b8c508349b68450e9f001c06eac66856
            • Instruction ID: 9fd5ac0355d6272133ebc3b151095320b772ae49267c5620866cf8ada696a773
            • Opcode Fuzzy Hash: 9db3b0ed33de82354a8ce1c5ae270ee7b8c508349b68450e9f001c06eac66856
            • Instruction Fuzzy Hash: EA01A270A01306AFDB04CF64DD98A8F7AFADB15345F124525EC01E6610E734EA828750
            APIs
            • InflateRect.USER32(?,00000002,00000002), ref: 6C20D89F
            • InvalidateRect.USER32(?,?,00000001), ref: 6C20D8B3
            • UpdateWindow.USER32(?), ref: 6C20D8BC
            • SetRectEmpty.USER32(?), ref: 6C20D8C3
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$EmptyInflateInvalidateUpdateWindow
            • String ID:
            • API String ID: 3040190709-0
            • Opcode ID: 4101c5ffcff826ac15d2664c7d2ef8e2ee411765d9663bc64d088c7bb700fe80
            • Instruction ID: 547e8fb4737a31bac937eba734588a895de4573aa626c2bbbada1b8925708e89
            • Opcode Fuzzy Hash: 4101c5ffcff826ac15d2664c7d2ef8e2ee411765d9663bc64d088c7bb700fe80
            • Instruction Fuzzy Hash: 2F01AD31A00209DFDB10DF68C889F9BBBF8FB8A321F510669E516AB190D7715904CB50
            APIs
            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C1DB604
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 6C1DB613
            • IsWindow.USER32(00000000), ref: 6C1DB624
            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 6C1DB634
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Long
            • String ID:
            • API String ID: 847901565-0
            • Opcode ID: cf95fcadba164d2c872694d6c4781bc54c4bab94e66114f763062c748fc8421c
            • Instruction ID: d172e899def8fc7f13c773b6c88291fff59ad14e28d0fae89cac11b5905e184e
            • Opcode Fuzzy Hash: cf95fcadba164d2c872694d6c4781bc54c4bab94e66114f763062c748fc8421c
            • Instruction Fuzzy Hash: C1016231308114AFDF015F648C48B7E77BCAB46725B110329F813962C5EF65A8019755
            APIs
            • GetTopWindow.USER32(?), ref: 6C1E8119
            • GetTopWindow.USER32(00000000), ref: 6C1E815C
            • GetWindow.USER32(00000000,00000002), ref: 6C1E817E
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window
            • String ID:
            • API String ID: 2353593579-0
            • Opcode ID: 1b75eb45b0d9d361b7f2dd10d37e26b611e692c02c71843d027a98a318143aea
            • Instruction ID: a270dc89439df9466504fe014e767640c4abc9496c7f9e4e50fc4819941366d5
            • Opcode Fuzzy Hash: 1b75eb45b0d9d361b7f2dd10d37e26b611e692c02c71843d027a98a318143aea
            • Instruction Fuzzy Hash: BC010432101A1ABFEF035F98CC08FDE3B6AAF0E356F044516FA1090560DB36C5A1EBA1
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 6C1E80A5
            • GetTopWindow.USER32(00000000), ref: 6C1E80B2
              • Part of subcall function 6C1E809B: GetWindow.USER32(00000000,00000002), ref: 6C1E8101
            • GetTopWindow.USER32(?), ref: 6C1E80E6
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Window$Item
            • String ID:
            • API String ID: 369458955-0
            • Opcode ID: 8017a961fa6ae220fe4db34f932db19b37c45f23ebea3382e3a4cfa1c6abd68f
            • Instruction ID: 89f98ab7f975dcf28ef2a4e0a23fd895ac543aa9882a5420a980cfdf1bad900b
            • Opcode Fuzzy Hash: 8017a961fa6ae220fe4db34f932db19b37c45f23ebea3382e3a4cfa1c6abd68f
            • Instruction Fuzzy Hash: 48011D31205E2AABEF231F69CC04B9F3B78AF1A799F084212FD14D5950E772C5529791
            APIs
            • GetParent.USER32(?), ref: 6C1F52A2
            • GetParent.USER32(?), ref: 6C1F52B5
            • GetParent.USER32(?), ref: 6C1F52CF
            • SetFocus.USER32(?,00000000,?,?,6C1EE3E3,?,6C1C1224,?), ref: 6C1F52E8
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Parent$Focus
            • String ID:
            • API String ID: 384096180-0
            • Opcode ID: b20a62329d9902c69a5b03dfcd22269c45591eba4629199c0b6e1469e0d0d3d1
            • Instruction ID: 79b89a804af3e22d727210440de8cb08f1b48acff5fab4f25841b5ae8264e844
            • Opcode Fuzzy Hash: b20a62329d9902c69a5b03dfcd22269c45591eba4629199c0b6e1469e0d0d3d1
            • Instruction Fuzzy Hash: 73F06D32700B009BCF112F748808A6E77BABF8C2063440669E556C3A20EF75D8468B51
            APIs
            • WriteConsoleW.KERNEL32(00000000,6C338E1C,00000000,00000000,00000000,?,6C3424A0,00000000,00000001,00000000,?,?,6C33AFD6,?,00000000,00000000), ref: 6C3434D0
            • GetLastError.KERNEL32(?,6C3424A0,00000000,00000001,00000000,?,?,6C33AFD6,?,00000000,00000000,?,?,?,6C33A91C,?), ref: 6C3434DC
              • Part of subcall function 6C34352D: CloseHandle.KERNEL32(FFFFFFFE,6C3434EC,?,6C3424A0,00000000,00000001,00000000,?,?,6C33AFD6,?,00000000,00000000,?,?), ref: 6C34353D
            • ___initconout.LIBCMT ref: 6C3434EC
              • Part of subcall function 6C34350E: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C3434AA,6C34248D,?,?,6C33AFD6,?,00000000,00000000,?), ref: 6C343521
            • WriteConsoleW.KERNEL32(00000000,6C338E1C,00000000,00000000,?,6C3424A0,00000000,00000001,00000000,?,?,6C33AFD6,?,00000000,00000000,?), ref: 6C343501
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
            • String ID:
            • API String ID: 2744216297-0
            • Opcode ID: ec3cbbe9f4ab4e1ea8bc76b799b651269c1e905dfbd7b93061ddbf3a4a6d6653
            • Instruction ID: beff8f5085ef35e220ab0953e80e7a15edbd7d323def7688dbb2059dc1cd594c
            • Opcode Fuzzy Hash: ec3cbbe9f4ab4e1ea8bc76b799b651269c1e905dfbd7b93061ddbf3a4a6d6653
            • Instruction Fuzzy Hash: 5FF01C36600119BBCF521FD2DC089DA3FBAFB493A5F088550FA1987260D73388209F91
            APIs
            • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6C31B623
            • GetCurrentThreadId.KERNEL32 ref: 6C31B632
            • GetCurrentProcessId.KERNEL32 ref: 6C31B63B
            • QueryPerformanceCounter.KERNEL32(?), ref: 6C31B648
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
            • String ID:
            • API String ID: 2933794660-0
            • Opcode ID: cadf7a814205d088df0420ec4b9c6e7cc343e189db79d449d98fd8f242ff9702
            • Instruction ID: 27ea8091c762ecfbad5e4871b8ce76addbda3d6c12f99e482a95ebb6fb524869
            • Opcode Fuzzy Hash: cadf7a814205d088df0420ec4b9c6e7cc343e189db79d449d98fd8f242ff9702
            • Instruction Fuzzy Hash: 6EF05F74D1020DEBCF01DFB4C64999EBBF8EF1D201B918596A412E6100E730AB449B51
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: __aulldiv
            • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
            • API String ID: 3732870572-1956417402
            • Opcode ID: e3db4d2d27f3eef5f7e192af155679c10c80d832f40a75ecbf34d7595b0b68fe
            • Instruction ID: d76eadb5609daae66bbee2511d2e0bf28c38e81720968c4cda7e1fc9ddf2e7e0
            • Opcode Fuzzy Hash: e3db4d2d27f3eef5f7e192af155679c10c80d832f40a75ecbf34d7595b0b68fe
            • Instruction Fuzzy Hash: 2A61F670E0825D9ADB01CFA9C8507AEBBF5AF9A318F148159E8B4D7B41D7788543CB50
            APIs
              • Part of subcall function 6C332643: GetLastError.KERNEL32(00000000,?,6C3369BA), ref: 6C332647
              • Part of subcall function 6C332643: SetLastError.KERNEL32(00000000,?,?,00000028,6C32D5FE), ref: 6C3326E9
            • GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,6C332F78,?,?,?,00000055,?,-00000050,?,?,?), ref: 6C33E048
            • IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,6C332F78,?,?,?,00000055,?,-00000050,?,?), ref: 6C33E07F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ErrorLast$CodePageValid
            • String ID: utf8
            • API String ID: 943130320-905460609
            • Opcode ID: 134cad3b683b535b1175467537b3075df7e809d54485aa50ec398076ae2b85bb
            • Instruction ID: d2bc0ac50df5967932376ae78c267babd523d77923f952b985ebd3b57a305b41
            • Opcode Fuzzy Hash: 134cad3b683b535b1175467537b3075df7e809d54485aa50ec398076ae2b85bb
            • Instruction Fuzzy Hash: A1510631A043A5AAEB15AB71CC80FE773A8EF05708F101529F55D97A80F776EC448EE2
            APIs
            • __EH_prolog3_GS.LIBCMT ref: 6C201A37
            • CoCreateGuid.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,00000028), ref: 6C201A92
            Strings
            • %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 6C201ADC
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CreateGuidH_prolog3_
            • String ID: %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X
            • API String ID: 2971167768-1017209998
            • Opcode ID: bd1f36f6a4c3108737e2555e6bb70e6e7ad5313da4c266685da8ac68bedf35e2
            • Instruction ID: b081748e807e2fbe97e1a14a58b127df46322e3c96f4e7409950a940ce532d28
            • Opcode Fuzzy Hash: bd1f36f6a4c3108737e2555e6bb70e6e7ad5313da4c266685da8ac68bedf35e2
            • Instruction Fuzzy Hash: 13418F72A011599FDF15DBA8C864AFEBBF9AF09214F14005AE541B7680DB38AE09CB60
            APIs
            • __EH_prolog3.LIBCMT ref: 6C257777
            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000008,6C209B27,?,MFCToolBars,?,000000A8), ref: 6C2578C2
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: H_prolog3QueryValue
            • String ID: SOFTWARE\
            • API String ID: 2373586757-3302998844
            • Opcode ID: f3db2d3b3109d1c0fd4d471f9e78ac94530594ad30c1d9a19f419047fbbbb16a
            • Instruction ID: 9a6f73a2bfc2cd33b90f686536e4bbe6ade587e75c3963a60b14e963a3dbf601
            • Opcode Fuzzy Hash: f3db2d3b3109d1c0fd4d471f9e78ac94530594ad30c1d9a19f419047fbbbb16a
            • Instruction Fuzzy Hash: 1F31F171210249AFDF059F60D898EFE77AEEF44618F10902AF8145BB90CB309D54DB61
            APIs
            • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,6C331D74,?,?,00000000,00000000,00000000,?), ref: 6C331E98
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: EncodePointer
            • String ID: MOC$RCC
            • API String ID: 2118026453-2084237596
            • Opcode ID: bdc4a5ed01fefe1ebd19b0da630be1ca8fdcfc575b6c8c7e06d9b6f369cd58ab
            • Instruction ID: a34a583436ecb08648af646713cdeb088ead6e4c27f3008c452513a066168c5b
            • Opcode Fuzzy Hash: bdc4a5ed01fefe1ebd19b0da630be1ca8fdcfc575b6c8c7e06d9b6f369cd58ab
            • Instruction Fuzzy Hash: 38413871900159AFCF05CF94CC80AEEBBB5BF48308F245259F918A6650D336D960DF51
            APIs
            • std::_Lockit::_Lockit.LIBCPMT ref: 6C1C2C06
            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C1C2D16
              • Part of subcall function 6C1F57A9: _Yarn.LIBCPMT ref: 6C1F57C9
              • Part of subcall function 6C1F57A9: _Yarn.LIBCPMT ref: 6C1F57ED
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: LockitYarnstd::_$Lockit::_Lockit::~_
            • String ID: bad locale name
            • API String ID: 2070049627-1405518554
            • Opcode ID: aa39edd2dc2b71d8bfcc00c447d469ddadbcca004207c3b25610b01f1aeb2340
            • Instruction ID: a27eeab7087a62ab4f87182da0026bb888a0533a9e3e6eb8a762193e3f70e475
            • Opcode Fuzzy Hash: aa39edd2dc2b71d8bfcc00c447d469ddadbcca004207c3b25610b01f1aeb2340
            • Instruction Fuzzy Hash: C741ABF1A01B419BDB20CF69D845B56BBE8BF28604F04862DE459C7B40E738E418CBE6
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C1E32DC
            • PathFindExtensionW.SHLWAPI(?,?), ref: 6C1E32F2
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ExtensionFileFindModuleNamePath
            • String ID: %Ts%Ts.dll
            • API String ID: 2295281026-1896370695
            • Opcode ID: d48802175b83ee8e071804ab6493bd16168d96ea752757160b9341cce09fe59a
            • Instruction ID: 3c6d75ba1876803ed8790ac9609b1ff346ef3761160c80427716d9749b0f6726
            • Opcode Fuzzy Hash: d48802175b83ee8e071804ab6493bd16168d96ea752757160b9341cce09fe59a
            • Instruction Fuzzy Hash: D1310432B0051AABDB00DAA5CC44AEBB7BDAF49318F514166E815EBA50DB74D907CBD0
            APIs
            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C331956
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ___except_validate_context_record
            • String ID: csm$csm
            • API String ID: 3493665558-3733052814
            • Opcode ID: 3707962ca9eb68c933c1afd74e34b1a535ceb28039b9f535e42f1455c8bbe280
            • Instruction ID: 012292867db44e2fd88492037ad9f8852c95c9bf7a0dd2a0bf61e14e6cd81041
            • Opcode Fuzzy Hash: 3707962ca9eb68c933c1afd74e34b1a535ceb28039b9f535e42f1455c8bbe280
            • Instruction Fuzzy Hash: B131A8725102B4DBCF128F91CC409AA7B7AFF0531AB14625AF85C49621C733D8A1DFD2
            APIs
              • Part of subcall function 6C1F405F: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C1F3A8E,?,00000000), ref: 6C1F40A4
            • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 6C1F3EEE
            • RegCloseKey.ADVAPI32(00000000), ref: 6C1F3EF7
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Close$Value
            • String ID: A
            • API String ID: 299128501-3554254475
            • Opcode ID: da3e6b050c7435e4c26ec4c60f16376964b38b8356f9019ca6d461e0f5418163
            • Instruction ID: 14c4a10735de57addaa35e1fd89a47df47dc334262bec95d74c570e3f58356f6
            • Opcode Fuzzy Hash: da3e6b050c7435e4c26ec4c60f16376964b38b8356f9019ca6d461e0f5418163
            • Instruction Fuzzy Hash: 18213336600224ABDB058F68C804AEE7BB9EF45320F204159F928CB291EB36CC43C7A1
            APIs
            • GetMonitorInfoW.USER32(?,?), ref: 6C1F8972
            • CopyRect.USER32(?,?), ref: 6C1F8984
              • Part of subcall function 6C1D9B7C: __EH_prolog3.LIBCMT ref: 6C1D9B83
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CopyH_prolog3InfoMonitorRect
            • String ID: (
            • API String ID: 76778085-3887548279
            • Opcode ID: b72fd7b305f1887f94f4a58a178d5d7c0557db01f96bac70d494816fc7c270b9
            • Instruction ID: c80b344df145b5c705b6081411884f74ebf8f2448a03bbdae25822f18620d131
            • Opcode Fuzzy Hash: b72fd7b305f1887f94f4a58a178d5d7c0557db01f96bac70d494816fc7c270b9
            • Instruction Fuzzy Hash: 3E214F71A00609DFCB10DFA9D544A9EB7F8FF09214B10852DE466E3690DB30EA44CB51
            APIs
            • GetSysColor.USER32(00000014), ref: 6C1F8876
            • CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 6C1F88EF
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: BitmapColorCreate
            • String ID: (
            • API String ID: 2048008349-3887548279
            • Opcode ID: 2b9e979e49fa31e8dfc390c4a042ccf5225b01fc8b77b32459206e3828a4116c
            • Instruction ID: 9626f4c5aed970ae7738dedf5c6876f262cca32c1c97d9d2b22d27f6852d8191
            • Opcode Fuzzy Hash: 2b9e979e49fa31e8dfc390c4a042ccf5225b01fc8b77b32459206e3828a4116c
            • Instruction Fuzzy Hash: E321B960A1138CDBEF01CFB88842BDCB7B8BF15305F548259E545FB141EB346A89CB65
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: EmptyH_prolog3_Rect
            • String ID: Afx:ToolBar
            • API String ID: 2941628838-177727192
            • Opcode ID: 86ddd2de1d151f379a185e41a996bde20ad7ead3ebb837b08620fa30f95bdfe1
            • Instruction ID: 38bcbd4d5e8ca3690fbcd8191acbaa9ac40f31904e56612af3e34dd958b3b942
            • Opcode Fuzzy Hash: 86ddd2de1d151f379a185e41a996bde20ad7ead3ebb837b08620fa30f95bdfe1
            • Instruction Fuzzy Hash: 7B218C31A006099FDF08CF68D895AEE7BE5EF09314F05022EF819E7790DB74AD548BA4
            APIs
            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E21AC2
            • ___raise_securityfailure.LIBCMT ref: 00E21BAA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780458776.0000000000E21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
            • Associated: 00000003.00000002.1780443399.0000000000E20000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780472190.0000000000E22000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780486959.0000000000E23000.00000004.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E24000.00000002.00000001.01000000.00000005.sdmp
            • Associated: 00000003.00000002.1780501099.0000000000E66000.00000002.00000001.01000000.00000005.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_e20000_Update.jbxd
            Similarity
            • API ID: FeaturePresentProcessor___raise_securityfailure
            • String ID: 0
            • API String ID: 3761405300-4015486719
            • Opcode ID: 222d5751e70f18c5779651605ca090526f1a7af87c87527cb1405040388f7d10
            • Instruction ID: 9f43fabc85b6d86f1e58b2c16a23a34194cee3cce16ffb665fcbd1d0d13ccaff
            • Opcode Fuzzy Hash: 222d5751e70f18c5779651605ca090526f1a7af87c87527cb1405040388f7d10
            • Instruction Fuzzy Hash: CA21E7B86023059ED324CF26FD46A407BE4BB08314F10502AE904AA3B0E7B9979A8F55
            APIs
            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6C2519C9
            • ___raise_securityfailure.LIBCMT ref: 6C251A86
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: FeaturePresentProcessor___raise_securityfailure
            • String ID: ;3l
            • API String ID: 3761405300-3004056388
            • Opcode ID: 130e28f69ee10d7ea31387fa4ef387b22ff7f90b125a8e0bfc713fce5589064a
            • Instruction ID: b34e5b26f6dd8301c0147486a3159f7e3c7466ca927c6ed7cd42abf6fc7fa92d
            • Opcode Fuzzy Hash: 130e28f69ee10d7ea31387fa4ef387b22ff7f90b125a8e0bfc713fce5589064a
            • Instruction Fuzzy Hash: D611ACBAB113499FDB00DF5AD185AC53BFCFB2A380B10942AE818CB350E370D5818F89
            APIs
            • UnregisterClassW.USER32(?,MZx), ref: 6C1C13F0
            • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6C1C111A), ref: 6C1C141B
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: ClassCriticalDeleteSectionUnregister
            • String ID: MZx
            • API String ID: 1235663670-2575928145
            • Opcode ID: 7dad1596a4e6fd7866d4110cbbb18974e67337983551ce2b3bd5197e2815f878
            • Instruction ID: 4b00b7aca84130445dac637b078a6be3715fbe2383eae214da0139ed8f9ba83c
            • Opcode Fuzzy Hash: 7dad1596a4e6fd7866d4110cbbb18974e67337983551ce2b3bd5197e2815f878
            • Instruction Fuzzy Hash: 4BF08CB16003049BC7208FA6C984A17B7FCFB9E31AB20066EE49A83A10D779E445CB60
            APIs
            • __EH_prolog3.LIBCMT ref: 6C22CE18
            • FindResourceW.KERNEL32(?,?,STYLE_XML,?,?,00000004,6C1F86F9,?,00000000), ref: 6C22CE56
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: FindH_prolog3Resource
            • String ID: STYLE_XML
            • API String ID: 3036663282-3909253476
            • Opcode ID: c27ee80fadfc0cf6661cb2bd4599764fb4368524cdf2822780a85eeaf5868f26
            • Instruction ID: 0f4688cc70677e5a905be2b335525daef37e6ce8c3d323c4e16dd0fb11af0cf7
            • Opcode Fuzzy Hash: c27ee80fadfc0cf6661cb2bd4599764fb4368524cdf2822780a85eeaf5868f26
            • Instruction Fuzzy Hash: B1F0CDB2A002199BEB10BFB188509EE73BCBF866187100516F9A697B40CB38C4058A25
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Yarn
            • String ID: r8l
            • API String ID: 1767336200-800140480
            • Opcode ID: 02f4f2a983e190d088fad1df8ac6648574e01604bbf00a266020ef0cdb395bc3
            • Instruction ID: 05ec67531f2df07fd28b7c610c8b929da2d70685e731fb051dfce7a48ac365f8
            • Opcode Fuzzy Hash: 02f4f2a983e190d088fad1df8ac6648574e01604bbf00a266020ef0cdb395bc3
            • Instruction Fuzzy Hash: 42E0E5363083146BEF089A66AC51BF633D9DB45665F10412EF91F9AEC0EE11EC058955
            APIs
            • SetRectEmpty.USER32(4X'l), ref: 6C275C44
            • GetWindowRect.USER32(?,4X'l), ref: 6C275C55
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: Rect$EmptyWindow
            • String ID: 4X'l
            • API String ID: 1559801663-2724417780
            • Opcode ID: 98a3d6c12d2179459c1ab277e7a065bf69404f5c197fd52d7a2470f70a352ed1
            • Instruction ID: b23160769199017a7192341ca08b0a9235899b262b145c9c4ce186e3e25ce76c
            • Opcode Fuzzy Hash: 98a3d6c12d2179459c1ab277e7a065bf69404f5c197fd52d7a2470f70a352ed1
            • Instruction Fuzzy Hash: 56F0A47260171AAFC760CF59C485E42FBF8FF5A765310892AE559C3A00D771F860CBA0
            APIs
            • CloseThemeData.UXTHEME(?,6C356D80), ref: 6C1FE6D6
            • OpenThemeData.UXTHEME(?,REBAR,6C356D80), ref: 6C1FE6E4
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: DataTheme$CloseOpen
            • String ID: REBAR
            • API String ID: 1809247333-925029515
            • Opcode ID: 8946e3b02b6ed682958348c9e94984495a8ba3e1522a9b1d907930feee3da9ae
            • Instruction ID: f83f2efec63bfa6855db5215c579d32fb4f15da18032b27ce00fd81e3ddde7a2
            • Opcode Fuzzy Hash: 8946e3b02b6ed682958348c9e94984495a8ba3e1522a9b1d907930feee3da9ae
            • Instruction Fuzzy Hash: 3CE08672B157106BEB10AE318C18E5B3AE9BF17156F400D29E8B5D3A10EB39C843CBC1
            APIs
            • EnterCriticalSection.KERNEL32(6C3B0410,?,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8A1
            • InitializeCriticalSection.KERNEL32(00000000,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8B7
            • LeaveCriticalSection.KERNEL32(6C3B0410,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8C5
            • EnterCriticalSection.KERNEL32(00000000,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC8D2
              • Part of subcall function 6C1FC908: InitializeCriticalSection.KERNEL32(6C3B0410,?,?,?,6C1E8ABC,00000001,?,6C1E8FDB,?,AfxFrameOrView140su,00007A02,?), ref: 6C1FC920
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CriticalSection$EnterInitialize$Leave
            • String ID:
            • API String ID: 713024617-0
            • Opcode ID: 041fe06e33fc25fb65eef31cce7c5d55a7714e0b9754a4913a62f5337000e63e
            • Instruction ID: fc46e66013ece37e933464b1ff35478a3eb5ce1bd37fd6c8885bd91a6eec8176
            • Opcode Fuzzy Hash: 041fe06e33fc25fb65eef31cce7c5d55a7714e0b9754a4913a62f5337000e63e
            • Instruction Fuzzy Hash: C9F0F6B2B0011C9BCE506F54CC4979DB7BCAB6332AF400125E11392941D735C8869EA6
            APIs
            • EnterCriticalSection.KERNEL32(6C3B04E0,?,?,?,?,6C1FEBCB,00000000,00000004,6C1F0223,6C1EA338,6C1F419C,?,6C1E871F), ref: 6C1FEAB2
            • TlsGetValue.KERNEL32(6C3B04C4,?,?,?,?,6C1FEBCB,00000000,00000004,6C1F0223,6C1EA338,6C1F419C,?,6C1E871F), ref: 6C1FEAC6
            • LeaveCriticalSection.KERNEL32(6C3B04E0,?,?,?,?,6C1FEBCB,00000000,00000004,6C1F0223,6C1EA338,6C1F419C,?,6C1E871F), ref: 6C1FEAE0
            • LeaveCriticalSection.KERNEL32(6C3B04E0,?,?,?,?,6C1FEBCB,00000000,00000004,6C1F0223,6C1EA338,6C1F419C,?,6C1E871F), ref: 6C1FEAEB
            Memory Dump Source
            • Source File: 00000003.00000002.1780901644.000000006C1C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C1C0000, based on PE: true
            • Associated: 00000003.00000002.1780888542.000000006C1C0000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781017666.000000006C353000.00000002.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781059733.000000006C3A8000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781076141.000000006C3AB000.00000008.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AD000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781093450.000000006C3AF000.00000004.00000001.01000000.00000006.sdmp
            • Associated: 00000003.00000002.1781128182.000000006C3B5000.00000002.00000001.01000000.00000006.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_6c1c0000_Update.jbxd
            Similarity
            • API ID: CriticalSection$Leave$EnterValue
            • String ID:
            • API String ID: 3969253408-0
            • Opcode ID: c4a49a7dac901cd14d26682932421b0c3bbc3a59a17d666c699b5e2c122b1257
            • Instruction ID: fa25ddf22497128646a2838f4b0a3d8bf6326f7dc8baffffc915ee000b928d1c
            • Opcode Fuzzy Hash: c4a49a7dac901cd14d26682932421b0c3bbc3a59a17d666c699b5e2c122b1257
            • Instruction Fuzzy Hash: 5AF06D32202115AFDB009F16C89494BB7BCFE063653054116F82697B10E661E9468BD0