Windows Analysis Report
2.exe

Overview

General Information

Sample name: 2.exe
Analysis ID: 1583227
MD5: 119a00350e1a20e1a3ea01153b91001b
SHA1: 743b83522858dfc1b7f6dc36d8671844a2832af3
SHA256: f8d8066380ecd1341441dd2b0b8562c5ec662148c86376cbc5da494af8434cee
Tags: exe, malware, trojan, xworm, user-Joker

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 2.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\2.exe" MD5: 119A00350E1A20E1A3EA01153B91001B)
  • cleanup

Malware Configuration

XWorm: {"C2 url": ["45.207.215.58"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara Overview

Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp
  Rule: JoeSecurity_XWorm (Joe Security): Yara detected XWorm
  Rule: rat_win_xworm_v3 (Sekoia.io): Finds XWorm (version XClient, v3) samples based on characteristic strings
    • 0x58a9:$str01: $VB$Local_Port
    • 0x589a:$str02: $VB$Local_Host
    • 0x5ba0:$str03: get_Jpeg
    • 0x5552:$str04: get_ServicePack
    • 0x656e:$str05: Select * from AntivirusProduct
    • 0x676c:$str06: PCRestart
    • 0x6780:$str07: shutdown.exe /f /r /t 0
    • 0x6832:$str08: StopReport
    • 0x6808:$str09: StopDDos
    • 0x68fe:$str10: sendPlugin
    • 0x697e:$str11: OfflineKeylogger Not Enabled
    • 0x6ad6:$str12: -ExecutionPolicy Bypass -File "
    • 0x6bff:$str13: Content-length: 5235
  Rule: MALWARE_Win_AsyncRAT (ditekSHen): Detects AsyncRAT
    • 0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6b1a:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
  Rule: Windows_Trojan_Donutloader_f40e3759 (author unknown)
    • 0x10794:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: Process Memory Space: 2.exe PID: 7392
  Rule: JoeSecurity_XWorm (Joe Security): Yara detected XWorm
Source: 0.2.2.exe.5140000.1.raw.unpack
  Rule: JoeSecurity_XWorm (Joe Security): Yara detected XWorm
  Rule: rat_win_xworm_v3 (Sekoia.io): Finds XWorm (version XClient, v3) samples based on characteristic strings
    • 0x58a9:$str01: $VB$Local_Port
    • 0x589a:$str02: $VB$Local_Host
    • 0x5ba0:$str03: get_Jpeg
    • 0x5552:$str04: get_ServicePack
    • 0x656e:$str05: Select * from AntivirusProduct
    • 0x676c:$str06: PCRestart
    • 0x6780:$str07: shutdown.exe /f /r /t 0
    • 0x6832:$str08: StopReport
    • 0x6808:$str09: StopDDos
    • 0x68fe:$str10: sendPlugin
    • 0x697e:$str11: OfflineKeylogger Not Enabled
    • 0x6ad6:$str12: -ExecutionPolicy Bypass -File "
    • 0x6bff:$str13: Content-length: 5235
  Rule: MALWARE_Win_AsyncRAT (ditekSHen): Detects AsyncRAT
    • 0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6b1a:$cnc4: POST / HTTP/1.1
Source: 0.2.2.exe.5140000.1.unpack
  Rule: JoeSecurity_XWorm (Joe Security): Yara detected XWorm
  Rule: rat_win_xworm_v3 (Sekoia.io): Finds XWorm (version XClient, v3) samples based on characteristic strings
    • 0x3aa9:$str01: $VB$Local_Port
    • 0x3a9a:$str02: $VB$Local_Host
    • 0x3da0:$str03: get_Jpeg
    • 0x3752:$str04: get_ServicePack
    • 0x476e:$str05: Select * from AntivirusProduct
    • 0x496c:$str06: PCRestart
    • 0x4980:$str07: shutdown.exe /f /r /t 0
    • 0x4a32:$str08: StopReport
    • 0x4a08:$str09: StopDDos
    • 0x4afe:$str10: sendPlugin
    • 0x4b7e:$str11: OfflineKeylogger Not Enabled
    • 0x4cd6:$str12: -ExecutionPolicy Bypass -File "
    • 0x4dff:$str13: Content-length: 5235
          No Sigma rule has matched
Suricata IDS Alerts

Timestamp: 2025-01-02T09:06:03.236124+0100 | SID: 2853193 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source: 192.168.2.4:50042 | Destination: 45.207.215.58:7000 | Protocol: TCP


          AV Detection

Source: 00000000.00000002.4141051556.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["45.207.215.58"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 2.exe | Virustotal: Detection: 65%
Source: 2.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp | String decryptor: 45.207.215.58
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp | String decryptor: 7000
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp | String decryptor: <123456789>
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp | String decryptor: Devilsuncle V5.6
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp | String decryptor: USB.exe
Source: 2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00F97965 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s
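The extractor's "Aes key" and "SPL" values, together with the AlgorithmAES.cs / TransformFinalBlock hits listed further down, are what an analyst needs to read this client's traffic. The Go program below is an added example, not code from this report or from the XWorm project: it rebuilds the key expansion and AES-ECB/Base64 layer as publicly documented for XWorm v3 (that scheme is an assumption here; the report itself only shows the settings and the API names), then splits a decrypted message on the SPL token the way the client separates command from arguments. The message it encrypts and decrypts is constructed, not captured traffic.

```go
// Added example (not code from the report or from XWorm itself). Key schedule,
// AES-ECB mode and Base64 framing follow the publicly documented XWorm v3
// scheme and are assumptions here; the message in main() is constructed.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Settings recovered by the sandbox's configuration extractor.
const (
	ConfigKey = "<123456789>"
	ConfigSPL = "<Xwormmm>"
)

// DeriveKey mirrors the documented XWorm expansion: MD5 of the key string is
// copied to offset 0 and again to offset 15 of a 32-byte buffer, so byte 15 is
// overwritten and byte 31 stays zero. AES-256 in name only (<=128 bits entropy).
func DeriveKey(keyString string) []byte {
	sum := md5.Sum([]byte(keyString))
	key := make([]byte, 32)
	copy(key[0:16], sum[:])
	copy(key[15:31], sum[:])
	return key
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad expects a non-empty, block-aligned buffer (checked by the caller).
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// ecb runs the block function over each 16-byte block; no IV, no chaining.
func ecb(block func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		block(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}

// Encrypt is the client direction: UTF-8 -> PKCS#7 -> AES-ECB -> Base64.
func Encrypt(keyString, plaintext string) string {
	c, _ := aes.NewCipher(DeriveKey(keyString)) // 32-byte key cannot fail
	return base64.StdEncoding.EncodeToString(ecb(c.Encrypt, pkcs7Pad([]byte(plaintext))))
}

// Decrypt is the analyst direction; with a wrong key it is the padding check
// that fails, so "bad padding" usually means a rotated or mistyped key.
func Decrypt(keyString, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext not block aligned")
	}
	c, err := aes.NewCipher(DeriveKey(keyString))
	if err != nil {
		return "", err
	}
	pt, err := pkcs7Unpad(ecb(c.Decrypt, ct))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SplitCommand splits a decrypted message on the SPL token: the first field is
// the command name (cf. the Yara strings PCRestart, StopDDos, sendPlugin), the
// rest are its arguments.
func SplitCommand(spl, msg string) (string, []string) {
	parts := strings.Split(msg, spl)
	return parts[0], parts[1:]
}

func main() {
	wire := Encrypt(ConfigKey, "sendPlugin"+ConfigSPL+"DEADBEEF") // constructed
	msg, err := Decrypt(ConfigKey, wire)
	if err != nil {
		panic(err)
	}
	cmd, args := SplitCommand(ConfigSPL, msg)
	fmt.Printf("key=%x\nwire=%s\ncmd=%s args=%q\n", DeriveKey(ConfigKey), wire, cmd, args)
}
```

Two things worth noting when using this against real captures: ECB with a static, human-chosen key string means every client built from the same builder profile shares the key, so the key string itself (and the MD5-derived 32-byte value) is a reusable hunting indicator, and identical commands produce identical ciphertext blocks. The report shows the client also used the unmodified SPL default <Xwormmm>, so the SPL split above applies without change to this sample.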

          Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49837 -> 45.207.215.58:7000
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:50042 -> 45.207.215.58:7000
Source: Malware configuration extractor | URLs: 45.207.215.58
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 45.207.215.58:7000
Source: Joe Sandbox View | ASN Name: SKHT-AS ShenzhenKatherineHengTechnologyInformationCo
Source: unknown | TCP traffic detected without corresponding DNS query: 45.207.215.58 (reported 50 times)
Source: 2.exe, 00000000.00000002.4141051556.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_0100B18F __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FD015A GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_01006155 __EH_prolog3_GS,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,_free,SendMessageA,GetParent
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00F8E181 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FDA29E GetParent,GetKeyState,GetKeyState,GetKeyState,SendMessageA,SendMessageA,SendMessageA
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FF2373 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FB84D7 IsWindow,SendMessageA,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FB6642 IsWindow,SendMessageA,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FAED51 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_01021091 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_010055BD GetKeyState,GetKeyState,GetKeyState,GetTickCount,SetCapture,PeekMessageA,GetCapture,PeekMessageA,PeekMessageA,PtInRect,GetTickCount,ReleaseCapture
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_0100B5CB GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FD96DB MessageBeep,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA
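The repeated "TCP traffic detected without corresponding DNS query" signal above is one a SOC can reproduce from its own flow and DNS logs rather than only in a sandbox. The Go program below is an added example and not part of the report: it implements that heuristic over Zeek-style conn and dns records, flagging a TCP connection to a public address that no DNS answer resolved within a lookback window, and noting when the port is not 80/443 (the report's beacons go to port 7000). The records are constructed to mirror this analysis (50 connections to 45.207.215.58:7000 with no DNS for it, plus one resolved HTTPS session that must not fire); the field names, the one-hour window and the 80/443 allow-list are assumptions, not Zeek's or Joe Sandbox's own.

```go
// Added example, not from the report: the "TCP traffic without corresponding
// DNS query" heuristic re-implemented over Zeek-style conn and dns records.
// Record layout, the 80/443 allow-list and the lookback window are assumptions.
package main

import (
	"fmt"
	"net"
	"sort"
	"time"
)

// DNSAnswer is one resolved A record: when it was seen and which IP it returned.
type DNSAnswer struct {
	TS     time.Time
	Query  string
	Answer string
}

// Conn is one outbound connection from the monitored host.
type Conn struct {
	TS      time.Time
	DstIP   string
	DstPort int
	Proto   string
}

// Finding aggregates every flagged connection to one ip:port.
type Finding struct {
	DstIP   string
	DstPort int
	Count   int
	Reason  string
}

// Ports where raw-IP connections are common enough (CDNs, OCSP) to be noisy.
var wellKnownPorts = map[int]bool{80: true, 443: true}

// resolvedBefore reports whether the IP appeared in a DNS answer within
// lookback before ts. times must be sorted ascending.
func resolvedBefore(times []time.Time, ts time.Time, lookback time.Duration) bool {
	i := sort.Search(len(times), func(i int) bool { return times[i].After(ts) })
	return i > 0 && ts.Sub(times[i-1]) <= lookback
}

// Detect returns one Finding per public ip:port contacted over TCP without a
// DNS answer for that IP inside the lookback window. Private, loopback and
// unparsable destinations are ignored; a non 80/443 port is noted in Reason.
func Detect(conns []Conn, dns []DNSAnswer, lookback time.Duration) []Finding {
	byIP := map[string][]time.Time{}
	for _, a := range dns {
		byIP[a.Answer] = append(byIP[a.Answer], a.TS)
	}
	for _, ts := range byIP {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
	}
	agg := map[string]*Finding{}
	var order []string // first-seen order for stable output
	for _, c := range conns {
		ip := net.ParseIP(c.DstIP)
		if c.Proto != "tcp" || ip == nil || ip.IsPrivate() || ip.IsLoopback() {
			continue
		}
		if resolvedBefore(byIP[c.DstIP], c.TS, lookback) {
			continue
		}
		k := fmt.Sprintf("%s:%d", c.DstIP, c.DstPort)
		f, ok := agg[k]
		if !ok {
			f = &Finding{DstIP: c.DstIP, DstPort: c.DstPort, Reason: "tcp to ip never resolved via dns"}
			if !wellKnownPorts[c.DstPort] {
				f.Reason += "; non-standard port"
			}
			agg[k] = f
			order = append(order, k)
		}
		f.Count++
	}
	out := make([]Finding, 0, len(order))
	for _, k := range order {
		out = append(out, *agg[k])
	}
	return out
}

// SampleLogs builds the constructed dataset: one HTTPS session whose address
// was resolved a second earlier (must not fire), then 50 beacons at 10 s
// intervals to the report's C2 with no DNS lookup at all (must fire once).
func SampleLogs() ([]Conn, []DNSAnswer) {
	t0 := time.Date(2025, 1, 2, 9, 5, 0, 0, time.UTC)
	dns := []DNSAnswer{{TS: t0, Query: "www.example.com", Answer: "203.0.113.10"}}
	conns := []Conn{{TS: t0.Add(time.Second), DstIP: "203.0.113.10", DstPort: 443, Proto: "tcp"}}
	for i := 0; i < 50; i++ {
		conns = append(conns, Conn{
			TS:    t0.Add(time.Minute + time.Duration(i)*10*time.Second),
			DstIP: "45.207.215.58", DstPort: 7000, Proto: "tcp",
		})
	}
	return conns, dns
}

func main() {
	conns, dns := SampleLogs()
	for _, f := range Detect(conns, dns, time.Hour) {
		fmt.Printf("%s:%d count=%d (%s)\n", f.DstIP, f.DstPort, f.Count, f.Reason)
	}
}
```

In production the lookback needs to cover the resolver's TTL caching (a host that resolved a name yesterday can legitimately reconnect today without a new query), and DNS visibility must include encrypted resolvers or the rule fires on everything; the aggregation by ip:port keeps 50 beacons to one C2 as a single alert rather than 50.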

          System Summary

Source: 0.2.2.exe.5140000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
Source: 0.2.2.exe.5140000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT (Author: ditekSHen)
Source: 0.2.2.exe.5140000.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
Source: 0.2.2.exe.5140000.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT (Author: ditekSHen)
Source: 0.2.2.exe.f80000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 (Author: unknown)
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT (Author: ditekSHen)
Source: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 (Author: unknown)
Source: C:\Users\user\Desktop\2.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00F9C5BA
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FEE628
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_010106F0
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FCCAEB
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FFCCD5
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_01076D2B
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FA54B9
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FED58C
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FFD624
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00F81AF0
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FFBA64
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00F81A30
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_01085BFC
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FBDD8A
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_051555D8
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_05154D08
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_051507A0
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_051549C0
Source: C:\Users\user\Desktop\2.exe | Code function: String function: 010762FB appears 511 times
Source: C:\Users\user\Desktop\2.exe | Code function: String function: 01076364 appears 166 times
Source: C:\Users\user\Desktop\2.exe | Code function: String function: 00F878A5 appears 32 times
Source: C:\Users\user\Desktop\2.exe | Code function: String function: 010765B0 appears 43 times
Source: C:\Users\user\Desktop\2.exe | Code function: String function: 0107632E appears 34 times
Source: 2.exe, 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs 2.exe
Source: 2.exe, 00000000.00000000.1670089544.00000000010F8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMicrosoft Edge.InkF vs 2.exe
Source: 2.exe | Binary or memory string: OriginalFilenameMicrosoft Edge.InkF vs 2.exe
Source: 2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.2.exe.5140000.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.2.exe.5140000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.2.exe.5140000.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.2.exe.5140000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.2.exe.f80000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.2.exe.5140000.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2.exe.5140000.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2.exe.5140000.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.exe, 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: .SlN%Y
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00F81150 CreateToolhelp32Snapshot,_memset,Process32First,Process32Next,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00FCC81B __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,__cftof,CoInitializeEx,CoCreateInstance
Source: C:\Users\user\Desktop\2.exe | Code function: 0_2_00F864ED FindResourceA,LoadResource,LockResource,FreeResource
Source: C:\Users\user\Desktop\2.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\2.exe | Mutant created: \Sessions\1\BaseNamedObjects\AzIZuOvJY7Sxc3Jf
Source: 2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2.exe | Virustotal: Detection: 65%
Source: 2.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\2.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: 2.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 2.exe | Static file information: File size 1749504 > 1048576
Source: 2.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117800
Source: 2.exe | Static PE information: More than 200 imports for USER32.dll
Source: 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

          Data Obfuscation

          Source: 0.2.2.exe.5140000.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
          Source: 0.2.2.exe.5140000.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
          Source: 0.2.2.exe.5140000.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
          Source: 0.2.2.exe.5140000.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
          Source: 0.2.2.exe.5140000.1.raw.unpack, Messages.cs.Net Code: Memory
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_0107C313 DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary,0_2_0107C313
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_010763D3 push ecx; ret 0_2_010763E6
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_010765F5 push ecx; ret 0_2_01076608
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_05156B88 pushad ; ret 0_2_05156B89
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FA0095 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageA,UpdateWindow,SendMessageA,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,0_2_00FA0095
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FF4859 IsIconic,PostMessageA,0_2_00FF4859
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FF293E IsWindow,GetFocus,IsChild,SendMessageA,IsChild,SendMessageA,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,0_2_00FF293E
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FF33CD GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,0_2_00FF33CD
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FAF552 IsWindowVisible,IsIconic,0_2_00FAF552
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FF36CD IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,0_2_00FF36CD
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FC98FB GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,0_2_00FC98FB
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FB3CC6 IsIconic,0_2_00FB3CC6
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FF3C94 IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageA,PtInRect,SendMessageA,ScreenToClient,PtInRect,GetParent,SendMessageA,GetFocus,WindowFromPoint,SendMessageA,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageA,0_2_00FF3C94
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00FB3C22 SetForegroundWindow,IsIconic,0_2_00FB3C22
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00F96406 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyA,lstrcpyA,EnumFontFamiliesA,EnumFontFamiliesA,lstrcpyA,EnumFontFamiliesA,lstrcpyA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,GetSystemMetrics,lstrcpyA,CreateFontIndirectA,GetStockObject,GetStockObject,GetObjectA,GetObjectA,lstrcpyA,CreateFontIndirectA,CreateFontIndirectA,GetStockObject,GetObjectA,CreateFontIndirectA,CreateFontIndirectA,__EH_prolog3_GS,GetVersionExA,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00F96406
Source: C:\Users\user\Desktop\2.exe Process information set: NOOPENFILEERRORBOX (41 identical entries)

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (51 identical entries)
Source: C:\Users\user\Desktop\2.exe Memory allocated: 28B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2.exe Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2.exe Memory allocated: 2BF0000 memory reserve | memory write watch (MEM_WRITE_WATCH reservations are also how the .NET GC manages its heap, so for a managed binary this is weak evidence on its own)
Source: C:\Users\user\Desktop\2.exe Thread delayed: delay time: 922337203685477 (TimeSpan.MaxValue expressed in milliseconds, i.e. an effectively infinite sleep that only returns because the sandbox fast-forwards it)
Source: C:\Users\user\Desktop\2.exe Window / User API: threadDelayed 9824
Source: C:\Users\user\Desktop\2.exe API coverage: 2.5 %
Source: C:\Users\user\Desktop\2.exe TID: 7480 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\Desktop\2.exe TID: 7492 Thread sleep count: 9824 > 30
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\2.exe File Volume queried: C:\ FullSizeInformation (43 identical entries)
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00F97965 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s,0_2_00F97965
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_01078561 VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,0_2_01078561
Source: 2.exe, 00000000.00000002.4139838591.0000000000809000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\2.exe API call chain: ExitProcess graph end node graph_0-87942
Source: C:\Users\user\Desktop\2.exe Process information queried: ProcessInformation

          Anti Debugging

Source: C:\Users\user\Desktop\2.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_0107C421 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0107C421
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_01078561 VirtualProtect ?,-00000001,00000104,? 0_2_01078561
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_0107C313 DecodePointer,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,GetLastError,EncodePointer,InterlockedExchange,FreeLibrary,0_2_0107C313
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_010EFE2B mov eax, dword ptr fs:[00000030h] 0_2_010EFE2B
Source: C:\Users\user\Desktop\2.exe Process token adjusted: Debug
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_0107C421 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0107C421
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_01074C92 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_01074C92 (this exact call sequence is the MSVC CRT's __report_gsfailure / abort path, not a hand-written debugger check; the PEB read at fs:[30h] above is the stronger indicator)
Source: C:\Users\user\Desktop\2.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\2.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,0_2_00F82D4F
Source: C:\Users\user\Desktop\2.exe Code function: __EH_prolog3_GS,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetNumberFormatA,GetLocaleInfoA,lstrlenA,0_2_00FCF35D
Source: C:\Users\user\Desktop\2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_010797D1 GetSystemTimeAsFileTime,__aulldiv,0_2_010797D1
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_01082D70 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_01082D70
Source: C:\Users\user\Desktop\2.exe Code function: 0_2_00F96406 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyA,lstrcpyA,EnumFontFamiliesA,EnumFontFamiliesA,lstrcpyA,EnumFontFamiliesA,lstrcpyA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,GetSystemMetrics,lstrcpyA,CreateFontIndirectA,GetStockObject,GetStockObject,GetObjectA,GetObjectA,lstrcpyA,CreateFontIndirectA,CreateFontIndirectA,GetStockObject,GetObjectA,CreateFontIndirectA,CreateFontIndirectA,__EH_prolog3_GS,GetVersionExA,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00F96406
Source: C:\Users\user\Desktop\2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 2.exe, 00000000.00000002.4139838591.0000000000873000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s Defender\MsMpeng.exe
Source: 2.exe, 2.exe, 00000000.00000000.1670026648.0000000001099000.00000002.00000001.01000000.00000003.sdmp, 2.exe, 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 360Safe.exe
Source: 2.exe, 00000000.00000002.4139838591.0000000000873000.00000004.00000020.00020000.00000000.sdmp, 2.exe, 00000000.00000002.4139838591.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, 2.exe, 00000000.00000002.4139838591.000000000084E000.00000004.00000020.00020000.00000000.sdmp, 2.exe, 00000000.00000002.4141970539.0000000006010000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 2.exe, 2.exe, 00000000.00000000.1670026648.0000000001099000.00000002.00000001.01000000.00000003.sdmp, 2.exe, 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 360Tray.exe
Source: C:\Users\user\Desktop\2.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (51 identical entries)
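The evasion and anti-analysis entries above (repeated Win32_VideoController queries, the TimeSpan.MaxValue sleep, the 9824-iteration sleep loop, and the AntivirusProduct queries in this section) are the host-fingerprinting-plus-stalling pattern a sandbox has to fast-forward through. The script below is an added example, not part of the Joe Sandbox report: it reads lines in the format the report uses, counts the WMI fingerprinting queries, and recognises the delay value 922337203685477 as TimeSpan.MaxValue in milliseconds. The sample lines inside are constructed copies of the report's own format; the FINGERPRINT_CLASSES set, the loop threshold and the verdict rule are this example's choices, not fields of the report.

```python
import re
from collections import Counter

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in whole
# milliseconds that is exactly the delay value the report shows.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477

WMI_RE = re.compile(r"WMI Queries: IWbemServices::ExecQuery - (\S+) : (.+?)\s*$")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
LOOP_RE = re.compile(r"Thread sleep count: (\d+) > (\d+)")

# WMI classes this sample enumerates that are typical VM / AV fingerprinting
# (this set is the example's own choice).
FINGERPRINT_CLASSES = {"Win32_VideoController", "AntivirusProduct"}


def summarise(lines):
    """Return the evasion-relevant counts found in a list of report lines."""
    wmi = Counter()
    infinite_sleeps = 0
    loop_counts = []
    for line in lines:
        if m := WMI_RE.search(line):
            namespace, query = m.groups()
            wmi[(namespace, query.split()[-1])] += 1     # class is the last token
        elif m := DELAY_RE.search(line):
            if int(m.group(1)) >= TIMESPAN_MAX_MS:
                infinite_sleeps += 1
        elif m := LOOP_RE.search(line):
            loop_counts.append(int(m.group(1)))
    fingerprinting = {cls: n for (_, cls), n in wmi.items() if cls in FINGERPRINT_CLASSES}
    max_loop = max(loop_counts, default=0)
    return {
        "wmi": dict(wmi),
        "fingerprinting": fingerprinting,
        "infinite_sleeps": infinite_sleeps,
        "max_sleep_loop": max_loop,
        # Verdict rule (this example's own): fingerprinting combined with a
        # stalling primitive, either an infinite sleep or a long sleep loop.
        "stalls_and_fingerprints": bool(fingerprinting)
                                   and (infinite_sleeps > 0 or max_loop > 30),
    }


# Constructed sample: lines copied in the report's own format.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Users\user\Desktop\2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Users\user\Desktop\2.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"Source: C:\Users\user\Desktop\2.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\2.exe TID: 7492 Thread sleep count: 9824 > 30",
    r"Source: C:\Users\user\Desktop\2.exe Process information set: NOOPENFILEERRORBOX",
]

if __name__ == "__main__":
    print(summarise(SAMPLE_LINES))
```

Two caveats when reading the raw entries this way: the "Hyper-V RAW" string found in memory is typically the name of the Winsock Hyper-V socket provider that mswsock.dll registers on ordinary Windows hosts, so it is not by itself evidence of a VM check, and the MEM_WRITE_WATCH reservations are what the .NET GC heap uses on every managed process. The WMI queries and the sleep values are the entries that actually carry signal.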

          Stealing of Sensitive Information

Source: Yara match File source: 0.2.2.exe.5140000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2.exe.5140000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2.exe PID: 7392, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match, File source: 0.2.2.exe.5140000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.2.exe.5140000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 2.exe PID: 7392, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques highlighted in the report, grouped by tactic. The number in parentheses is the badge value shown next to the technique in the matrix.

Execution: Windows Management Instrumentation (11), Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1)
Defense Evasion: Disable or Modify Tools (11), Virtualization/Sandbox Evasion (232), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Software Packing (2), DLL Side-Loading (1)
Credential Access: Input Capture (21)
Discovery: System Time Discovery (2), Security Software Discovery (231), Virtualization/Sandbox Evasion (232), Process Discovery (2), Application Window Discovery (11), File and Directory Discovery (1), System Information Discovery (26)
Collection: Input Capture (21), Archive Collected Data (11), Clipboard Data (1)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no highlighted techniques
Source | Detection | Scanner | Label
2.exe | 65% | Virustotal |
2.exe | 58% | ReversingLabs | Win32.Trojan.XWorm
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
45.207.215.58 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
45.207.215.58 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 2.exe, 00000000.00000002.4141051556.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
45.207.215.58 | unknown | Seychelles | 135357 | SKHT-ASShenzhenKatherineHengTechnologyInformationCo | true
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1583227
            Start date and time:2025-01-02 09:02:05 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 32s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:2.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@1/0@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 93%
            • Number of executed functions: 39
            • Number of non-executed functions: 336
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:02:57 | API Interceptor | 7332576x Sleep call for process: 2.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
45.207.215.58 | 1.exe | Get hash | malicious | XWorm | Browse |
45.207.215.58 | mIba7sY5sD.elf | Get hash | malicious | Okiru | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | 1.exe | Get hash | malicious | XWorm | Browse | 45.207.215.58
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | boatnet.mpsl.elf | Get hash | malicious | Mirai | Browse | 154.216.17.216
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | boatnet.arm.elf | Get hash | malicious | Mirai | Browse | 154.216.17.216
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | boatnet.arm7.elf | Get hash | malicious | Mirai | Browse | 154.216.17.216
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | boatnet.ppc.elf | Get hash | malicious | Mirai | Browse | 154.216.17.216
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | boatnet.mips.elf | Get hash | malicious | Mirai | Browse | 154.216.17.216
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | boatnet.sh4.elf | Get hash | malicious | Mirai | Browse | 154.216.17.216
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | boatnet.x86.elf | Get hash | malicious | Mirai | Browse | 154.216.17.216
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | boatnet.spc.elf | Get hash | malicious | Mirai | Browse | 154.216.17.216
SKHT-ASShenzhenKatherineHengTechnologyInformationCo | heteronymous.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 154.216.18.62
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.555504520761382
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:2.exe
                File size:1'749'504 bytes
                MD5:119a00350e1a20e1a3ea01153b91001b
                SHA1:743b83522858dfc1b7f6dc36d8671844a2832af3
                SHA256:f8d8066380ecd1341441dd2b0b8562c5ec662148c86376cbc5da494af8434cee
                SHA512:7b8320e44f54f6c1e9b43ba41b7c7cf8fa9b1c2a7c78ed0c3648c4835b202de2d19884cfa1f380b8210df771d661542cc9044308687269fddfa9dfeeebe43ae2
                SSDEEP:49152:9ORCQxgswnpPJDps5v/FyqnL0t9sSeO6ONSuA7MjsfdVx7X+0YRYs:9nQxgswpPJDpS9bL0t9sS2ONSuA73DVA
                TLSH:E285AD3D7A619876C6323131854EF3BAE2BA8AB04DB5575766901F3C2F304D2892C76F
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.qNb...b...b...k...n.......O...................k...K...b...c.......a.......c.......c...Richb...........................PE..L..
                Icon Hash:9e1f191f6777733a
                Entrypoint:0x4f5f0d
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                Time Stamp:0x675F85C6 [Mon Dec 16 01:43:34 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2412baa1f91d30db11660ad19c16100b
                Instruction
                call 00007F7A21011CCBh
                jmp 00007F7A21007C3Eh
                mov edi, edi
                push ebp
                mov ebp, esp
                push ecx
                push ebx
                mov eax, dword ptr [ebp+0Ch]
                add eax, 0Ch
                mov dword ptr [ebp-04h], eax
                mov ebx, dword ptr fs:[00000000h]
                mov eax, dword ptr [ebx]
                mov dword ptr fs:[00000000h], eax
                mov eax, dword ptr [ebp+08h]
                mov ebx, dword ptr [ebp+0Ch]
                mov ebp, dword ptr [ebp-04h]
                mov esp, dword ptr [ebx-04h]
                jmp eax
                pop ebx
                leave
                retn 0008h
                pop eax
                pop ecx
                xchg dword ptr [esp], eax
                jmp eax
                mov edi, edi
                push ebp
                mov ebp, esp
                push ecx
                push ecx
                push ebx
                push esi
                push edi
                mov esi, dword ptr fs:[00000000h]
                mov dword ptr [ebp-04h], esi
                mov dword ptr [ebp-08h], 004F5F7Bh
                push 00000000h
                push dword ptr [ebp+0Ch]
                push dword ptr [ebp-08h]
                push dword ptr [ebp+08h]
                call 00007F7A2101D8D2h
                mov eax, dword ptr [ebp+0Ch]
                mov eax, dword ptr [eax+04h]
                and eax, FFFFFFFDh
                mov ecx, dword ptr [ebp+0Ch]
                mov dword ptr [ecx+04h], eax
                mov edi, dword ptr fs:[00000000h]
                mov ebx, dword ptr [ebp-04h]
                mov dword ptr [ebx], edi
                mov dword ptr fs:[00000000h], ebx
                pop edi
                pop esi
                pop ebx
                leave
                retn 0008h
                push ebp
                mov ebp, esp
                sub esp, 08h
                push ebx
                push esi
                push edi
                cld
                mov dword ptr [ebp-04h], eax
                xor eax, eax
                push eax
                push eax
                push eax
                push dword ptr [ebp-04h]
                push dword ptr [ebp+14h]
                push dword ptr [ebp+10h]
                push dword ptr [ebp+0Ch]
                push dword ptr [ebp+08h]
                call 00007F7A210128A5h
                add esp, 20h
                mov dword ptr [ebp-08h], eax
                pop edi
                pop esi
                pop ebx
                mov eax, dword ptr [ebp+00h]
                Programming Language:
                • [ C ] VS2008 SP1 build 30729
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [C++] VS2010 build 30319
                • [IMP] VS2008 SP1 build 30729
                • [RES] VS2010 build 30319
                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x155854 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x178000 | 0x13f80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18c000 | 0x197e8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x119cf0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1407c0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x119000 | 0x92c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11778b | 0x117800 | 903291924b9b60629c10ab56d40a3783 | False | 0.5608988917151163 | COM executable for DOS | 6.533607267775877 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x119000 | 0x3fa20 | 0x3fc00 | 88f6bf699551419e91214bb39b70f0fb | False | 0.2682329963235294 | data | 5.096045151045352 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x159000 | 0x1e7e4 | 0x17400 | 368c12c069e412a97ffbaf8b1214b993 | False | 0.8108303931451613 | data | 7.604032792240809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x178000 | 0x13f80 | 0x14000 | 6fa24f32af9342580a67dcda73dac792 | False | 0.73487548828125 | data | 6.835151820226615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x18c000 | 0x28438 | 0x28600 | 121aefc712dc7dfc9f7aba74f211daae | False | 0.26438540054179566 | data | 4.95101252025854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x178d78 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805
RT_CURSOR | 0x178eac | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7
RT_CURSOR | 0x178f60 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.36363636363636365
RT_CURSOR | 0x179094 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.35714285714285715
RT_CURSOR | 0x1791c8 | 0x134 | data | Chinese | China | 0.37337662337662336
RT_CURSOR | 0x1792fc | 0x134 | data | Chinese | China | 0.37662337662337664
RT_CURSOR | 0x179430 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687
RT_CURSOR | 0x179564 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664
RT_CURSOR | 0x179698 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687
RT_CURSOR | 0x1797cc | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.38636363636363635
RT_CURSOR | 0x179900 | 0x134 | data | Chinese | China | 0.44155844155844154
RT_CURSOR | 0x179a34 | 0x134 | data | Chinese | China | 0.4155844155844156
RT_CURSOR | 0x179b68 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.5422077922077922
RT_CURSOR | 0x179c9c | 0x134 | data | Chinese | China | 0.2662337662337662
RT_CURSOR | 0x179dd0 | 0x134 | data | Chinese | China | 0.2824675324675325
RT_CURSOR | 0x179f04 | 0x134 | data | Chinese | China | 0.3246753246753247
RT_BITMAP | 0x17a038 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346
RT_BITMAP | 0x17a0f0 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965
RT_ICON | 0x17a234 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | Chinese | China | 0.5335365853658537
RT_ICON | 0x17a89c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Chinese | China | 0.646505376344086
RT_ICON | 0x17ab84 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | Chinese | China | 0.6598360655737705
RT_ICON | 0x17ad6c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Chinese | China | 0.6385135135135135
RT_ICON | 0x17ae94 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Chinese | China | 0.6260660980810234
RT_ICON | 0x17bd3c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Chinese | China | 0.7793321299638989
RT_ICON | 0x17c5e4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Chinese | China | 0.8231566820276498
RT_ICON | 0x17ccac | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Chinese | China | 0.6575144508670521
RT_ICON | 0x17d214 | 0x93cb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9988106250825954
RT_ICON | 0x1865e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.5116182572614107
RT_ICON | 0x188b88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.6109287054409006
RT_ICON | 0x189c30 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Chinese | China | 0.6221311475409836
RT_ICON | 0x18a5b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.7402482269503546
RT_DIALOG | 0x18aa20 | 0x120 | data | Chinese | China | 0.6145833333333334
RT_DIALOG | 0x18ab40 | 0xd8 | data | Chinese | China | 0.7268518518518519
RT_DIALOG | 0x18ac18 | 0xe2 | data | Chinese | China | 0.6769911504424779
RT_DIALOG | 0x18acfc | 0x34 | data | Chinese | China | 0.8653846153846154
RT_STRING | 0x18ad30 | 0x44 | data | Chinese | China | 0.6764705882352942
RT_STRING | 0x18ad74 | 0x4e | data | Chinese | China | 0.8461538461538461
RT_STRING | 0x18adc4 | 0x2c | data | Chinese | China | 0.5909090909090909
RT_STRING | 0x18adf0 | 0x84 | data | Chinese | China | 0.9166666666666666
RT_STRING | 0x18ae74 | 0x1c4 | data | Chinese | China | 0.8053097345132744
RT_STRING | 0x18b038 | 0x14e | data | Chinese | China | 0.5179640718562875
RT_STRING | 0x18b188 | 0x10e | data | Chinese | China | 0.7037037037037037
RT_STRING | 0x18b298 | 0x50 | data | Chinese | China | 0.7125
RT_STRING | 0x18b2e8 | 0x44 | data | Chinese | China | 0.6764705882352942
RT_STRING | 0x18b32c | 0x68 | data | Chinese | China | 0.7019230769230769
RT_STRING | 0x18b394 | 0x1b2 | data | Chinese | China | 0.6474654377880185
RT_STRING | 0x18b548 | 0xf4 | data | Chinese | China | 0.6065573770491803
RT_STRING | 0x18b63c | 0x24 | data | Chinese | China | 0.4722222222222222
RT_STRING | 0x18b660 | 0x1a6 | data | Chinese | China | 0.6658767772511849
RT_GROUP_CURSOR | 0x18b808 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822
RT_GROUP_CURSOR | 0x18b82c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b840 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b854 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b868 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b87c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b890 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b8a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b8b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b8cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b8e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b8f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b908 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b91c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x18b930 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_ICON | 0x18b944 | 0xbc | data | Chinese | China | 0.6117021276595744
RT_VERSION | 0x18ba00 | 0x314 | data | Chinese | China | 0.4010152284263959
RT_MANIFEST | 0x18bd14 | 0x26a | ASCII text, with very long lines (618), with no line terminators | English | United States | 0.43042071197411
DLL | Import
KERNEL32.dll | IsValidCodePage, GetStdHandle, LCMapStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, QueryPerformanceCounter, GetStringTypeW, CompareStringW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, WriteConsoleW, CreateFileW, FindResourceW, HeapCreate, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetFileType, SetStdHandle, GetSystemTimeAsFileTime, HeapSize, HeapQueryInformation, HeapReAlloc, VirtualQuery, GetSystemInfo, LoadResource, LockResource, SizeofResource, WideCharToMultiByte, CreateThread, TerminateThread, Sleep, Process32Next, Process32First, CreateToolhelp32Snapshot, FreeLibrary, VirtualAlloc, RaiseException, ExitThread, RtlUnwind, GetStartupInfoW, HeapSetInformation, GetCommandLineA, ExitProcess, HeapAlloc, HeapFree, DecodePointer, EncodePointer, FindResourceExW, SearchPathA, GetProfileIntA, GetTickCount, InitializeCriticalSectionAndSpinCount, GetNumberFormatA, GetWindowsDirectoryA, GetTempPathA, GetTempFileNameA, GetFileTime, GetFileSizeEx, GetFileAttributesA, FileTimeToLocalFileTime, GetFileAttributesExA, SetErrorMode, GetOEMCP, GetCPInfo, FileTimeToSystemTime, GetACP, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, SetEnvironmentVariableA, ReadFile, lstrcmpiA, lstrcpyA, DeleteFileA, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, GetCurrentDirectoryA, GlobalGetAtomNameA, GlobalFindAtomA, GetVersionExA, LoadLibraryW, lstrcmpW, InterlockedDecrement, GetModuleFileNameW, ReleaseActCtx, CreateActCtxW, CopyFileA, GlobalSize, FormatMessageA, LocalFree, lstrlenW, MulDiv, GlobalUnlock, GlobalFree, FindResourceA, FreeResource, GetCurrentProcessId, GlobalAddAtomA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, lstrlenA, WaitForSingleObject, ResumeThread, SetThreadPriority, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, MultiByteToWideChar, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, GetModuleFileNameA, GetLocaleInfoA, CompareStringA, ActivateActCtx, LoadLibraryA, GetLastError, DeactivateActCtx, SetLastError, InterlockedExchange, GlobalLock, lstrcmpA, GlobalAlloc, GetModuleHandleW, GetProcAddress, CloseHandle, VirtualProtect, CreateFileA, GetModuleHandleA
USER32.dll | IsDialogMessageA, SetWindowTextA, MoveWindow, ShowWindow, CharUpperA, IntersectRect, OffsetRect, LoadMenuW, SetWindowRgn, RedrawWindow, MessageBeep, NotifyWinEvent, GetAsyncKeyState, IsZoomed, IsRectEmpty, UnionRect, EnableScrollBar, SetCapture, MonitorFromPoint, IsMenu, CreatePopupMenu, SetMenuDefaultItem, GetMenuDefaultItem, UnregisterClassA, TranslateAcceleratorA, BringWindowToTop, InsertMenuItemA, LoadAcceleratorsA, LoadImageA, LoadMenuA, ReuseDDElParam, SetParent, DestroyAcceleratorTable, SetClassLongA, DrawIconEx, DrawEdge, DrawFocusRect, CopyAcceleratorTableA, ToAsciiEx, MapVirtualKeyA, GetKeyboardLayout, GetKeyboardState, LoadAcceleratorsW, CreateAcceleratorTableA, SetRect, SetCursorPos, LockWindowUpdate, InvertRect, HideCaret, GetIconInfo, CopyImage, GetNextDlgGroupItem, OpenClipboard, SetClipboardData, CloseClipboard, EmptyClipboard, LoadImageW, RegisterClipboardFormatA, FrameRect, CopyIcon, CharUpperBuffA, PostThreadMessageA, GetKeyNameTextA, DefFrameProcA, DefMDIChildProcA, DrawMenuBar, TranslateMDISysAccel, CreateMenu, IsClipboardFormatAvailable, GetUpdateRect, GetDoubleClickTime, IsCharLowerA, MapVirtualKeyExA, SubtractRect, DestroyCursor, MapDialogRect, CheckDlgButton, RegisterWindowMessageA, DeleteMenu, WaitMessage, RealChildWindowFromPoint, LoadIconA, SendDlgItemMessageA, WinHelpA, SetTimer, KillTimer, SetRectEmpty, EnumDisplayMonitors, IsChild, SetLayeredWindowAttributes, GetSysColorBrush, DrawFrameControl, DestroyIcon, GetWindowRgn, WindowFromPoint, LoadCursorW, LoadCursorA, UpdateLayeredWindow, ReleaseCapture, EnableWindow, DrawIcon, GetClientRect, GetSystemMetrics, IsIconic, SendMessageA, AppendMenuA, GetSystemMenu, LoadIconW, UnpackDDElParam, PostMessageA, PostQuitMessage, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuA, GetParent, GetFocus, LoadBitmapW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, ValidateRect, GetCursorPos, PeekMessageA, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageA, TranslateMessage, GetMessageA, CallNextHookEx, SetWindowsHookExA, SetCursor, ShowOwnedPopups, MessageBoxA, IsWindowEnabled, GetLastActivePopup, GetWindowLongA, GetWindowThreadProcessId, DrawStateA, FillRect, UpdateWindow, InvalidateRect, GetClassNameA, EndDialog, GetNextDlgTabItem, GetDlgItem, IsWindow, DestroyWindow, CreateDialogIndirectParamA, SetActiveWindow, GetDesktopWindow, RemoveMenu, GetSubMenu, GetMenuItemCount, InsertMenuA, GetMenuItemID, GetMenuStringA, TabbedTextOutA, DrawTextA, DrawTextExA, GrayStringA, ScreenToClient, ClientToScreen, GetDC, ReleaseDC, GetWindowDC, BeginPaint, EndPaint, GetSysColor, PtInRect, GetWindowRect, UnhookWindowsHookEx, CopyRect, InflateRect, GetMenuItemInfoA, DestroyMenu, SystemParametersInfoA, GetWindow, SetWindowPos, SetWindowLongA, GetMenu, CallWindowProcA, DefWindowProcA, GetDlgCtrlID, GetWindowPlacement, SetWindowPlacement, SetScrollInfo, GetScrollInfo, DeferWindowPos, EqualRect, AdjustWindowRectEx, RegisterClassA, GetClassInfoA, GetClassInfoExA, CreateWindowExA, ShowScrollBar, SetForegroundWindow, GetScrollPos, SetScrollPos, GetScrollRange, SetScrollRange, SetMenu, TrackPopupMenu, ScrollWindow, MapWindowPoints, GetMonitorInfoA, MonitorFromWindow, GetMessagePos, GetMessageTime, GetTopWindow, EndDeferWindowPos, BeginDeferWindowPos, GetForegroundWindow, GetWindowTextA, GetWindowTextLengthA, SetFocus, RemovePropA, GetPropA, SetPropA, GetClassLongA, GetCapture
GDI32.dll | SetPixelV, CreateBitmap, DeleteObject, CreateSolidBrush, GetObjectA, GetStockObject, GetDeviceCaps, CopyMetaFileA, CreateDCA, SaveDC, RestoreDC, SetBkColor, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, SetMapMode, GetClipBox, ExcludeClipRect, IntersectClipRect, LineTo, MoveToEx, SetTextAlign, GetLayout, SetLayout, SelectClipRgn, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, BitBlt, GetPixel, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, CreatePatternBrush, CreateCompatibleDC, SelectPalette, GetObjectType, CreatePen, CreateHatchBrush, CreateFontIndirectA, GetTextExtentPoint32A, CreateDIBitmap, CreateCompatibleBitmap, CreateRectRgnIndirect, GetTextMetricsA, EnumFontFamiliesA, GetTextCharsetInfo, SetRectRgn, CombineRgn, PatBlt, DPtoLP, CreateRoundRectRgn, CreateDIBSection, CreatePolygonRgn, GetBkColor, GetTextColor, CreateEllipticRgn, Polyline, Ellipse, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, OffsetRgn, GetRgnBox, SetDIBColorTable, StretchBlt, SetPixel, Rectangle, EnumFontFamiliesExA, ExtFloodFill, SetPaletteEntries, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, GetTextFaceA
MSIMG32.dll | AlphaBlend, TransparentBlt
COMDLG32.dll | GetFileTitleA
WINSPOOL.DRV | ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll | RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegEnumKeyA, RegQueryValueA, RegEnumValueA, RegEnumKeyExA, RegDeleteKeyA
SHELL32.dll | SHGetFileInfoA, DragFinish, DragQueryFileA, SHGetDesktopFolder, SHGetPathFromIDListA, SHGetSpecialFolderLocation, ShellExecuteA, SHAppBarMessage, SHBrowseForFolderA
COMCTL32.dll | ImageList_GetIconSize
SHLWAPI.dll | PathFindExtensionA, PathFindFileNameA, PathStripToRootA, PathIsUNCA, PathRemoveFileSpecW
ole32.dll | RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop, OleGetClipboard, OleLockRunning, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, DoDragDrop, CreateStreamOnHGlobal, CoInitializeEx, CoInitialize, CoCreateInstance, CoUninitialize, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, CoTaskMemFree, CoCreateGuid
OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringLen, SysFreeString, SysAllocString, VarBstrFromDate, SystemTimeToVariantTime, VariantTimeToSystemTime
gdiplus.dll | GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipCreateBitmapFromScan0, GdipBitmapLockBits, GdipDrawImageI, GdipGetImageGraphicsContext, GdipBitmapUnlockBits
IPHLPAPI.DLL | GetTcpTable2, SetTcpEntry
WS2_32.dll | inet_ntop, htonl
OLEACC.dll | AccessibleObjectFromWindow, LresultFromObject, CreateStdAccessibleObject
IMM32.dll | ImmGetContext, ImmGetOpenStatus, ImmReleaseContext
WINMM.dll | PlaySoundA
                Language of compilation system | Country where language is spoken
                Chinese | China
                English | United States
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2025-01-02T09:04:10.632637+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49837 | 45.207.215.58 | 7000 | TCP
                2025-01-02T09:06:03.236124+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 50042 | 45.207.215.58 | 7000 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jan 2, 2025 09:03:01.303708076 CET | 49731 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:01.308528900 CET | 7000 | 49731 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:01.308599949 CET | 49731 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:01.482429028 CET | 49731 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:01.491786003 CET | 7000 | 49731 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:03.364532948 CET | 7000 | 49731 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:03.364617109 CET | 49731 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:04.876215935 CET | 49731 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:04.877474070 CET | 49732 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:04.881138086 CET | 7000 | 49731 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:04.882340908 CET | 7000 | 49732 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:04.882431984 CET | 49732 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:04.899415016 CET | 49732 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:04.904300928 CET | 7000 | 49732 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:06.925477028 CET | 7000 | 49732 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:06.925605059 CET | 49732 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:09.044536114 CET | 49732 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:09.049433947 CET | 7000 | 49732 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:09.050333977 CET | 49733 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:09.055254936 CET | 7000 | 49733 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:09.055346966 CET | 49733 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:09.202789068 CET | 49733 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:09.207705021 CET | 7000 | 49733 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:11.077393055 CET | 7000 | 49733 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:11.077538967 CET | 49733 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:12.891817093 CET | 49733 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:12.892528057 CET | 49734 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:12.896680117 CET | 7000 | 49733 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:12.897388935 CET | 7000 | 49734 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:12.897454977 CET | 49734 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:12.919740915 CET | 49734 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:12.924590111 CET | 7000 | 49734 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:14.902340889 CET | 7000 | 49734 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:14.902419090 CET | 49734 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:17.016803026 CET | 49734 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:17.017896891 CET | 49740 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:17.021842957 CET | 7000 | 49734 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:17.023142099 CET | 7000 | 49740 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:17.023216009 CET | 49740 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:17.043034077 CET | 49740 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:17.047905922 CET | 7000 | 49740 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:19.047076941 CET | 7000 | 49740 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:19.047445059 CET | 49740 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:21.969878912 CET | 49740 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:21.970844030 CET | 49742 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:21.974806070 CET | 7000 | 49740 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:21.975714922 CET | 7000 | 49742 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:21.975815058 CET | 49742 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:21.992624044 CET | 49742 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:21.997636080 CET | 7000 | 49742 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:23.999439001 CET | 7000 | 49742 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:23.999512911 CET | 49742 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:25.970261097 CET | 49742 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:25.972567081 CET | 49743 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:25.975065947 CET | 7000 | 49742 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:25.977394104 CET | 7000 | 49743 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:25.977483034 CET | 49743 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:25.996726990 CET | 49743 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:26.001929998 CET | 7000 | 49743 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:27.979439974 CET | 7000 | 49743 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:27.983642101 CET | 49743 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:29.548048973 CET | 49743 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:29.548813105 CET | 49744 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:29.581753969 CET | 7000 | 49743 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:29.581772089 CET | 7000 | 49744 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:29.581849098 CET | 49744 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:29.599633932 CET | 49744 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:29.604437113 CET | 7000 | 49744 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:31.614010096 CET | 7000 | 49744 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:31.614132881 CET | 49744 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:33.407783031 CET | 49744 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:33.408629894 CET | 49745 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:33.412750959 CET | 7000 | 49744 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:33.413716078 CET | 7000 | 49745 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:33.413811922 CET | 49745 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:33.433409929 CET | 49745 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:33.438287973 CET | 7000 | 49745 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:35.438076019 CET | 7000 | 49745 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:35.438205957 CET | 49745 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:38.188637018 CET | 49745 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:38.189533949 CET | 49746 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:38.193543911 CET | 7000 | 49745 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:38.194284916 CET | 7000 | 49746 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:38.194458008 CET | 49746 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:38.210820913 CET | 49746 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:38.215621948 CET | 7000 | 49746 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:40.215435028 CET | 7000 | 49746 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:40.215508938 CET | 49746 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:41.142126083 CET | 49746 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:41.144246101 CET | 49747 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:41.147070885 CET | 7000 | 49746 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:41.149034977 CET | 7000 | 49747 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:41.149136066 CET | 49747 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:41.166814089 CET | 49747 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:41.171624899 CET | 7000 | 49747 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:43.194048882 CET | 7000 | 49747 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:43.194236994 CET | 49747 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:43.954242945 CET | 49747 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:43.955105066 CET | 49748 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:43.959125996 CET | 7000 | 49747 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:43.959908962 CET | 7000 | 49748 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:43.959989071 CET | 49748 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:43.979909897 CET | 49748 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:43.984658003 CET | 7000 | 49748 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:45.968584061 CET | 7000 | 49748 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:45.968662024 CET | 49748 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:46.283066988 CET | 49748 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:46.283900023 CET | 49749 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:46.287889957 CET | 7000 | 49748 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:46.288729906 CET | 7000 | 49749 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:46.288830996 CET | 49749 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:46.304570913 CET | 49749 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:46.309657097 CET | 7000 | 49749 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:48.287239075 CET | 7000 | 49749 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:48.287293911 CET | 49749 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:48.958312988 CET | 49749 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:48.961066961 CET | 49750 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:48.963186026 CET | 7000 | 49749 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:48.965893984 CET | 7000 | 49750 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:48.965995073 CET | 49750 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:49.510581970 CET | 49750 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:49.515486002 CET | 7000 | 49750 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:50.984214067 CET | 7000 | 49750 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:50.984440088 CET | 49750 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:51.736880064 CET | 49750 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:51.739034891 CET | 49751 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:51.741823912 CET | 7000 | 49750 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:51.743871927 CET | 7000 | 49751 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:51.744035006 CET | 49751 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:52.158354998 CET | 49751 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:52.163336992 CET | 7000 | 49751 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:53.784413099 CET | 7000 | 49751 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:53.784506083 CET | 49751 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:54.016731024 CET | 49751 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:54.017436028 CET | 49753 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:54.021675110 CET | 7000 | 49751 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:54.022361040 CET | 7000 | 49753 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:03:54.022433996 CET | 49753 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:54.038189888 CET | 49753 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:03:54.043055058 CET | 7000 | 49753 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:01.313730955 CET | 7000 | 49753 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:01.313807964 CET | 49753 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:01.579266071 CET | 49753 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:01.580008984 CET | 49790 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:01.584101915 CET | 7000 | 49753 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:01.584796906 CET | 7000 | 49790 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:01.584907055 CET | 49790 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:01.601016045 CET | 49790 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:01.605993032 CET | 7000 | 49790 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:03.586123943 CET | 7000 | 49790 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:03.586214066 CET | 49790 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:03.710297108 CET | 49790 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:03.713753939 CET | 49799 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:03.715152025 CET | 7000 | 49790 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:03.718563080 CET | 7000 | 49799 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:03.718658924 CET | 49799 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:03.825083971 CET | 49799 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:03.830033064 CET | 7000 | 49799 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:05.747859001 CET | 7000 | 49799 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:05.751301050 CET | 49799 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:10.313695908 CET | 49799 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:10.314996958 CET | 49837 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:10.318536043 CET | 7000 | 49799 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:10.319823980 CET | 7000 | 49837 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:10.319940090 CET | 49837 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:10.364715099 CET | 49837 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:10.369564056 CET | 7000 | 49837 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:10.632637024 CET | 49837 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:10.637531042 CET | 7000 | 49837 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:12.322925091 CET | 7000 | 49837 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:12.323008060 CET | 49837 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:15.641906977 CET | 49837 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:15.643757105 CET | 49871 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:15.646684885 CET | 7000 | 49837 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:15.648580074 CET | 7000 | 49871 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:15.648663998 CET | 49871 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:15.734035969 CET | 49871 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:15.738917112 CET | 7000 | 49871 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:15.782939911 CET | 49871 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:15.787692070 CET | 7000 | 49871 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:15.970318079 CET | 49871 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:15.975070953 CET | 7000 | 49871 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:16.001341105 CET | 49871 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:16.006175041 CET | 7000 | 49871 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:17.672837973 CET | 7000 | 49871 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:17.672986031 CET | 49871 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:21.080241919 CET | 49871 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:21.082750082 CET | 49903 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:21.084990978 CET | 7000 | 49871 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:21.087565899 CET | 7000 | 49903 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:21.087670088 CET | 49903 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:21.231132984 CET | 49903 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:21.235984087 CET | 7000 | 49903 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:21.298274994 CET | 49903 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:21.303091049 CET | 7000 | 49903 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:23.113632917 CET | 7000 | 49903 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:23.115766048 CET | 49903 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:26.329879999 CET | 49903 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:26.334651947 CET | 7000 | 49903 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:26.340576887 CET | 49935 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:26.346913099 CET | 7000 | 49935 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:26.346997023 CET | 49935 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:26.537020922 CET | 49935 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:26.541817904 CET | 7000 | 49935 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:26.564013004 CET | 49935 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:26.568785906 CET | 7000 | 49935 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:26.595413923 CET | 49935 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:26.600203037 CET | 7000 | 49935 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:28.354948044 CET | 7000 | 49935 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:28.355030060 CET | 49935 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:31.832075119 CET | 49935 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:31.833544970 CET | 49971 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:31.838854074 CET | 7000 | 49935 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:31.840286016 CET | 7000 | 49971 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:31.840399027 CET | 49971 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:32.575788021 CET | 49971 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:32.580712080 CET | 7000 | 49971 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:33.873929024 CET | 7000 | 49971 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:33.874042034 CET | 49971 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:37.847111940 CET | 49971 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:37.847723961 CET | 50012 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:37.851962090 CET | 7000 | 49971 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:37.852545977 CET | 7000 | 50012 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:37.852668047 CET | 50012 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:37.981811047 CET | 50012 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:37.986676931 CET | 7000 | 50012 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:39.853543043 CET | 7000 | 50012 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:39.853631973 CET | 50012 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:43.051588058 CET | 50012 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:43.056360006 CET | 7000 | 50012 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:43.118995905 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:43.123919010 CET | 7000 | 50027 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:43.124002934 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:43.707171917 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:43.712052107 CET | 7000 | 50027 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:43.970274925 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:43.975099087 CET | 7000 | 50027 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:44.345160007 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:44.349971056 CET | 7000 | 50027 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:44.360763073 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:44.365601063 CET | 7000 | 50027 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:44.376528978 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:44.381383896 CET | 7000 | 50027 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:44.517134905 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:44.521925926 CET | 7000 | 50027 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:45.140489101 CET | 7000 | 50027 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:45.142718077 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:45.142718077 CET | 50027 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:45.145600080 CET | 50028 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:45.148932934 CET | 7000 | 50027 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:45.150624990 CET | 7000 | 50028 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:45.151572943 CET | 50028 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:45.349035025 CET | 50028 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:45.353934050 CET | 7000 | 50028 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:47.150453091 CET | 7000 | 50028 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:47.150517941 CET | 50028 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:50.364182949 CET | 50028 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:50.367523909 CET | 50029 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:50.368998051 CET | 7000 | 50028 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:50.372406006 CET | 7000 | 50029 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:50.372477055 CET | 50029 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:50.419919014 CET | 50029 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:50.424885035 CET | 7000 | 50029 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:52.389048100 CET | 7000 | 50029 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:52.389106035 CET | 50029 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:55.602356911 CET | 50029 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:55.605817080 CET | 50030 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:55.607259035 CET | 7000 | 50029 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:55.610673904 CET | 7000 | 50030 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:55.611633062 CET | 50030 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:55.738368988 CET | 50030 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:04:55.743329048 CET | 7000 | 50030 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:57.620404959 CET | 7000 | 50030 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:04:57.620475054 CET | 50030 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:00.899028063 CET | 50030 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:00.904040098 CET | 7000 | 50030 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:00.924504042 CET | 50031 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:00.930437088 CET | 7000 | 50031 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:00.930505037 CET | 50031 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:01.976555109 CET | 50031 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:01.981431961 CET | 7000 | 50031 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:02.972819090 CET | 7000 | 50031 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:02.972946882 CET | 50031 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:07.251416922 CET | 50031 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:07.252501011 CET | 50032 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:07.256356001 CET | 7000 | 50031 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:07.257318974 CET | 7000 | 50032 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:07.257414103 CET | 50032 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:07.294564962 CET | 50032 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:07.299416065 CET | 7000 | 50032 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:07.454746008 CET | 50032 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:07.459640026 CET | 7000 | 50032 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:07.501585007 CET | 50032 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:07.506433964 CET | 7000 | 50032 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:08.142288923 CET | 50032 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:08.147154093 CET | 7000 | 50032 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:09.280343056 CET | 7000 | 50032 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:09.280392885 CET | 50032 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:12.673245907 CET | 50032 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:12.677206039 CET | 50033 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:12.678112030 CET | 7000 | 50032 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:12.682082891 CET | 7000 | 50033 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:12.682157993 CET | 50033 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:12.717817068 CET | 50033 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:12.722618103 CET | 7000 | 50033 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:14.727057934 CET | 7000 | 50033 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:14.730068922 CET | 50033 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:17.720139027 CET | 50033 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:17.721863031 CET | 50034 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:17.725147009 CET | 7000 | 50033 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:17.726732969 CET | 7000 | 50034 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:17.726804018 CET | 50034 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:17.773340940 CET | 50034 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:17.778130054 CET | 7000 | 50034 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:18.658195972 CET | 50034 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:18.663049936 CET | 7000 | 50034 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:19.753040075 CET | 7000 | 50034 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:19.753976107 CET | 50034 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:23.005716085 CET | 50034 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:23.010565996 CET | 7000 | 50034 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:23.023736954 CET | 50035 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:23.028731108 CET | 7000 | 50035 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:23.031157017 CET | 50035 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:23.139477968 CET | 50035 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:23.144349098 CET | 7000 | 50035 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:25.047983885 CET | 7000 | 50035 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:25.048057079 CET | 50035 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:28.409687042 CET | 50035 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:28.410166025 CET | 50036 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:28.414609909 CET | 7000 | 50035 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:28.414979935 CET | 7000 | 50036 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:28.415090084 CET | 50036 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:28.519191027 CET | 50036 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:28.524025917 CET | 7000 | 50036 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:30.438448906 CET | 7000 | 50036 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:30.438535929 CET | 50036 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:33.627372980 CET | 50036 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:33.630132914 CET | 50037 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:33.632280111 CET | 7000 | 50036 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:33.635021925 CET | 7000 | 50037 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:33.638330936 CET | 50037 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:33.682832003 CET | 50037 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:33.687639952 CET | 7000 | 50037 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:33.892293930 CET | 50037 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:33.897213936 CET | 7000 | 50037 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:35.680099010 CET | 7000 | 50037 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:35.681726933 CET | 50037 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:38.954583883 CET | 50037 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:38.957581997 CET | 50038 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:38.959462881 CET | 7000 | 50037 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:38.962403059 CET | 7000 | 50038 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:38.962594986 CET | 50038 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:39.062500000 CET | 50038 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:39.067276001 CET | 7000 | 50038 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:39.157738924 CET | 50038 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:39.162522078 CET | 7000 | 50038 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:39.173362970 CET | 50038 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:39.178177118 CET | 7000 | 50038 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:39.220274925 CET | 50038 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:39.225080967 CET | 7000 | 50038 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:40.970660925 CET | 7000 | 50038 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:40.970853090 CET | 50038 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:44.424174070 CET | 50038 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:44.429001093 CET | 7000 | 50038 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:44.512080908 CET | 50039 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:44.516906977 CET | 7000 | 50039 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:44.517929077 CET | 50039 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:44.829353094 CET | 50039 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:44.834280014 CET | 7000 | 50039 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:46.550199986 CET | 7000 | 50039 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:46.550542116 CET | 50039 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:49.923655033 CET | 50039 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:49.929672003 CET | 7000 | 50039 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:49.937818050 CET | 50040 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:49.942569971 CET | 7000 | 50040 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:49.942643881 CET | 50040 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:49.972322941 CET | 50040 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:49.977154016 CET | 7000 | 50040 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:51.946372032 CET | 7000 | 50040 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:51.946511030 CET | 50040 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:55.941458941 CET | 50040 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:55.946301937 CET | 7000 | 50040 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:55.948683023 CET | 50041 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:55.953584909 CET | 7000 | 50041 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:55.953651905 CET | 50041 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:55.980709076 CET | 50041 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:55.985601902 CET | 7000 | 50041 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:57.173657894 CET | 50041 | 7000 | 192.168.2.4 | 45.207.215.58
                Jan 2, 2025 09:05:57.178565025 CET | 7000 | 50041 | 45.207.215.58 | 192.168.2.4
                Jan 2, 2025 09:05:57.220413923 CET500417000192.168.2.445.207.215.58
                Jan 2, 2025 09:05:57.225258112 CET70005004145.207.215.58192.168.2.4
                Jan 2, 2025 09:05:57.965637922 CET70005004145.207.215.58192.168.2.4
                Jan 2, 2025 09:05:57.965709925 CET500417000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:02.428996086 CET500417000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:02.433866978 CET70005004145.207.215.58192.168.2.4
                Jan 2, 2025 09:06:02.439076900 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:02.443907976 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:02.444178104 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:02.889173031 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:02.894026041 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:03.236124039 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:03.240994930 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:03.267329931 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:03.272193909 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:03.361197948 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:03.366115093 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:03.376686096 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:03.381501913 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:03.392292976 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:03.397119999 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:03.423532009 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:03.428313017 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:03.454782963 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:03.459604979 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:04.451268911 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:04.454458952 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.517297983 CET500427000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.517988920 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.522212982 CET70005004245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:08.522839069 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:08.523001909 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.564228058 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.569077969 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:08.736455917 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.741271973 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:08.767225027 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.772080898 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:08.782821894 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.787657022 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:08.876674891 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.881592989 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:08.907953978 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:08.912812948 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:09.548494101 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:09.553416967 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:10.524324894 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:10.524395943 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:14.033998966 CET500437000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:14.034173965 CET500447000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:14.039011955 CET70005004345.207.215.58192.168.2.4
                Jan 2, 2025 09:06:14.039031982 CET70005004445.207.215.58192.168.2.4
                Jan 2, 2025 09:06:14.039158106 CET500447000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:14.113933086 CET500447000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:14.118853092 CET70005004445.207.215.58192.168.2.4
                Jan 2, 2025 09:06:14.439208031 CET500447000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:14.444066048 CET70005004445.207.215.58192.168.2.4
                Jan 2, 2025 09:06:14.470418930 CET500447000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:14.475208044 CET70005004445.207.215.58192.168.2.4
                Jan 2, 2025 09:06:14.564237118 CET500447000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:14.569158077 CET70005004445.207.215.58192.168.2.4
                Jan 2, 2025 09:06:16.070152998 CET70005004445.207.215.58192.168.2.4
                Jan 2, 2025 09:06:16.070271969 CET500447000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:19.683967113 CET500447000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:19.686758995 CET500457000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:19.690243959 CET70005004445.207.215.58192.168.2.4
                Jan 2, 2025 09:06:19.693007946 CET70005004545.207.215.58192.168.2.4
                Jan 2, 2025 09:06:19.695091009 CET500457000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:19.882862091 CET500457000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:19.952939987 CET70005004545.207.215.58192.168.2.4
                Jan 2, 2025 09:06:21.717936993 CET70005004545.207.215.58192.168.2.4
                Jan 2, 2025 09:06:21.718121052 CET500457000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:24.971887112 CET500457000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:24.976772070 CET70005004545.207.215.58192.168.2.4
                Jan 2, 2025 09:06:25.008598089 CET500467000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:25.014595032 CET70005004645.207.215.58192.168.2.4
                Jan 2, 2025 09:06:25.014712095 CET500467000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:25.409828901 CET500467000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:25.414777040 CET70005004645.207.215.58192.168.2.4
                Jan 2, 2025 09:06:25.626779079 CET500467000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:25.631683111 CET70005004645.207.215.58192.168.2.4
                Jan 2, 2025 09:06:27.051207066 CET70005004645.207.215.58192.168.2.4
                Jan 2, 2025 09:06:27.051281929 CET500467000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:30.739999056 CET500467000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:30.741808891 CET500477000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:30.744832039 CET70005004645.207.215.58192.168.2.4
                Jan 2, 2025 09:06:30.746699095 CET70005004745.207.215.58192.168.2.4
                Jan 2, 2025 09:06:30.746805906 CET500477000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:30.773370028 CET500477000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:30.778188944 CET70005004745.207.215.58192.168.2.4
                Jan 2, 2025 09:06:32.764533997 CET70005004745.207.215.58192.168.2.4
                Jan 2, 2025 09:06:32.764641047 CET500477000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:35.829711914 CET500477000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:35.832724094 CET500487000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:35.834582090 CET70005004745.207.215.58192.168.2.4
                Jan 2, 2025 09:06:35.837546110 CET70005004845.207.215.58192.168.2.4
                Jan 2, 2025 09:06:35.837620974 CET500487000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:35.875992060 CET500487000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:35.880868912 CET70005004845.207.215.58192.168.2.4
                Jan 2, 2025 09:06:37.841651917 CET70005004845.207.215.58192.168.2.4
                Jan 2, 2025 09:06:37.841795921 CET500487000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:41.064078093 CET500487000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:41.067167997 CET500497000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:41.068895102 CET70005004845.207.215.58192.168.2.4
                Jan 2, 2025 09:06:41.071975946 CET70005004945.207.215.58192.168.2.4
                Jan 2, 2025 09:06:41.072094917 CET500497000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:41.142064095 CET500497000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:41.146934986 CET70005004945.207.215.58192.168.2.4
                Jan 2, 2025 09:06:43.080264091 CET70005004945.207.215.58192.168.2.4
                Jan 2, 2025 09:06:43.080518961 CET500497000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:46.331840038 CET500497000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:46.336741924 CET70005004945.207.215.58192.168.2.4
                Jan 2, 2025 09:06:46.338282108 CET500507000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:46.343126059 CET70005005045.207.215.58192.168.2.4
                Jan 2, 2025 09:06:46.343347073 CET500507000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:46.449507952 CET500507000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:46.454407930 CET70005005045.207.215.58192.168.2.4
                Jan 2, 2025 09:06:46.691838026 CET500507000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:46.696768999 CET70005005045.207.215.58192.168.2.4
                Jan 2, 2025 09:06:48.362284899 CET70005005045.207.215.58192.168.2.4
                Jan 2, 2025 09:06:48.366183996 CET500507000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:51.814172029 CET500507000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:51.816540956 CET500517000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:51.818949938 CET70005005045.207.215.58192.168.2.4
                Jan 2, 2025 09:06:51.821321964 CET70005005145.207.215.58192.168.2.4
                Jan 2, 2025 09:06:51.821402073 CET500517000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:51.848881960 CET500517000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:51.853704929 CET70005005145.207.215.58192.168.2.4
                Jan 2, 2025 09:06:53.828413963 CET70005005145.207.215.58192.168.2.4
                Jan 2, 2025 09:06:53.828485966 CET500517000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:56.939084053 CET500517000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:56.941797972 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:56.943968058 CET70005005145.207.215.58192.168.2.4
                Jan 2, 2025 09:06:56.946614027 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:56.946753979 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:57.172271967 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:57.177098989 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:57.329967976 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:57.334779024 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:57.345784903 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:57.350613117 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:57.377079964 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:57.381859064 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:57.392632008 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:57.397419930 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:57.471155882 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:57.475939989 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:57.502029896 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:57.506807089 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:57.533149958 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:06:57.537885904 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:58.951889992 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:06:58.954866886 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:02.595381021 CET500527000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:02.597515106 CET500537000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:02.600193977 CET70005005245.207.215.58192.168.2.4
                Jan 2, 2025 09:07:02.602364063 CET70005005345.207.215.58192.168.2.4
                Jan 2, 2025 09:07:02.602447987 CET500537000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:02.633047104 CET500537000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:02.637893915 CET70005005345.207.215.58192.168.2.4
                Jan 2, 2025 09:07:02.704991102 CET500537000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:02.709789991 CET70005005345.207.215.58192.168.2.4
                Jan 2, 2025 09:07:02.767663956 CET500537000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:02.773781061 CET70005005345.207.215.58192.168.2.4
                Jan 2, 2025 09:07:02.986287117 CET500537000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:02.991173983 CET70005005345.207.215.58192.168.2.4
                Jan 2, 2025 09:07:03.080180883 CET500537000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:03.085108995 CET70005005345.207.215.58192.168.2.4
                Jan 2, 2025 09:07:03.111217022 CET500537000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:03.116053104 CET70005005345.207.215.58192.168.2.4
                Jan 2, 2025 09:07:03.142483950 CET500537000192.168.2.445.207.215.58
                Jan 2, 2025 09:07:03.147319078 CET70005005345.207.215.58192.168.2.4
                Jan 2, 2025 09:07:04.611331940 CET70005005345.207.215.58192.168.2.4
                Jan 2, 2025 09:07:04.611399889 CET500537000192.168.2.445.207.215.58


Target ID: 0
Start time: 03:02:56
Start date: 02/01/2025
Path: C:\Users\user\Desktop\2.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\2.exe"
Imagebase: 0xf80000
File size: 1'749'504 bytes
MD5 hash: 119A00350E1A20E1A3EA01153B91001B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: Sekoia.io
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4141464738.0000000005140000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low
Has exited: false


                  Execution Graph

Execution Coverage: 2.6%
Dynamic/Decrypted Code Coverage: 26.2%
Signature Coverage: 9.8%
Total number of Nodes: 367
Total number of Limit Nodes: 20

execution_graph: the node/edge serialisation of the rendered graph is not reproduced here. The Windows API calls it names, grouped by area, are:
• Memory and loader: VirtualAlloc, VirtualProtect, LoadLibraryA, LoadLibraryW, FreeLibrary, GetProcAddress, GetModuleHandleW, GetModuleFileNameA, GetModuleFileNameW, RtlAllocateHeap, GlobalAlloc, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalUnlock, GlobalMemoryStatusEx, EncodePointer, DecodePointer, and a helper the graph labels GetPEB
• Process, thread and debugging: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, CreateThread, TerminateThread, GetCurrentThreadId, CloseHandle, Sleep, InterlockedExchange, CreateToolhelp32Snapshot, Process32First, Process32Next, SetErrorMode, SetLastError, GetLastError, RaiseException
• Synchronisation and TLS: InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsGetValue
• Registry and configuration: RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetProfileIntA
• User interface and shell: SetWindowsHookExA, CreateCompatibleDC, CreateActCtxWWorker, PathFindExtensionA, PathFindFileNameA, lstrlenA, SysAllocString
The listing also names CRT internals (__NMSG_WRITE, __getptd_noexit, _memset, _memmove, __CxxThrowException@8, __dosmaperr, __resetstkoflw, std::tr1::_Random_device, __EH_prolog3) and marks the edges "N API calls" without listing them.

                  Control-flow Graph
                  [Graph node/edge list omitted. Entry 00F96406: GetDeviceCaps, ten conditional DeleteObject calls, _memset, GetTextCharsetInfo, lstrcpyA, EnumFontFamiliesA x2, CreateFontIndirectA x11, GetSystemMetrics, GetStockObject x2, GetObjectA x2. A second function at 00F968F0: GetVersionExA, KiUserCallbackDispatcher, GetProcAddress x6 (UxTheme.dll exports) and x3 (dwmapi.dll exports), then a call into 00F96406, ending at 00F96C12-00F96C93. The executed/not-executed colouring of the original figure is not recoverable from text.]
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00F96410
                    • Part of subcall function 00F88ADB: __EH_prolog3.LIBCMT ref: 00F88AE2
                    • Part of subcall function 00F88ADB: GetWindowDC.USER32(00000000,00000004,00F95F09,00000000,?,?,010A4E00), ref: 00F88B0E
                  • GetDeviceCaps.GDI32(?,00000058), ref: 00F96436
                  • DeleteObject.GDI32(00000000), ref: 00F96497
                  • DeleteObject.GDI32(00000000), ref: 00F964B4
                  • DeleteObject.GDI32(00000000), ref: 00F964D1
                  • DeleteObject.GDI32(00000000), ref: 00F964E8
                  • DeleteObject.GDI32(00000000), ref: 00F96505
                  • DeleteObject.GDI32(00000000), ref: 00F9651C
                  • DeleteObject.GDI32(00000000), ref: 00F96533
                  • DeleteObject.GDI32(00000000), ref: 00F9654A
                  • DeleteObject.GDI32(00000000), ref: 00F96567
                  • DeleteObject.GDI32(00000000), ref: 00F9657E
                  • _memset.LIBCMT ref: 00F96595
                  • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 00F965A5
                  • lstrcpyA.KERNEL32(?,?), ref: 00F965F4
                  • EnumFontFamiliesA.GDI32(?,00000000,Function_000163BD), ref: 00F9661B
                  • lstrcpyA.KERNEL32(?), ref: 00F9662B
                  • EnumFontFamiliesA.GDI32(?,00000000,Function_000163BD), ref: 00F96646
                  • lstrcpyA.KERNEL32(?), ref: 00F9665E
                  • CreateFontIndirectA.GDI32(?), ref: 00F9666A
                  • CreateFontIndirectA.GDI32(?), ref: 00F966BA
                  • CreateFontIndirectA.GDI32(?), ref: 00F966F5
                  • CreateFontIndirectA.GDI32(?), ref: 00F9671D
                  • CreateFontIndirectA.GDI32(?), ref: 00F9673A
                  • GetSystemMetrics.USER32(00000048), ref: 00F96755
                  • lstrcpyA.KERNEL32(?), ref: 00F96769
                  • CreateFontIndirectA.GDI32(?), ref: 00F9676F
                  • GetStockObject.GDI32(00000011), ref: 00F9679D
                  • GetObjectA.GDI32(?,0000003C,?), ref: 00F967BF
                  • lstrcpyA.KERNEL32(?), ref: 00F967F8
                  • CreateFontIndirectA.GDI32(?), ref: 00F96802
                  • CreateFontIndirectA.GDI32(?), ref: 00F96821
                  • GetStockObject.GDI32(00000011), ref: 00F96837
                  • GetObjectA.GDI32(?,0000003C,?), ref: 00F96848
                  • CreateFontIndirectA.GDI32(?), ref: 00F96852
                  • CreateFontIndirectA.GDI32(?), ref: 00F96875
                  • __EH_prolog3_GS.LIBCMT ref: 00F96900
                  • GetVersionExA.KERNEL32(?,0000009C), ref: 00F96A56
                  • KiUserCallbackDispatcher.NTDLL(00001000), ref: 00F96A61
                  • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00F96AE6
                  • GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 00F96AF9
                  • GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 00F96B0C
                  • GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 00F96B1F
                  • GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 00F96B32
                  • GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 00F96B45
                  • GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 00F96B8E
                  • GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 00F96BA1
                  • GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 00F96BB4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Similarity
                  • API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3_Stock$CallbackCapsCharsetDeviceDispatcherH_prolog3InfoMetricsSystemTextUserVersionWindow_memset
                  • String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
                  • API String ID: 2460119550-1174303547
                  • Opcode ID: babb57fde49750fa82a347335cf9f0803fa699ce1759fe2d9990d429804e7c44
                  • Instruction ID: e8a08ae6ad711d8aca981f9a0ef6f99518dae1b0392e4adf716455312be2090d
                  • Opcode Fuzzy Hash: babb57fde49750fa82a347335cf9f0803fa699ce1759fe2d9990d429804e7c44
                  • Instruction Fuzzy Hash: 6F3243B0C017189FDB21AFB5C954BDAFBF8AF54300F04885EE4AAE6255DB746A40DF50

                  Control-flow Graph
                  [Graph node/edge list omitted. Entry 00F81150: CreateToolhelp32Snapshot; on a valid handle _memset, Process32First, a Process32Next loop at 00F811B1-00F811BE, then CloseHandle at 00F811CC; on failure straight to 00F811D3. Executed/not-executed colouring not recoverable from text.]
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F8116A
                  • _memset.LIBCMT ref: 00F8118F
                  • Process32First.KERNEL32(00000000,00000128), ref: 00F811A1
                  • Process32Next.KERNEL32(00000000,00000128), ref: 00F811BA
                  • CloseHandle.KERNEL32(00000000,00000001), ref: 00F811CD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                  • String ID:
                  • API String ID: 2526126748-0
                  • Opcode ID: a25dd6429c47441e0361e44aa54dd88fdd02b2fcd4ee8bb5a12c681af1a92220
                  • Instruction ID: e5c28a76777d7931f6ba862e00a645e620091dcae8cefc0aeb5acd15b3100319
                  • Opcode Fuzzy Hash: a25dd6429c47441e0361e44aa54dd88fdd02b2fcd4ee8bb5a12c681af1a92220
                  • Instruction Fuzzy Hash: A301D831B012196BEB30BA74EC99FFE73ACFB49724F000298EA45921C0DB756E45CB91
                  Memory Dump Source
                  • Source File: 00000000.00000002.4141479624.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5150000_2.jbxd
                  Similarity
                  • API ID:
                  • String ID: \V]m
                  • API String ID: 0-4105700344
                  • Opcode ID: 4a354c0f3cc3b99abc0cc4546156c69938b32ba59d4f02cf8e10fa99818ffc4d
                  • Instruction ID: 5de54f2a32ff14a913582f9c3db8d117ed5c40028be364dd872ec178066ba132
                  • Opcode Fuzzy Hash: 4a354c0f3cc3b99abc0cc4546156c69938b32ba59d4f02cf8e10fa99818ffc4d
                  • Instruction Fuzzy Hash: 0CB15170E04209DFDF14CFA9C885BADBBF2BF88324F158529D825A7254EB759885CF81
                  Memory Dump Source
                  • Source File: 00000000.00000002.4141479624.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5150000_2.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a88217c788155d7360dcdc3c3f7c2d744ceff5ccc5257c7e562ae97c9fdefdd1
                  • Instruction ID: cff4eceac1cf9922e4850f14fe0455ad6e1894577a910a83e4905d31f3e51162
                  • Opcode Fuzzy Hash: a88217c788155d7360dcdc3c3f7c2d744ceff5ccc5257c7e562ae97c9fdefdd1
                  • Instruction Fuzzy Hash: 88B14C70E04249DFDF14CFA9C8857ADBBF2BF88324F158529D825AB294EB749845CB81

                  Control-flow Graph

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F95EB4
                  • GetSysColor.USER32(00000016), ref: 00F95EC3
                  • GetSysColor.USER32(0000000F), ref: 00F95ED0
                  • GetSysColor.USER32(00000015), ref: 00F95EE3
                  • GetSysColor.USER32(0000000F), ref: 00F95EEB
                  • GetDeviceCaps.GDI32(?,0000000C), ref: 00F95F11
                  • GetSysColor.USER32(0000000F), ref: 00F95F1F
                  • GetSysColor.USER32(00000010), ref: 00F95F29
                  • GetSysColor.USER32(00000015), ref: 00F95F33
                  • GetSysColor.USER32(00000016), ref: 00F95F3D
                  • GetSysColor.USER32(00000014), ref: 00F95F47
                  • GetSysColor.USER32(00000012), ref: 00F95F51
                  • GetSysColor.USER32(00000011), ref: 00F95F5B
                  • GetSysColor.USER32(00000006), ref: 00F95F62
                  • GetSysColor.USER32(0000000D), ref: 00F95F69
                  • GetSysColor.USER32(0000000E), ref: 00F95F70
                  • GetSysColor.USER32(00000005), ref: 00F95F77
                  • GetSysColor.USER32(00000008), ref: 00F95F81
                  • GetSysColor.USER32(00000009), ref: 00F95F88
                  • GetSysColor.USER32(00000007), ref: 00F95F8F
                  • GetSysColor.USER32(00000002), ref: 00F95F96
                  • GetSysColor.USER32(00000003), ref: 00F95F9D
                  • GetSysColor.USER32(0000001B), ref: 00F95FA4
                  • GetSysColor.USER32(0000001C), ref: 00F95FAE
                  • GetSysColor.USER32(0000000A), ref: 00F95FB8
                  • GetSysColor.USER32(0000000B), ref: 00F95FC2
                  • GetSysColor.USER32(00000013), ref: 00F95FCC
                  • GetSysColor.USER32(0000001A), ref: 00F95FE6
                  • GetSysColorBrush.USER32(00000010), ref: 00F96001
                  • GetSysColorBrush.USER32(00000014), ref: 00F96018
                  • GetSysColorBrush.USER32(00000005), ref: 00F9602A
                  • CreateSolidBrush.GDI32(?), ref: 00F9604E
                  • CreateSolidBrush.GDI32(?), ref: 00F9606A
                  • CreateSolidBrush.GDI32(?), ref: 00F96086
                  • CreateSolidBrush.GDI32(?), ref: 00F960A2
                  • CreateSolidBrush.GDI32(?), ref: 00F960BE
                  • CreateSolidBrush.GDI32(?), ref: 00F960DA
                  • CreateSolidBrush.GDI32(?), ref: 00F960F6
                  • CreatePen.GDI32(00000000,00000001), ref: 00F9611F
                  • CreatePen.GDI32(00000000,00000001), ref: 00F96142
                  • CreatePen.GDI32(00000000,00000001), ref: 00F96165
                  • CreateSolidBrush.GDI32(?), ref: 00F961E9
                  • CreatePatternBrush.GDI32(00000000), ref: 00F9622A
                    • Part of subcall function 00F88CE0: DeleteObject.GDI32(00000000), ref: 00F88CEF
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Similarity
                  • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
                  • String ID:
                  • API String ID: 3754413814-0
                  • Opcode ID: 65c4889476132c1ba031675ac95dc53b01f2c3a3c50e9156e48ab8da71ee70d5
                  • Instruction ID: 6012546f7276bd4f9921b9675184e8b24142fd252b7d1ca4895a7d3bc5855abe
                  • Opcode Fuzzy Hash: 65c4889476132c1ba031675ac95dc53b01f2c3a3c50e9156e48ab8da71ee70d5
                  • Instruction Fuzzy Hash: 40B18C70A01B449EDB34BF71CC5ABEBBAE0BF80740F00492DE19796591DE79A549EF20

                  Control-flow Graph
                  [Graph node/edge list omitted. Entry 00FE4678: LoadImageW, GetObjectA, CreateCompatibleDC, SelectObject, CreateCompatibleBitmap, BitBlt, a GetPixel/SetPixel loop at 00FE4983-00FE49D1, then SelectObject/DeleteObject cleanup. A second function at 00FE4A4A calls CreateCompatibleDC twice and then calls into 00FE4678. Executed/not-executed colouring not recoverable from text.]
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FE4682
                  • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 00FE4844
                  • GetObjectA.GDI32(00000082,00000018,?), ref: 00FE4856
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE48A8
                  • GetObjectA.GDI32(00000082,00000018,?), ref: 00FE48C3
                  • SelectObject.GDI32(?,00000082), ref: 00FE48D7
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00FE48FB
                  • SelectObject.GDI32(?,00000000), ref: 00FE490E
                  • CreateCompatibleDC.GDI32(?), ref: 00FE4924
                  • SelectObject.GDI32(?,?), ref: 00FE4939
                  • SelectObject.GDI32(?,00000000), ref: 00FE4948
                  • DeleteObject.GDI32(?), ref: 00FE494D
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00FE496D
                  • GetPixel.GDI32(?,?,?), ref: 00FE498C
                  • SetPixel.GDI32(?,?,?,00000000), ref: 00FE49C2
                  • SelectObject.GDI32(?,?), ref: 00FE49E4
                  • SelectObject.GDI32(?,00000000), ref: 00FE49EC
                  • DeleteObject.GDI32(00000082), ref: 00FE49F1
                  • DeleteObject.GDI32(00000082), ref: 00FE4A23
                  • __EH_prolog3.LIBCMT ref: 00FE4A57
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE4B22
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE4B2E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Similarity
                  • API ID: Object$Select$CompatibleCreate$Delete$H_prolog3Pixel$BitmapImageLoad
                  • String ID:
                  • API String ID: 1197801157-3916222277
                  • Opcode ID: bd2cfff8492581d35bb240e31aece26b63915419fd2bdbbbd3eea19a4206d478
                  • Instruction ID: dd1bb68c451cff1932e01300ad9735f4c83d54c35fda49442408feb493443a2b
                  • Opcode Fuzzy Hash: bd2cfff8492581d35bb240e31aece26b63915419fd2bdbbbd3eea19a4206d478
                  • Instruction Fuzzy Hash: 0F025A70C00269DFCF15EFA5C880AAEBBB5FF08710F10406EF855AA25AD7759945EFA0

                  Control-flow Graph
                  [Graph node/edge list omitted. Entry 00F81400: a loop starting at 00F81420 calls 00F81330 twice (the Toolhelp32 process walk), then conditionally TerminateThread/CloseHandle on two thread handles, CreateThread at up to four sites (start routines reloc_00001080 and Function_000013C0), Sleep at 00F81515, _wprintf at 00F81524 and 00F8153B, and branches back to 00F81420. Executed/not-executed colouring not recoverable from text.]
                  APIs
                    • Part of subcall function 00F81330: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F8134A
                    • Part of subcall function 00F81330: Process32First.KERNEL32(00000000,?), ref: 00F81369
                    • Part of subcall function 00F81330: Process32Next.KERNEL32(00000000,00000128), ref: 00F8138F
                    • Part of subcall function 00F81330: CloseHandle.KERNEL32(00000000), ref: 00F813A2
                  • TerminateThread.KERNEL32(00000000,00000000), ref: 00F8144B
                  • CloseHandle.KERNEL32(00000000), ref: 00F81452
                  • TerminateThread.KERNEL32(?,00000000), ref: 00F81464
                  • CloseHandle.KERNEL32(?), ref: 00F8146B
                  • CreateThread.KERNEL32(00000000,00000000,reloc_00001080,?,00000000,?), ref: 00F8149E
                  • CreateThread.KERNEL32(00000000,00000000,reloc_00001080,00000000,00000000,?), ref: 00F814BB
                  • CreateThread.KERNEL32(?,?,Function_000013C0,?,?,?), ref: 00F814E4
                  • CreateThread.KERNEL32(00000000,00000000,Function_000013C0,00000000,00000000,?), ref: 00F81505
                  • Sleep.KERNEL32(00001388), ref: 00F8151A
                  • _wprintf.LIBCMT ref: 00F81529
                  • _wprintf.LIBCMT ref: 00F81540
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Similarity
                  • API ID: Thread$Create$CloseHandle$Process32Terminate_wprintf$FirstNextSleepSnapshotToolhelp32
                  • String ID: 360Safe.exe$360Tray.exe
                  • API String ID: 2471507311-80816502
                  • Opcode ID: 00e248873c6f002d72e838d9ffa8760b923199eca75d2bb4f6fd3b206b5a5dc8
                  • Instruction ID: c210f7ba77207533d96471894397a39bdf9e1f8b5bb5bb903cc8979e1f5115bc
                  • Opcode Fuzzy Hash: 00e248873c6f002d72e838d9ffa8760b923199eca75d2bb4f6fd3b206b5a5dc8
                  • Instruction Fuzzy Hash: 4D418D71D40319ABDB20EB908C46BEFBBBCBF55B10F104209F545B7184D7B46A42DBA6
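                  The listings for 00F81150/00F81330 (a CreateToolhelp32Snapshot, Process32First, Process32Next walk of the process list) and for 00F81400 (that walk called twice per loop iteration, TerminateThread/CloseHandle and CreateThread on worker threads, Sleep(0x1388) = 5000 ms, and the strings 360Safe.exe / 360Tray.exe) are the pattern behind the "AV process strings found" signature in the overview: the calls are consistent with a loop that polls the process list every five seconds and reacts to the 360 security suite's processes. The 00F96406 listing shows the benign counterpart, GetProcAddress resolution of optional UxTheme.dll/dwmapi.dll exports that ordinary GUI code also performs. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the report's own "APIs" bullets and "String ID" line for one function block and tags these behaviours so a block can be triaged without reading the edge lists. The regexes assume the line format exactly as rendered on this page, and the AV process names other than 360Safe.exe/360Tray.exe are the example author's assumption, not report data.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Matches the three bullet shapes seen in this report:
#   "• Sleep.KERNEL32(00001388), ref: 00F8151A"
#   "  • Part of subcall function 00F81330: Process32First.KERNEL32(00000000,?), ref: 00F81369"
#   "• _wprintf.LIBCMT ref: 00F81529"        (no argument list, no comma)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")  # '$'-separated
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")

PROCESS_ENUM = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}
AV_PROCESS_NAMES = {"360safe.exe", "360tray.exe",          # strings in this report
                    "msmpeng.exe", "avp.exe", "mbam.exe"}  # assumed extras, not report data


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int
    via_subcall: Optional[str] = None  # callee address on "Part of subcall" lines


@dataclass
class Triage:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    sleeps_ms: List[int] = field(default_factory=list)
    resolved_imports: List[str] = field(default_factory=list)
    tags: Set[str] = field(default_factory=set)


def parse_block(text: str) -> Triage:
    """Parse one function block's API and String ID lines, then tag it."""
    t = Triage()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            call = Call(m["api"], m["module"], args, int(m["ref"], 16), m["callee"])
            t.calls.append(call)
            # Sleep takes a hex DWORD of milliseconds (0x1388 = 5000 ms).
            if call.api == "Sleep" and args and HEX_ARG.match(args[0]):
                t.sleeps_ms.append(int(args[0], 16))
            # A symbolic second argument to GetProcAddress is the export being resolved.
            if (call.api == "GetProcAddress" and len(args) >= 2
                    and args[1] != "?" and not HEX_ARG.match(args[1])):
                t.resolved_imports.append(args[1])
            continue
        m = STRING_ID_LINE.match(line)
        if m and m["ids"]:
            t.strings.extend(s for s in m["ids"].split("$") if s)
    _tag(t)
    return t


def _tag(t: Triage) -> None:
    apis = {c.api for c in t.calls}  # direct and subcall APIs together
    if PROCESS_ENUM <= apis:
        t.tags.add("process-enumeration")
    if {"CreateThread", "TerminateThread"} <= apis:
        t.tags.add("thread-restart")
    if any(s.lower() in AV_PROCESS_NAMES for s in t.strings):
        t.tags.add("av-process-names")
        if "process-enumeration" in t.tags:
            t.tags.add("av-process-check")  # walks the process list and carries AV names
    if any(ms >= 1000 for ms in t.sleeps_ms):
        t.tags.add("polling-delay")
    if t.resolved_imports:
        t.tags.add("dynamic-api-resolution")


# Sample input: bullet lines copied from the 00F81400 and 00F96406 listings above.
SAMPLE_F81400 = """\
  • Part of subcall function 00F81330: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F8134A
  • Part of subcall function 00F81330: Process32First.KERNEL32(00000000,?), ref: 00F81369
  • Part of subcall function 00F81330: Process32Next.KERNEL32(00000000,00000128), ref: 00F8138F
  • Part of subcall function 00F81330: CloseHandle.KERNEL32(00000000), ref: 00F813A2
• TerminateThread.KERNEL32(00000000,00000000), ref: 00F8144B
• CloseHandle.KERNEL32(00000000), ref: 00F81452
• CreateThread.KERNEL32(00000000,00000000,reloc_00001080,?,00000000,?), ref: 00F8149E
• Sleep.KERNEL32(00001388), ref: 00F8151A
• _wprintf.LIBCMT ref: 00F81529
• String ID: 360Safe.exe$360Tray.exe
"""
SAMPLE_F96406 = """\
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00F96AE6
• GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 00F96BB4
• String ID: DrawThemeParentBackground$DwmIsCompositionEnabled$UxTheme.dll$dwmapi.dll
"""

if __name__ == "__main__":
    for name, sample in (("00F81400", SAMPLE_F81400), ("00F96406", SAMPLE_F96406)):
        t = parse_block(sample)
        print(name, sorted(t.tags), t.sleeps_ms, t.resolved_imports)
```

                  Paste the bullet lines of any block on this page into parse_block to get its tags. The 00F96406 sample is there to show the limits of the heuristic: dynamic-api-resolution on its own is not a malware indicator, since legitimate GUI code resolves optional theme and DWM exports the same way; it is the combination of process enumeration, AV process names, thread restarts and a polling delay in 00F81400 that deserves a closer look.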

                  Control-flow Graph
                  [Graph node/edge list omitted. Entry 00FB0DA9: GetModuleFileNameA, PathFindExtensionA, then string assembly via _strcpy_s/_strcat_s/__strdup with the ".CHM", ".HLP" and ".INI" suffixes (see API ID and String ID below). The per-call API listing for this function was not captured in the report. Executed/not-executed colouring not recoverable from text.]
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Similarity
                  • API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s_strcpy_s
                  • String ID: .CHM$.HLP$.INI
                  • API String ID: 3308358609-4017452060
                  • Opcode ID: 722534875438fb3884cc1fa73ceeb5561f1c969d01193f010726a5bf6b497cbf
                  • Instruction ID: 18c7ae50bd96fdcbd6a44accf289b6e71a1b00165f224bd0e9dbf5f84eb7908b
                  • Opcode Fuzzy Hash: 722534875438fb3884cc1fa73ceeb5561f1c969d01193f010726a5bf6b497cbf
                  • Instruction Fuzzy Hash: 49515CB1D00709AAEB30EB65CC54BDB73E8AF04714F004CAAE586D2541DFB4E984DF20

                  Control-flow Graph

                  Control-flow graph of the function at 00F92271 (rendered graph not preserved; basic blocks 00F92271-00F92388). Blocks call EnterCriticalSection, GlobalAlloc, GlobalHandle, GlobalUnlock, GlobalReAlloc, GlobalLock and LeaveCriticalSection, plus the internal routines 00F87B95, 00F87975 and 01076B10.
                  APIs
                  • EnterCriticalSection.KERNEL32(010F1E48,?,?,00000000,010F1E2C,010F1E2C,?,00F926C7,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92284
                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,00000000,010F1E2C,010F1E2C,?,00F926C7,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F922DA
                  • GlobalHandle.KERNEL32(007A5B48), ref: 00F922E3
                  • GlobalUnlock.KERNEL32(00000000), ref: 00F922ED
                  • GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 00F92306
                  • GlobalHandle.KERNEL32(007A5B48), ref: 00F92318
                  • GlobalLock.KERNEL32(00000000), ref: 00F9231F
                  • LeaveCriticalSection.KERNEL32(00000001,?,?,00000000,010F1E2C,010F1E2C,?,00F926C7,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92328
                  • GlobalLock.KERNEL32(00000000), ref: 00F92334
                  • _memset.LIBCMT ref: 00F9234E
                  • LeaveCriticalSection.KERNEL32(00000001), ref: 00F9237C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                  • String ID:
                  • API String ID: 496899490-0
                  • Opcode ID: 1cf55d9a38ad88ed2d1bad75c07ff382b5e0bb4c53bd49fbe68a19279da26ea7
                  • Instruction ID: 9494b3bc02bb592c2f8c41f6dcac8e948086a4f6c794ce25d1dea5b9710b0130
                  • Opcode Fuzzy Hash: 1cf55d9a38ad88ed2d1bad75c07ff382b5e0bb4c53bd49fbe68a19279da26ea7
                  • Instruction Fuzzy Hash: 3D317971A00704BFEB219F74CC8AE5ABBA9FF84314B14892DE496D7684DB79E840DB50

                  Control-flow Graph

                  Control-flow graph of the function at 00F89BCA (rendered graph not preserved; basic blocks 00F89BCA-00F89CBD). Blocks call GetModuleFileNameW, SetLastError and CreateActCtxWWorker (three call sites), plus the internal routine 01074C92.
                  APIs
                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00F89BFD
                  • SetLastError.KERNEL32(0000006F), ref: 00F89C14
                  • CreateActCtxWWorker.KERNEL32(?), ref: 00F89C5C
                  • CreateActCtxWWorker.KERNEL32(00000020), ref: 00F89C7A
                  • CreateActCtxWWorker.KERNEL32(00000020), ref: 00F89C9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateWorker$ErrorFileLastModuleName
                  • String ID:
                  • API String ID: 3218422885-3916222277
                  • Opcode ID: 6189c66bad5c230ce046c888fa1703eaa73093a2efcdd51053e650e8a66eb10a
                  • Instruction ID: fc1f1a4ae2075df15a3d785df4198d2cde42824f0f0c4d5915e46426572e809c
                  • Opcode Fuzzy Hash: 6189c66bad5c230ce046c888fa1703eaa73093a2efcdd51053e650e8a66eb10a
                  • Instruction Fuzzy Hash: 21214C708002199EDB20EF65D8487EAB7F8BF55324F14869DD069E3180DBB55A89DF60

                  Control-flow Graph

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0100571B
                    • Part of subcall function 00F96CFD: EnterCriticalSection.KERNEL32(010F2290,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D37
                    • Part of subcall function 00F96CFD: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D49
                    • Part of subcall function 00F96CFD: LeaveCriticalSection.KERNEL32(010F2290,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D56
                    • Part of subcall function 00F96CFD: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D66
                  • GetProfileIntA.KERNEL32(windows,DragMinDist,00000002), ref: 01005773
                  • GetProfileIntA.KERNEL32(windows,DragDelay,000000C8), ref: 01005785
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmpDownload File
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
                  • String ID: DragDelay$DragMinDist$windows
                  • API String ID: 3965097884-2101198082
                  • Opcode ID: 60cce52b24eb93d1011cfb3e6d8f7efee02d2bd91a37855fe1fe42dc9bf9d067
                  • Instruction ID: 1510879bc550b93e9c9945fcbcd33618ae1ad6fbd300c189dbdea497502e4500
                  • Opcode Fuzzy Hash: 60cce52b24eb93d1011cfb3e6d8f7efee02d2bd91a37855fe1fe42dc9bf9d067
                  • Instruction Fuzzy Hash: 650125B0940B009BD771EF96C85164AFAF4BFE4710F40454FE1C59BA51C7B95501CF44

                  Control-flow Graph

                  Control-flow graph of the function at 010EE7EA (rendered graph not preserved; basic blocks 010EE7EA-010EE8CF). Blocks call LoadLibraryA and VirtualProtect (four call sites), plus the internal routines 010EFE21 and 010F00BE.
                  APIs
                  • LoadLibraryA.KERNEL32(?,00000000,00000002,?,010EE4B8,00000000), ref: 010EE7F8
                  • VirtualProtect.KERNEL32(00000000,0000000C,00000040,?,?,010EE4B8,00000000), ref: 010EE838
                  • VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 010EE86B
                  • VirtualProtect.KERNEL32(00000000,004014A4,00000040,?), ref: 010EE896
                  • VirtualProtect.KERNEL32(00000000,004014A4,?,?), ref: 010EE8C0
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProtectVirtual$LibraryLoad
                  • String ID:
                  • API String ID: 895956442-0
                  • Opcode ID: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
                  • Instruction ID: 7068cd0c84905cf85210677e5d5f882eabcc7533ce3fa18d54da1550f716decc
                  • Opcode Fuzzy Hash: 37e3d411deaf8316fac3a5409ea6f1d30f4815463f8cd534134295cee1b328aa
                  • Instruction Fuzzy Hash: 0D2186B220030A6FE760AA66DD4CE7BBBECEB85700F04083DBB87D1551EB65F5098671

                  Control-flow Graph

                  Control-flow graph of the function at 010EE8D0 (rendered graph not preserved; basic blocks 010EE8D0-010EE9B5). Blocks call LoadLibraryA and VirtualProtect (four call sites), plus the internal routines 010EFE21 and 010F00BE.
                  APIs
                  • LoadLibraryA.KERNEL32(?,00000000,00000002,00000000,010EE4CB,00000000), ref: 010EE8DE
                  • VirtualProtect.KERNEL32(00000000,000016CC,00000040,?), ref: 010EE91E
                  • VirtualProtect.KERNEL32(00000000,000016CC,?,?), ref: 010EE951
                  • VirtualProtect.KERNEL32(00000000,00402AD1,00000040,?), ref: 010EE97C
                  • VirtualProtect.KERNEL32(00000000,00402AD1,?,?), ref: 010EE9A6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ProtectVirtual$LibraryLoad
                  • String ID:
                  • API String ID: 895956442-0
                  • Opcode ID: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
                  • Instruction ID: 9acb61ad71245dd2457b9ccbd3b386adf3089c7ffe794cb6158fa939d6f20812
                  • Opcode Fuzzy Hash: 1e70e2575075489d053cc6fb2dca748f7a53306e9098dcd260615f23523f6c56
                  • Instruction Fuzzy Hash: A82160B220430A6FE3A09AB6CD4CE7B7BECEF84601B04083DBB8BD1551EB65E5458665

                  Control-flow Graph

                  Control-flow graph of the function at 00F81330 (rendered graph not preserved; basic blocks 00F81330-00F813B9). Blocks call CreateToolhelp32Snapshot, Process32First, Process32Next and CloseHandle, plus the internal routines 010758F9 and 01074C92.
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F8134A
                  • Process32First.KERNEL32(00000000,?), ref: 00F81369
                  • Process32Next.KERNEL32(00000000,00000128), ref: 00F8138F
                  • CloseHandle.KERNEL32(00000000), ref: 00F813A2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: d17aff9a4757ffe20b2d031e2f65128025f3c3a94289ee26f1721412a5f4ba63
                  • Instruction ID: 179dae68d5aa745dd2c98b5d5888c5dc6fa41d0d23c09ee5699d5839548b84ed
                  • Opcode Fuzzy Hash: d17aff9a4757ffe20b2d031e2f65128025f3c3a94289ee26f1721412a5f4ba63
                  • Instruction Fuzzy Hash: 8A018431E01118ABDB21AB659C19AFE77BCFB89325F04039CEC4592180EB359E46CBA1

                  Control-flow Graph

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FE4A57
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE4B22
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE4B2E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CompatibleCreate$H_prolog3
                  • String ID:
                  • API String ID: 2193723985-0
                  • Opcode ID: 905be7d77c9e33a20a60e6ee3bb54519a3afb54641e8cc21f09024f4d685fcf3
                  • Instruction ID: ba68ddfcc076031308435d9307a01f7993c58b9da598b47ae1c590ec8eb41c52
                  • Opcode Fuzzy Hash: 905be7d77c9e33a20a60e6ee3bb54519a3afb54641e8cc21f09024f4d685fcf3
                  • Instruction Fuzzy Hash: 0651EDB09117648FCB54DF69C48128A7BA8BF09B10F1081AFED59DF24ADBB88541DFA0
                  APIs
                  • std::tr1::_Random_device.LIBCPMT ref: 00F8124A
                    • Part of subcall function 0108BA31: _rand_s.LIBCMT ref: 0108BA3D
                    • Part of subcall function 0108BA31: std::exception::exception.LIBCMT ref: 0108BA55
                    • Part of subcall function 0108BA31: __CxxThrowException@8.LIBCMT ref: 0108BA6A
                  • std::tr1::_Random_device.LIBCPMT ref: 00F81283
                  • Sleep.KERNEL32(00000000,?,?,?,00F813D3), ref: 00F81300
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Random_devicestd::tr1::_$Exception@8SleepThrow_rand_sstd::exception::exception
                  • String ID:
                  • API String ID: 1608111520-0
                  • Opcode ID: ea6597e896e0c156b2074258245e846124a53d9806f03951af0985f5638b3084
                  • Instruction ID: e03f3cff23745c3adbea7d0cfde81f8fceb42ed9b4df30d808c04f284fc96e41
                  • Opcode Fuzzy Hash: ea6597e896e0c156b2074258245e846124a53d9806f03951af0985f5638b3084
                  • Instruction Fuzzy Hash: 2D31C271D04218CFCB24EF68C9546EEB7B8FB05700F4006AEE49AD3685DB795A45CF45
                  APIs
                  • RegOpenKeyExA.KERNEL32(80000001,010D9008,00000000,00000001,?), ref: 00F82742
                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00F82762
                  • RegCloseKey.ADVAPI32(?), ref: 00F827A6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: ec38c7479c1c879e42cc6ef783ea34328bd27315090f1287ab3121579f1f2b38
                  • Instruction ID: 8fe0149d907b03ed4042fbb7cb8694a91c0d297f2c208e7ade5e7fc07ec9171f
                  • Opcode Fuzzy Hash: ec38c7479c1c879e42cc6ef783ea34328bd27315090f1287ab3121579f1f2b38
                  • Instruction Fuzzy Hash: A5215E71D00209EFDF14DF86D884AEEBBB8FF80314F2040AEE855A6200D7716A44DB11
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,52C1C1F0), ref: 010EE392
                  • LoadLibraryA.KERNEL32(00000238), ref: 010EE42F
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocLibraryLoadVirtual
                  • String ID:
                  • API String ID: 3550616410-0
                  • Opcode ID: 7e0c79198661b2741ae01facc8f50133e8dbab772c3c929e1b7d7c48f3c945cb
                  • Instruction ID: 7139232693fdf612acf3edf04af92d96f4a2e7d98913af4a4a1563e428e3a0c1
                  • Opcode Fuzzy Hash: 7e0c79198661b2741ae01facc8f50133e8dbab772c3c929e1b7d7c48f3c945cb
                  • Instruction Fuzzy Hash: 87321771A04A0E9FDF95EBADC888FAEBBF1FB58310F500565E189D7251DB34E9808B50
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memmove_s
                  • String ID:
                  • API String ID: 800865076-0
                  • Opcode ID: 7b7bb65bdce02bb0fb6c1ba5f9a34970ee3d8059c002633c0defbe5097d4451d
                  • Instruction ID: 2116d2c83a3ba411c6e596d1ea5a43a1ea805f1eda121193e0e9195dff36e369
                  • Opcode Fuzzy Hash: 7b7bb65bdce02bb0fb6c1ba5f9a34970ee3d8059c002633c0defbe5097d4451d
                  • Instruction Fuzzy Hash: 7911BF32A019199FDB44FB58DC98EEEB3D9EF95320B10815AF8009F215DA34BD41ABA0
                  APIs
                  • SetErrorMode.KERNEL32(00000000), ref: 00FB0F84
                  • SetErrorMode.KERNEL32(00000000), ref: 00FB0F8C
                    • Part of subcall function 00F89BCA: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00F89BFD
                    • Part of subcall function 00F89BCA: SetLastError.KERNEL32(0000006F), ref: 00F89C14
                    • Part of subcall function 00FB0DA9: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00FB0DE6
                    • Part of subcall function 00FB0DA9: PathFindExtensionA.SHLWAPI(?), ref: 00FB0E00
                    • Part of subcall function 00FB0DA9: __strdup.LIBCMT ref: 00FB0E48
                    • Part of subcall function 00FB0DA9: __strdup.LIBCMT ref: 00FB0E86
                    • Part of subcall function 00FB0DA9: __strdup.LIBCMT ref: 00FB0EBA
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Error__strdup$FileModeModuleName$ExtensionFindLastPath
                  • String ID:
                  • API String ID: 3517913719-0
                  • Opcode ID: 2cf893c5e681c6c49e6fa7b31358ccbaff039021cab5dfe9f181e9c62b240c96
                  • Instruction ID: 9f9e276141264ac610dd56b6a9d4cadda38c5a8bf1a5e4b1e5b1e7e47825989b
                  • Opcode Fuzzy Hash: 2cf893c5e681c6c49e6fa7b31358ccbaff039021cab5dfe9f181e9c62b240c96
                  • Instruction Fuzzy Hash: CFF06D71A102145FDB60FFA5D805EEA3B98EF44320F0A405AF5889B262DE78DC41DFA6
                  APIs
                  • ActivateActCtx.KERNEL32(?,?,010C9830,00000010,00F8F176,hhctrl.ocx,00F8E3A8,0000000C), ref: 00F8C64F
                  • LoadLibraryW.KERNEL32(?), ref: 00F8C666
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ActivateLibraryLoad
                  • String ID:
                  • API String ID: 389599620-0
                  • Opcode ID: 5e787faf84a35b882e17b11bc6978efe3f49e07f591c75a41a514ada9e1cd34f
                  • Instruction ID: 3ab039c9a15bbacd14ae092fedb57f47ac1a335a8210fcee0c9a027c0383aff4
                  • Opcode Fuzzy Hash: 5e787faf84a35b882e17b11bc6978efe3f49e07f591c75a41a514ada9e1cd34f
                  • Instruction Fuzzy Hash: 52F01CB0D00619DFCF21AFA1CC059DDBA70BF18B10F10852AE495A7264D6794A41EFA0
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 00F8479B
                  • SetWindowsHookExA.USER32(000000FF,Function_000045ED,00000000,00000000), ref: 00F847AB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentHookThreadWindows
                  • String ID:
                  • API String ID: 1904029216-0
                  • Opcode ID: 110d99ffbecaee40575b9d715cb240b8dc3c9874d1edd2bc5c9808e67e85e7c4
                  • Instruction ID: 88e4d37f31b3e495ba518a6229f7cb7e10564ecb3b1eb9f19484ed283885552c
                  • Opcode Fuzzy Hash: 110d99ffbecaee40575b9d715cb240b8dc3c9874d1edd2bc5c9808e67e85e7c4
                  • Instruction Fuzzy Hash: ACD0A931C093512FFB21BBB07C0DFD93A84EB05738F09034AF4A1960C5D6B898809BA2
                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 010EF2C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocString
                  • String ID:
                  • API String ID: 2525500382-0
                  • Opcode ID: 13055a546d3acc03fdeffe086f9be721a6484159b398ff6ac3d898ad76acf673
                  • Instruction ID: 201a9e57bae8defe64375f4e1cc45718c343e4dd9331c428899bdb08963a8dd1
                  • Opcode Fuzzy Hash: 13055a546d3acc03fdeffe086f9be721a6484159b398ff6ac3d898ad76acf673
                  • Instruction Fuzzy Hash: 04616E75200207AFC720CF26C888ADBBBE9FF88751F14856DEA99CB105D731EA45CB61
                  Memory Dump Source
                  • Source File: 00000000.00000002.4141479624.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5150000_2.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4d2fe86d082cadcaeb48be0158bf789e2e60bf552a8cab46c842e7d1915fc97d
                  • Instruction ID: 899963e16061a9b0d4935f61b6c84f28d9ee079dbc5a13b50fedbc737e806306
                  • Opcode Fuzzy Hash: 4d2fe86d082cadcaeb48be0158bf789e2e60bf552a8cab46c842e7d1915fc97d
                  • Instruction Fuzzy Hash: B141E471D043558BCB14DFB9D8046AEBBF5EF89320F14866AD919A7341DB789844CBE0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memcpy_s
                  • String ID:
                  • API String ID: 2001391462-0
                  • Opcode ID: 5b416640b6ef417d491efd08cf7416a5a782b5374264adfd0911f3906c76619b
                  • Instruction ID: 5339b4fc705385e750c01517d466a6c2046e8d4cc731acda37c62317b6bc6fef
                  • Opcode Fuzzy Hash: 5b416640b6ef417d491efd08cf7416a5a782b5374264adfd0911f3906c76619b
                  • Instruction Fuzzy Hash: 54114F75600A05AFD718DF5CC881CAAB3A9FF89320710865DE5558B390DB31ED01CBD0
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05157632), ref: 0515771F
                  Memory Dump Source
                  • Source File: 00000000.00000002.4141479624.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5150000_2.jbxd
                  Similarity
                  • API ID: GlobalMemoryStatus
                  • String ID:
                  • API String ID: 1890195054-0
                  • Opcode ID: b388dd5e59a940513d1e3a54a59807b4cfc0f000135f1a109d0c0950edb6df59
                  • Instruction ID: 2b20a8c1e4936cc2acb6ab704bb188674ba460f9ddffc5fb3fcbb99ec59114ed
                  • Opcode Fuzzy Hash: b388dd5e59a940513d1e3a54a59807b4cfc0f000135f1a109d0c0950edb6df59
                  • Instruction Fuzzy Hash: AE1106B1C00659DBCB10CFAAD445BDEFBF4EB48320F14851AD918B7640D778A954CFA1
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05157632), ref: 0515771F
                  Memory Dump Source
                  • Source File: 00000000.00000002.4141479624.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_5150000_2.jbxd
                  Similarity
                  • API ID: GlobalMemoryStatus
                  • String ID:
                  • API String ID: 1890195054-0
                  • Opcode ID: d23ffce58d2ed5f21245926dd1f38a2b1cf05e2c5995391715a1d8f556def7d0
                  • Instruction ID: d097ac6f68cf3309b0ccff0d54096cf730f6a731912268fd8c6d0effb033d534
                  • Opcode Fuzzy Hash: d23ffce58d2ed5f21245926dd1f38a2b1cf05e2c5995391715a1d8f556def7d0
                  • Instruction Fuzzy Hash: 981136B1C04659DBCB10CFAAC445BAEFBF4EB48320F14816AD828B7240D778A900CFE1
                  APIs
                    • Part of subcall function 00F81E10: FindResourceW.KERNEL32(?,?,00000006), ref: 00F81E28
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,?,00000001,?,00000000,00000000,?,?,00000000,?,00F8796A,?,?,00000080), ref: 00F8AE3C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharFindMultiResourceWide
                  • String ID:
                  • API String ID: 3726879926-0
                  • Opcode ID: d6491f2fa8c34b1888e97dab306e4cb32c90dd950a57288da93772c7ea5f0d20
                  • Instruction ID: 31f62fb5b40d0748dc6f4a62cede0a72b0aa17bf948ae04448ea2a69f835e18a
                  • Opcode Fuzzy Hash: d6491f2fa8c34b1888e97dab306e4cb32c90dd950a57288da93772c7ea5f0d20
                  • Instruction Fuzzy Hash: 3BF090731052596FA7203BA69CC9DAB7B9CEA81374315482BF6408B101D5259C40E372
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F9267A
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Exception@8H_prolog3Throw
                  • String ID:
                  • API String ID: 3670251406-0
                  • Opcode ID: 86f1bd521537ec38dfe3942517496d3e16aa519fbc3679c29fba589b023ed55a
                  • Instruction ID: 9a708e459a5e3e5edd6ced38565110f0f402fae91403f1c40ee2fc1e772d8f24
                  • Opcode Fuzzy Hash: 86f1bd521537ec38dfe3942517496d3e16aa519fbc3679c29fba589b023ed55a
                  • Instruction Fuzzy Hash: 2A017C35A00242EBFF68BF75C822B6936A5AF54370B14442CE5C18B690DF798D81EB14
                  APIs
                  • FindResourceW.KERNEL32(?,?,00000006), ref: 00F81E28
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: FindResource
                  • String ID:
                  • API String ID: 1635176832-0
                  • Opcode ID: 95808f9d4ddf1bfaf957453e6c323851f2fcd79c9be2efcf5640e6af4ed41ad8
                  • Instruction ID: 99dcc4af54d09158ab8935d94b93beabf41676dec66dce1b8ebc208ac5dc0408
                  • Opcode Fuzzy Hash: 95808f9d4ddf1bfaf957453e6c323851f2fcd79c9be2efcf5640e6af4ed41ad8
                  • Instruction Fuzzy Hash: 91E08C26B0002836A520695EBC41AFBB75CDAC2ABAB00012AFD49DA200D265A81262F0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: _malloc
                  • String ID:
                  • API String ID: 1579825452-0
                  • Opcode ID: 347b4c30a17fa66d3bef1b85aeaf0289839753c852e0d35e3b254d052ab95f8e
                  • Instruction ID: e244a663ef5c19ef57f8f655a567767a471054ff8d564b01300ceb892424ef47
                  • Opcode Fuzzy Hash: 347b4c30a17fa66d3bef1b85aeaf0289839753c852e0d35e3b254d052ab95f8e
                  • Instruction Fuzzy Hash: 85E06D335082165BC704AB59D404B8ABBECEFA1371B26C426E404DB2B1CAB9E9048BA0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: __flsbuf
                  • String ID:
                  • API String ID: 2056685748-0
                  • Opcode ID: 17efb198e9d50810feac4ec53801595fed1016d72db0f62af5d22e3c61262916
                  • Instruction ID: 81a0a236ea50502011d6e50663eac1c442637f92c9dac00e357974cf045b24bb
                  • Opcode Fuzzy Hash: 17efb198e9d50810feac4ec53801595fed1016d72db0f62af5d22e3c61262916
                  • Instruction Fuzzy Hash: 45E0923081450589D6650BA4D0057307FA4AF02619B3486CEC7CC881E3C3BA8042CB28
                  APIs
                    • Part of subcall function 00F81150: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F8116A
                    • Part of subcall function 00F81150: _memset.LIBCMT ref: 00F8118F
                    • Part of subcall function 00F81150: Process32First.KERNEL32(00000000,00000128), ref: 00F811A1
                    • Part of subcall function 00F81150: Process32Next.KERNEL32(00000000,00000128), ref: 00F811BA
                    • Part of subcall function 00F81150: CloseHandle.KERNEL32(00000000,00000001), ref: 00F811CD
                    • Part of subcall function 00F811F0: std::tr1::_Random_device.LIBCPMT ref: 00F8124A
                    • Part of subcall function 00F811F0: std::tr1::_Random_device.LIBCPMT ref: 00F81283
                    • Part of subcall function 00F811F0: Sleep.KERNEL32(00000000,?,?,?,00F813D3), ref: 00F81300
                  • VirtualProtect.KERNEL32(010DE7D8,00011999,00000040,?), ref: 00F813E4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32Random_devicestd::tr1::_$CloseCreateFirstHandleNextProtectSleepSnapshotToolhelp32Virtual_memset
                  • String ID:
                  • API String ID: 3549678049-0
                  • Opcode ID: 7a4be20b71cf79d41d8129803bb203f5aca77326fa65e7f67a5139832d307fdd
                  • Instruction ID: 471e0517e40f9c65e19c9ef5b47236c5e014f4e94c05ef637d83101c9a02735a
                  • Opcode Fuzzy Hash: 7a4be20b71cf79d41d8129803bb203f5aca77326fa65e7f67a5139832d307fdd
                  • Instruction Fuzzy Hash: 58D0A7B225470857A114B6F89C0BEE572CCBB80B20F000379BF94996C0FD545510A2BB
                  APIs
                    • Part of subcall function 00FAD61B: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00FAD64E
                    • Part of subcall function 00FAD61B: _memset.LIBCMT ref: 00FAD667
                  • SystemParametersInfoA.USER32(00000029,-00000158,?,00000000), ref: 00F951EF
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressInfoParametersProcSystem_memset
                  • String ID:
                  • API String ID: 831922234-0
                  • Opcode ID: 653a71ebf5ecd5a2908d8e588c1fcfccf8c8800e31e8869f3addf256858d593f
                  • Instruction ID: 4ece0b9dd375598eb7a3cb6811fe4d716248b512df7f0bfaf35d2ec6f3f7ffd7
                  • Opcode Fuzzy Hash: 653a71ebf5ecd5a2908d8e588c1fcfccf8c8800e31e8869f3addf256858d593f
                  • Instruction Fuzzy Hash: 8BD0A7B3590A04AFE3001B74EC0EF7A370DEBA2725F540A24B519CB2C0DB7AD800C210
                  APIs
                  • DeleteObject.GDI32(00000000), ref: 00F88CEF
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteObject
                  • String ID:
                  • API String ID: 1531683806-0
                  • Opcode ID: f5cc0b8e78d9699c898f50da3e963be694dbd75d18ec8932d3a2d7e9e48d3e01
                  • Instruction ID: 08e7c52e7bb0d268a559d29d4e1265c05b57b992e39f3a08b39c6d26328447b5
                  • Opcode Fuzzy Hash: f5cc0b8e78d9699c898f50da3e963be694dbd75d18ec8932d3a2d7e9e48d3e01
                  • Instruction Fuzzy Hash: 5BB09270802100AEDE9077709A0A79636646B8239AF408898B404D1009EE3E844AA720
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140502398.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_26fd000_2.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 478e8796ddeb604b9446254fffde211a0a13ff9ed46d595cdf28d7e4b5c4427c
                  • Instruction ID: d4faf2bf35b3dfa2595ba902963a23542078e995e47702f4448fd8b9e71ebd7d
                  • Opcode Fuzzy Hash: 478e8796ddeb604b9446254fffde211a0a13ff9ed46d595cdf28d7e4b5c4427c
                  • Instruction Fuzzy Hash: AB21F572504244DFDF49CF14D9C0B26BFA5FB89314F24C569EB094B256C33AE416CBA1
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140502398.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_26fd000_2.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a5278cc6fbb14a0929445a03b45188c5d19622b0962ac886420b8d3bf4074872
                  • Instruction ID: cb55a930e6a7bebb62f4b3f783e34951180b63243eb3f854eb44f8c3c36628db
                  • Opcode Fuzzy Hash: a5278cc6fbb14a0929445a03b45188c5d19622b0962ac886420b8d3bf4074872
                  • Instruction Fuzzy Hash: A521AF76504284DFDF16CF10D9C4B16BF72FB84314F24C2A9DA484B656C33AE42ACBA1
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140502398.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_26fd000_2.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 79a54fe828139a4f153be4f3c2756a7b8770105757ed015ac241bd1ba431301b
                  • Instruction ID: cabe4eb55f695b4ceb8cfe9bea2105ec81856fca6db5d515507c247011a0c39c
                  • Opcode Fuzzy Hash: 79a54fe828139a4f153be4f3c2756a7b8770105757ed015ac241bd1ba431301b
                  • Instruction Fuzzy Hash: 2A01527100E3C09ED7128B258C94B52BFB4DF43224F1DC1CBD9888F2A3C2699849C772
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140502398.00000000026FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026FD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_26fd000_2.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f480f64539969a18bee1463b6fc82f604ac969cccf25496df2c0a0891d6ffc21
                  • Instruction ID: d94f16f8a2e12afb1d53b830a2249e434da67d1454e920ac8974f5be5913a88a
                  • Opcode Fuzzy Hash: f480f64539969a18bee1463b6fc82f604ac969cccf25496df2c0a0891d6ffc21
                  • Instruction Fuzzy Hash: C601DB71408380AAEB608F26CC84B67BFD8DF45764F18C51AEE494F642C379A846C6B1
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0100615F
                  • GetKeyState.USER32(00000001), ref: 010061A4
                  • GetKeyState.USER32(00000002), ref: 010061B1
                  • GetKeyState.USER32(00000004), ref: 010061BE
                  • GetParent.USER32(?), ref: 010061E3
                  • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 01006297
                  • _memset.LIBCMT ref: 010062AB
                  • ScreenToClient.USER32(?,?), ref: 010062D2
                  • _memset.LIBCMT ref: 010062E0
                  • GetCursorPos.USER32(?), ref: 01006336
                  • SendMessageA.USER32(?,00000412,00000000,?), ref: 0100635A
                  • SendMessageA.USER32(?,00000404,00000000,?), ref: 010063BA
                  • SendMessageA.USER32(?,00000401,00000001,00000000), ref: 010063E0
                  • SendMessageA.USER32(?,00000411,00000001,?), ref: 010063FC
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0100640F
                  • SendMessageA.USER32(?,00000405,00000000,?), ref: 0100643A
                  • _memset.LIBCMT ref: 01006462
                  • _free.LIBCMT ref: 0100648C
                  • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 010064A3
                  • GetParent.USER32(?), ref: 010064D0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$State_memset$Parent$ClientCursorH_prolog3_ScreenWindow_free
                  • String ID: ,
                  • API String ID: 2464378573-3772416878
                  • Opcode ID: 49035cb0144ab7289adbf1697d6f22f0d65f4c026bdaca41d9b3c30424da1a11
                  • Instruction ID: 2d689e03e00886d8979aa6ba385586a3911e178abc03d4d5245c528302dd1b84
                  • Opcode Fuzzy Hash: 49035cb0144ab7289adbf1697d6f22f0d65f4c026bdaca41d9b3c30424da1a11
                  • Instruction Fuzzy Hash: 0EC1A070A006159FFF769F68C884B9D7BB2BF04310F2142A9EA85A71D6DB779861CF40
                  APIs
                  • __EH_prolog3.LIBCMT ref: 010106F7
                    • Part of subcall function 00FE0358: FillRect.USER32(?,00000020), ref: 00FE036C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: FillH_prolog3Rect
                  • String ID: d
                  • API String ID: 1863035756-2564639436
                  • Opcode ID: a9bfd9ffe7766a970ba690f2d71f29076a7931abc0c2cf8a579286c5d9b1baae
                  • Instruction ID: 789c624f5d34b15373392fc31dc905cd9dc4558520133ba1819a12209aa98863
                  • Opcode Fuzzy Hash: a9bfd9ffe7766a970ba690f2d71f29076a7931abc0c2cf8a579286c5d9b1baae
                  • Instruction Fuzzy Hash: C2C1CB71A0021A9FDF15DFA8CC919EEBBF5FF08300F104269F5D1A6299C7389991DBA0
                  APIs
                  • IsWindow.USER32(?), ref: 00FB85BB
                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00FB85D7
                  • GetCapture.USER32 ref: 00FB8651
                  • GetKeyState.USER32(00000011), ref: 00FB86B3
                  • GetKeyState.USER32(00000010), ref: 00FB86C0
                  • ImmGetContext.IMM32(?), ref: 00FB86CE
                  • ImmGetOpenStatus.IMM32(00000000,?), ref: 00FB86DB
                  • ImmReleaseContext.IMM32(?,00000000,?), ref: 00FB86FD
                  • GetFocus.USER32 ref: 00FB8727
                  • IsWindow.USER32(?), ref: 00FB8768
                  • IsWindow.USER32(?), ref: 00FB87EE
                  • ClientToScreen.USER32(?,?), ref: 00FB87FE
                  • IsWindow.USER32(?), ref: 00FB8824
                  • ClientToScreen.USER32(?,?), ref: 00FB8853
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
                  • String ID:
                  • API String ID: 1155058817-0
                  • Opcode ID: a3c9a3d041ed2c10e82c76b19943adcc6a3895f8ceac9de8a73ab3b828707cbc
                  • Instruction ID: 32aa917ae0808149f1d270307dcf471e93830b5f9eda4829d4cbd46a2ad93eac
                  • Opcode Fuzzy Hash: a3c9a3d041ed2c10e82c76b19943adcc6a3895f8ceac9de8a73ab3b828707cbc
                  • Instruction Fuzzy Hash: 71A18171900606ABDF34AF62CC80AFEB7A9BF843A4F284429E59692451DF35DD52FF40
                  APIs
                  • IsWindow.USER32(?), ref: 00FB671B
                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00FB6737
                  • GetCapture.USER32 ref: 00FB67B7
                  • GetKeyState.USER32(00000011), ref: 00FB680A
                  • GetKeyState.USER32(00000010), ref: 00FB6817
                  • ImmGetContext.IMM32(?), ref: 00FB6825
                  • ImmGetOpenStatus.IMM32(00000000,?), ref: 00FB6832
                  • ImmReleaseContext.IMM32(00000000,00000000,?), ref: 00FB6854
                  • GetFocus.USER32 ref: 00FB687E
                  • IsWindow.USER32(?), ref: 00FB68BF
                  • IsWindow.USER32(?), ref: 00FB6945
                  • ClientToScreen.USER32(?,?), ref: 00FB6955
                  • IsWindow.USER32(?), ref: 00FB697B
                  • ClientToScreen.USER32(?,?), ref: 00FB69AA
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
                  • String ID:
                  • API String ID: 1155058817-0
                  • Opcode ID: a4029a847aad24357e8b582070ad0e51b6ae38fba21c291d9111c576b28f5345
                  • Instruction ID: c55725ae2f672351aadf455adcc1ec6dbf185f9b7140f3eea772ac13a6e86934
                  • Opcode Fuzzy Hash: a4029a847aad24357e8b582070ad0e51b6ae38fba21c291d9111c576b28f5345
                  • Instruction Fuzzy Hash: 7A919E31900606ABDF24AFA2C894AF9B7A9FF04328F20842EE695D5461DF3DD950EF01
                  APIs
                  • SetRectEmpty.USER32(?), ref: 00FA0112
                  • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00FA0130
                  • ReleaseCapture.USER32 ref: 00FA0136
                  • SetCapture.USER32(?), ref: 00FA0149
                  • ReleaseCapture.USER32 ref: 00FA01BE
                  • SetCapture.USER32(?), ref: 00FA01D1
                  • SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00FA02AA
                  • UpdateWindow.USER32(?), ref: 00FA030D
                  • SendMessageA.USER32(?,00000111,000000FF,00000000), ref: 00FA0355
                  • IsWindow.USER32(?), ref: 00FA0360
                  • IsIconic.USER32(?), ref: 00FA036D
                  • IsZoomed.USER32(?), ref: 00FA037A
                  • IsWindow.USER32(?), ref: 00FA038E
                  • UpdateWindow.USER32(?), ref: 00FA03DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
                  • String ID:
                  • API String ID: 2500574155-0
                  • Opcode ID: 6e40f58d85c0483f55858f97d2f2d1cac4254926afc6ee428817c4636942644a
                  • Instruction ID: f21bfda7854e805df37c8badfa9dd024c9dc540f3d417db8f86a29334269afbd
                  • Opcode Fuzzy Hash: 6e40f58d85c0483f55858f97d2f2d1cac4254926afc6ee428817c4636942644a
                  • Instruction Fuzzy Hash: 3AA15B71A00204AFDF219F24DC98AAD3BB6BF49324F1441B8FC5A9B2A5CF35D945EB50
                  APIs
                  • IsWindow.USER32(?), ref: 00FF296C
                  • GetFocus.USER32 ref: 00FF297A
                  • IsChild.USER32(?,?), ref: 00FF29AE
                  • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00FF29E2
                  • IsChild.USER32(?,?), ref: 00FF29FE
                  • SendMessageA.USER32(?,00000100,?,00000000), ref: 00FF2A2D
                  • IsIconic.USER32(?), ref: 00FF2A6E
                  • GetAsyncKeyState.USER32(00000011), ref: 00FF2AF4
                  • GetAsyncKeyState.USER32(00000012), ref: 00FF2B06
                  • GetAsyncKeyState.USER32(00000010), ref: 00FF2B13
                  • IsWindowVisible.USER32(?), ref: 00FF2B74
                    • Part of subcall function 010206BF: RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 010206EC
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AsyncStateWindow$ChildMessageSend$FocusIconicRedrawVisible
                  • String ID:
                  • API String ID: 763474574-0
                  • Opcode ID: e447904a8ca75c24753a4e04aa846c04e28a1dfe6b075d9e77019ef447622800
                  • Instruction ID: 2692a3b28fd91f3a016707c36ce54daeaf35b66089bfce2b51a1b1536e3b24d9
                  • Opcode Fuzzy Hash: e447904a8ca75c24753a4e04aa846c04e28a1dfe6b075d9e77019ef447622800
                  • Instruction Fuzzy Hash: E5719132A002599FDFB0AF64C881BBD7BB5BF44364F0440A9EB859B171DB799C40EB50
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FCCAF2
                  • _strlen.LIBCMT ref: 00FCCBB1
                  • _strlen.LIBCMT ref: 00FCCBBB
                  • _strlen.LIBCMT ref: 00FCCC2B
                  • _memcpy_s.LIBCMT ref: 00FCCC71
                    • Part of subcall function 00F87861: __EH_prolog3.LIBCMT ref: 00F87868
                  • _strlen.LIBCMT ref: 00FCCC86
                  • _memcpy_s.LIBCMT ref: 00FCCCD1
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • PathRemoveFileSpecW.SHLWAPI(?,00000000), ref: 00FCCDE8
                    • Part of subcall function 00F87071: _wmemcpy_s.LIBCPMT ref: 00F870B5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: _strlen$H_prolog3_memcpy_s$Exception@8FilePathRemoveSpecThrow_wmemcpy_s
                  • String ID:
                  • API String ID: 1975291721-3916222277
                  • Opcode ID: 81c48340a9a0b4ec226c335feddbda56fe39de549f051ad62aaf408b44627425
                  • Instruction ID: 8cf39f6f49b8ea3f45ee108bb91d8d233e6f0eabcf7db983bfcbf0bb2631360e
                  • Opcode Fuzzy Hash: 81c48340a9a0b4ec226c335feddbda56fe39de549f051ad62aaf408b44627425
                  • Instruction Fuzzy Hash: 90028171D002078FDB18DBA4CA46FBEB7B5BF44321F14426DE556AB291DB349901EBA0
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset$CreateH_prolog3_InitializeInstanceVersion__cftof_malloc
                  • String ID: X
                  • API String ID: 173258153-3081909835
                  • Opcode ID: faa9a061568a28295a518673126f4d1df9e364b562fb637d2bc2dfa2eeff6050
                  • Instruction ID: 44c0d78fb56c5bcf277e06438d0efd258298dbccfa1780af65c31d1045a637b0
                  • Opcode Fuzzy Hash: faa9a061568a28295a518673126f4d1df9e364b562fb637d2bc2dfa2eeff6050
                  • Instruction Fuzzy Hash: B38148B0A0071A9FDB60DF24C985F9ABBF4BF09304F10849DE59E9B242D734A985DF51
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FFCCDF
                  • SetRectEmpty.USER32(?), ref: 00FFCCF5
                  • SetRectEmpty.USER32(?), ref: 00FFCD57
                  • SendMessageA.USER32(?,0000040D,00000000,00000000), ref: 00FFCD89
                  • OffsetRect.USER32(?,00000000,00000002), ref: 00FFD053
                  • SetRectEmpty.USER32(?), ref: 00FFD0D1
                  • OffsetRect.USER32(?,00000000,00000002), ref: 00FFD421
                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00FFD538
                  • OffsetRect.USER32(?,00000000,?), ref: 00FFD569
                  • IsRectEmpty.USER32(?), ref: 00FFD5C7
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Empty$Offset$H_prolog3_InflateMessageSend
                  • String ID:
                  • API String ID: 1582263272-0
                  • Opcode ID: 941f654b7d553409ba1f0fcf81e783d920bd219211a1bdf4190ace2899c620ac
                  • Instruction ID: fbebb7a10f3c5fe7a9b317b49f780965b5525857a472be638d452413e9b5aa24
                  • Opcode Fuzzy Hash: 941f654b7d553409ba1f0fcf81e783d920bd219211a1bdf4190ace2899c620ac
                  • Instruction Fuzzy Hash: 0E620771D01619CFDB24DF68C9C4AADB7B2BF44310F28427AD949AF26AD731A841DF60
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00F9C5C4
                  • GetClientRect.USER32(?,?), ref: 00F9C615
                    • Part of subcall function 00F95AF2: __EH_prolog3.LIBCMT ref: 00F95AF9
                    • Part of subcall function 00F95AF2: GetClientRect.USER32(?,?), ref: 00F95B4C
                  • GetClientRect.USER32(?,?), ref: 00F9C6D4
                  • SetRectEmpty.USER32(?), ref: 00F9CA28
                  • IntersectRect.USER32(?,?,?), ref: 00F9CA63
                    • Part of subcall function 00F95C46: __EH_prolog3_GS.LIBCMT ref: 00F95C4D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Client$H_prolog3_$EmptyH_prolog3Intersect
                  • String ID:
                  • API String ID: 1307055728-0
                  • Opcode ID: 45a3323c672697bb4dc5da248ce0a960293db8d2d6aa820eac533261773d30e1
                  • Instruction ID: e8979e9a0cf5d11abc98c0e0d3cd27d3807a6990e0b661ef950a738d0574e201
                  • Opcode Fuzzy Hash: 45a3323c672697bb4dc5da248ce0a960293db8d2d6aa820eac533261773d30e1
                  • Instruction Fuzzy Hash: 06428C71E00229DFEF24DF64C984BADBBB5BF48710F0441AAE54AA7250DB349E84DF91
                  APIs
                  • __EH_prolog3_catch_GS.LIBCMT ref: 0100B196
                    • Part of subcall function 00F88ADB: __EH_prolog3.LIBCMT ref: 00F88AE2
                    • Part of subcall function 00F88ADB: GetWindowDC.USER32(00000000,00000004,00F95F09,00000000,?,?,010A4E00), ref: 00F88B0E
                  • CreateCompatibleDC.GDI32(00000000), ref: 0100B1C9
                  • CreateCompatibleBitmap.GDI32(?,00000010,00000010), ref: 0100B1EC
                  • FillRect.USER32(?,00000000), ref: 0100B264
                  • OpenClipboard.USER32(?), ref: 0100B29B
                  • EmptyClipboard.USER32 ref: 0100B2AD
                  • CloseClipboard.USER32 ref: 0100B2C4
                  • SetClipboardData.USER32(00000002,00000000), ref: 0100B2DA
                  • CloseClipboard.USER32 ref: 0100B2F1
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Clipboard$CloseCompatibleCreate$BitmapDataEmptyFillH_prolog3H_prolog3_catch_OpenRectWindow
                  • String ID:
                  • API String ID: 2025026072-0
                  • Opcode ID: 5c7b089d5d2563f4c363489f60214a5eb5804ca1f3820c0b5d3fd910761793c8
                  • Instruction ID: 50e2de2376298873ed3d975de8379334f58ee2e4373cf179e2faf8bbe12b9a50
                  • Opcode Fuzzy Hash: 5c7b089d5d2563f4c363489f60214a5eb5804ca1f3820c0b5d3fd910761793c8
                  • Instruction Fuzzy Hash: DB416B74C00248EFEB12EBE4CC49AEDBBB4BF18354F508159E491B22D6DF395A05DB61
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 010210C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: RectWindow
                  • String ID: y
                  • API String ID: 861336768-4225443349
                  • Opcode ID: c40452c7116b3dfc25a3cc1cb635aaa4dc9145f82f91d4ef4d1bb6a6acd74e7a
                  • Instruction ID: 89613a4b7da1b1aa0679fdea491ffcc5a0d689cb4d7860f5121360b5cd2c076e
                  • Opcode Fuzzy Hash: c40452c7116b3dfc25a3cc1cb635aaa4dc9145f82f91d4ef4d1bb6a6acd74e7a
                  • Instruction Fuzzy Hash: EB31D372D00229ABDF609F6CC8857EE7BF5FF48304F6144BAE995E7242DA348540CB90
                  APIs
                  • SetRectEmpty.USER32(?), ref: 00FEE65E
                  • SetRectEmpty.USER32(?), ref: 00FEE667
                  • InflateRect.USER32(?), ref: 00FEE749
                    • Part of subcall function 00FED58C: __EH_prolog3_GS.LIBCMT ref: 00FED596
                    • Part of subcall function 00FED58C: InflateRect.USER32(000000FE,000000FD,00000000), ref: 00FED609
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$EmptyInflate$H_prolog3_
                  • String ID:
                  • API String ID: 3226488205-0
                  • Opcode ID: 630810f5af44ef7094163e9491aded9184ba3742b15b255d6848e80be3476862
                  • Instruction ID: 81a0f3c634dcda9171b84d4fa60245732b415b6a9ac18b1936bf1c50b7dcb747
                  • Opcode Fuzzy Hash: 630810f5af44ef7094163e9491aded9184ba3742b15b255d6848e80be3476862
                  • Instruction Fuzzy Hash: 49D18831D00649DFCF15CFA9D885AEE77B2FF48320F184229EC15AB249DA319D45EBA1
                  APIs
                  • SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 00FAEDD3
                  • UpdateWindow.USER32(?), ref: 00FAEDEA
                  • GetKeyState.USER32(00000079), ref: 00FAEE0F
                  • GetKeyState.USER32(00000012), ref: 00FAEE1C
                  • GetParent.USER32(?), ref: 00FAEED2
                  • PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00FAEEEE
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageState$Exception@8ParentPostSendThrowUpdateWindow
                  • String ID:
                  • API String ID: 3830675576-0
                  • Opcode ID: c9bad33d08e5717c672941c8d8f5639f22f0827487fefef13c82e1b41e3e24d0
                  • Instruction ID: 4491c75f57d9d2dd5f52ffe48fce4f7636f8212c0a98ba5141ea3f5248e05729
                  • Opcode Fuzzy Hash: c9bad33d08e5717c672941c8d8f5639f22f0827487fefef13c82e1b41e3e24d0
                  • Instruction Fuzzy Hash: 0F41D7B1A00702DBEB309F24C888FAAB7F5BF55364F11892CE49A571D1DB75AC40EB50
                  APIs
                  • _strcpy_s.LIBCMT ref: 00F82D81
                    • Part of subcall function 010768CC: __getptd_noexit.LIBCMT ref: 010768CC
                  • GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 00F82D99
                  • __snwprintf_s.LIBCMT ref: 00F82DCE
                  • LoadLibraryA.KERNEL32(?), ref: 00F82E09
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s_strcpy_s
                  • String ID: LOC
                  • API String ID: 1155623865-519433814
                  • Opcode ID: eb49039cf1a082a8517d015f5cdf5ef06afb925d7b3e35c7605902377456f273
                  • Instruction ID: c893d16322f2baa730aada708a6e2dba3cff485bc09d0062575397c70cb28055
                  • Opcode Fuzzy Hash: eb49039cf1a082a8517d015f5cdf5ef06afb925d7b3e35c7605902377456f273
                  • Instruction Fuzzy Hash: 30210A72D00209ABDBA0BB64CC45FE937A8AF01310F1044B5B64597080DE76AD45ABB8
                  APIs
                  • GetParent.USER32(?), ref: 00FDA2D2
                  • GetKeyState.USER32(00000012), ref: 00FDA304
                  • GetKeyState.USER32(00000011), ref: 00FDA30D
                  • SendMessageA.USER32(?,00000157,00000000,00000000), ref: 00FDA326
                  • SendMessageA.USER32(?,0000014F,00000001,00000000), ref: 00FDA337
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSendState$Parent
                  • String ID:
                  • API String ID: 1284845784-0
                  • Opcode ID: 793f85e9786410ed3700316c9ead6da96b189b2df2296b0640490aa55be38c65
                  • Instruction ID: 3563c850fbe7237d29d262c3cee86108f9e44a6ea14235e97af5ce041f59affb
                  • Opcode Fuzzy Hash: 793f85e9786410ed3700316c9ead6da96b189b2df2296b0640490aa55be38c65
                  • Instruction Fuzzy Hash: D421D332600600ABDF3666798C05B6D7657BBC4760F2C411AF1825A394EA279801E75A
                  APIs
                  • IsDebuggerPresent.KERNEL32 ref: 0107B8CF
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0107B8E4
                  • UnhandledExceptionFilter.KERNEL32(010BCAA0), ref: 0107B8EF
                  • GetCurrentProcess.KERNEL32(C0000409), ref: 0107B90B
                  • TerminateProcess.KERNEL32(00000000), ref: 0107B912
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                  • String ID:
                  • API String ID: 2579439406-0
                  • Opcode ID: ae6908180f4757f5450e103844097014b56ae5ba3dc5df7334913c6531796d87
                  • Instruction ID: 66a7b1cdd2ba327d7ee5790cfbede64c0f5a154c911500f3b8dfc4447d3475f7
                  • Opcode Fuzzy Hash: ae6908180f4757f5450e103844097014b56ae5ba3dc5df7334913c6531796d87
                  • Instruction Fuzzy Hash: C021E0B4801304DFD760EF68F84A6483BF4FB08314FA0405EE4C9A7A88E7BA5882CF55
                  APIs
                  • FindResourceA.KERNEL32(?,00000000,00000005), ref: 00F86518
                  • LoadResource.KERNEL32(?,00000000), ref: 00F86520
                  • LockResource.KERNEL32(00000000), ref: 00F86532
                  • FreeResource.KERNEL32(00000000), ref: 00F86580
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 9d0e63259a1439717fa3995adcbff93d25635c0ee96636bf1f733ae101b569a4
                  • Instruction ID: d5b4540ed8f03007e0b6871fec2b3332fbb8fe2cf0edb5c6a450d2216cb64d24
                  • Opcode Fuzzy Hash: 9d0e63259a1439717fa3995adcbff93d25635c0ee96636bf1f733ae101b569a4
                  • Instruction Fuzzy Hash: 8F110135900610EFDB30AFA5C888BF6B3B4FF04725F188169E89297694E774ED44E7A0
                  APIs
                    • Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
                  • GetKeyState.USER32(00000010), ref: 00F8E1A7
                  • GetKeyState.USER32(00000011), ref: 00F8E1B0
                  • GetKeyState.USER32(00000012), ref: 00F8E1B9
                  • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00F8E1CF
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: State$LongMessageSendWindow
                  • String ID:
                  • API String ID: 1063413437-0
                  • Opcode ID: c08d3da4e33e2e1189232b12343140fe709ca51e9d7d8ad726f0a8b76d1ad558
                  • Instruction ID: 8258503bc87ea19a56a5825e84c078118fe9454fd8d7a6b2d763a956090b7ce8
                  • Opcode Fuzzy Hash: c08d3da4e33e2e1189232b12343140fe709ca51e9d7d8ad726f0a8b76d1ad558
                  • Instruction Fuzzy Hash: 11F0A73674065B6BEE2476708D0AFE55925AF94BE9F100435BF83EA4C1DEB5D802B3B0
                  APIs
                  • GetAsyncKeyState.USER32(00000011), ref: 00FD017C
                  • GetAsyncKeyState.USER32(00000012), ref: 00FD018E
                  • GetAsyncKeyState.USER32(00000010), ref: 00FD019B
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AsyncState
                  • String ID:
                  • API String ID: 425341421-0
                  • Opcode ID: e5123572d3fad187d55d59c7cbc0011fd9bd823c4179e268c81c4816a6ee12b0
                  • Instruction ID: be06ec554f80cf851b52d9d883a48ba8b2ea3bb440848cb4b83f5a45fa1f64e7
                  • Opcode Fuzzy Hash: e5123572d3fad187d55d59c7cbc0011fd9bd823c4179e268c81c4816a6ee12b0
                  • Instruction Fuzzy Hash: 0711D331604248ABDB24CB15C840FED7BA6AF05724F0CC06AF9498F381CBB5D901EB60
                  APIs
                  • GetKeyState.USER32(00000010), ref: 00FF239E
                  • GetKeyState.USER32(00000011), ref: 00FF23A7
                  • GetKeyState.USER32(00000012), ref: 00FF23B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: State
                  • String ID:
                  • API String ID: 1649606143-0
                  • Opcode ID: 670fe5bf0a6c58caf6575cc941e7697da8f4d072405c577c4cf20847249b3f84
                  • Instruction ID: 938e44037074d9990d0f008d36cff76b7d312b47f6d373a24a2ab6937c8299c2
                  • Opcode Fuzzy Hash: 670fe5bf0a6c58caf6575cc941e7697da8f4d072405c577c4cf20847249b3f84
                  • Instruction Fuzzy Hash: A7F0E5B560231D9FDFB06A508C00FFD7E549F00794F008869AFC4671B1DAA8E941A6A4
                  APIs
                  • IsIconic.USER32(?), ref: 00FF48AD
                  • PostMessageA.USER32(?,00000112,0000F060,00000000), ref: 00FF48FD
                    • Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: IconicLongMessagePostWindow
                  • String ID:
                  • API String ID: 1855654840-0
                  • Opcode ID: 54717b657607585647b255f7ca6bd78554928e3a634d953cfc2ff1d4db126a38
                  • Instruction ID: c67855e857ac3dea8f690be2709252df1436859ec88085d912786686f5ff5c79
                  • Opcode Fuzzy Hash: 54717b657607585647b255f7ca6bd78554928e3a634d953cfc2ff1d4db126a38
                  • Instruction Fuzzy Hash: 6011AD77A106498BE7349A78CD45B7B72A6FF58364F080629E292C22A5D668FC00F610
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FE4175
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00000584,00FE4735,?,00000000,00000084,00FE4BDC,0000000A,0000000A,0000000A,00000000,00000014,00FDCBFB), ref: 00FE4224
                  • __splitpath_s.LIBCMT ref: 00FE4253
                  • __splitpath_s.LIBCMT ref: 00FE4272
                  • __makepath_s.LIBCMT ref: 00FE42A2
                  • _strlen.LIBCMT ref: 00FE42AE
                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000584,00FE4735,?,00000000,00000084,00FE4BDC,0000000A,0000000A), ref: 00FE42E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: File__splitpath_s$CreateH_prolog3_ModuleName__makepath_s_strlen
                  • String ID:
                  • API String ID: 114649838-3916222277
                  • Opcode ID: aef8aa56a8a4e0d0e2b12a40a641070ecb83b7aa3bb270accb1619c83922c540
                  • Instruction ID: 13bac1ac01dec2e8c5d92497ce87c307174edfcf2feb584a55e5dce6bce39e49
                  • Opcode Fuzzy Hash: aef8aa56a8a4e0d0e2b12a40a641070ecb83b7aa3bb270accb1619c83922c540
                  • Instruction Fuzzy Hash: 3FD11A71C00628AFDF21AF60CC94BEEBBB9BF19356F0045E9E509A2151DB356E84EF10
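The function entries above are raw API listings, and two of them are easy to over-read during triage: the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess sequence with C0000409 (STATUS_STACK_BUFFER_OVERRUN) on the stack is the MSVC CRT /GS cookie-failure handler rather than an anti-debugging check, and the GetKeyState / GetAsyncKeyState calls with arguments 00000010, 00000011 and 00000012 only poll VK_SHIFT, VK_CONTROL and VK_MENU, which is what MFC accelerator and click handling does, not keystroke logging. The following Python is an added example for this report, not Joe Sandbox code and not part of the analysed sample: it parses "Name.MODULE(args), ref: addr" lines in the shape printed here, applies those two checks, and names the dwDesiredAccess and dwCreationDisposition arguments of the CreateFileA call in the entry just above. The category labels (crt_gs_failure_handler, modifier_key_check, keystroke_polling, unclassified) are this example's own names; the VK codes, the NTSTATUS value and the CreateFile constants are documented Windows values; the sample input is constructed by copying lines from the entries above.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example)."""
import re
from dataclasses import dataclass

# The report omits the argument list and the comma on some lines, so both are optional.
_API_RE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-F]+: )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple     # hex strings exactly as printed; "?" means unresolved
    ref: str
    subcall: bool   # True for "Part of subcall function ..." lines


def parse_apis(block: str) -> list:
    """Parse one function entry's APIs section; non-call lines (headers) are skipped."""
    calls = []
    for raw in block.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = _API_RE.match(line)
        if not m:
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] is not None))
    return calls


# VK_SHIFT, VK_CONTROL, VK_MENU as the report prints them (8 hex digits).
_MODIFIER_VKS = {"00000010", "00000011", "00000012"}
# STATUS_STACK_BUFFER_OVERRUN, the exit code the /GS failure handler passes to TerminateProcess.
_STACK_BUFFER_OVERRUN = "C0000409"
_GS_FAILURE_APIS = {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
                    "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"}


def classify(calls) -> str:
    """Label one function entry; labels are this example's own, not Joe Sandbox signatures."""
    names = {c.name for c in calls if not c.subcall}
    all_args = {a for c in calls for a in c.args}
    if _GS_FAILURE_APIS <= names and _STACK_BUFFER_OVERRUN in all_args:
        # Stock __raise_securityfailure sequence from the MSVC CRT: IsDebuggerPresent
        # is part of that routine, not a standalone anti-debugging check.
        return "crt_gs_failure_handler"
    key_calls = [c for c in calls if c.name in ("GetKeyState", "GetAsyncKeyState")]
    if key_calls:
        if all(set(c.args) <= _MODIFIER_VKS for c in key_calls):
            return "modifier_key_check"   # Shift/Ctrl/Alt only: accelerator handling
        return "keystroke_polling"        # non-modifier or unresolved key codes
    return "unclassified"


_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_createfile(call: ApiCall) -> dict:
    """Name dwDesiredAccess (2nd arg) and dwCreationDisposition (5th arg) of CreateFileA/W."""
    if call.name not in ("CreateFileA", "CreateFileW") or len(call.args) < 5:
        return {}
    access = None if call.args[1] == "?" else int(call.args[1], 16)
    disp = None if call.args[4] == "?" else int(call.args[4], 16)
    names = [n for bit, n in _ACCESS.items() if access is not None and access & bit]
    return {"access": names, "disposition": _DISPOSITION.get(disp, "?")}


# Constructed samples, copied in the report's shape from the entries above.
SAMPLE_GS = """
• IsDebuggerPresent.KERNEL32 ref: 0107B8CF
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0107B8E4
• UnhandledExceptionFilter.KERNEL32(010BCAA0), ref: 0107B8EF
• GetCurrentProcess.KERNEL32(C0000409), ref: 0107B90B
• TerminateProcess.KERNEL32(00000000), ref: 0107B912
"""
SAMPLE_KEYS = """
• Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
• GetKeyState.USER32(00000010), ref: 00F8E1A7
• GetKeyState.USER32(00000011), ref: 00F8E1B0
• GetKeyState.USER32(00000012), ref: 00F8E1B9
• SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00F8E1CF
"""
SAMPLE_FILE = """
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00000584,00FE4735), ref: 00FE4224
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?), ref: 00FE42E6
"""

if __name__ == "__main__":
    for label, block in (("gs", SAMPLE_GS), ("keys", SAMPLE_KEYS), ("file", SAMPLE_FILE)):
        calls = parse_apis(block)
        opens = [decode_createfile(c) for c in calls if c.name.startswith("CreateFile")]
        print(label, classify(calls), opens)
```

The classifier is deliberately conservative in the other direction too: a GetAsyncKeyState call whose argument is a non-modifier key or an unresolved "?" is reported as keystroke_polling, so a real key-capture loop in a different entry still surfaces.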
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00F8A947
                  • _memset.LIBCMT ref: 00F8A985
                  • GetMenuItemInfoA.USER32 ref: 00F8A9B6
                  • GetMenuItemInfoA.USER32(?,?,00000000,00000030), ref: 00F8A9EC
                    • Part of subcall function 00F84CF8: _strnlen.LIBCMT ref: 00F84D13
                  • CopyRect.USER32(?,?), ref: 00F8AA19
                  • GetObjectA.GDI32(?,00000018,?), ref: 00F8AA46
                  • GetSystemMetrics.USER32(00000032), ref: 00F8AA59
                  • GetSystemMetrics.USER32(00000031), ref: 00F8AA63
                  • GetSysColor.USER32(00000004), ref: 00F8AAA4
                  • CreateCompatibleDC.GDI32(00000000), ref: 00F8AAB9
                  • CopyRect.USER32(?,?), ref: 00F8AB08
                  • GetSysColor.USER32(0000000D), ref: 00F8AB19
                  • GetSysColor.USER32(00000010), ref: 00F8AB49
                  • GetSysColor.USER32(00000014), ref: 00F8AB4E
                  • GetSysColor.USER32(0000000D), ref: 00F8AB78
                  • GetSysColor.USER32(0000000E), ref: 00F8AB93
                    • Part of subcall function 00F9A128: SetBkColor.GDI32(?,?), ref: 00F9A14C
                    • Part of subcall function 00F9A128: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00F9A15F
                  • GetSysColor.USER32(00000014), ref: 00F8ABCF
                    • Part of subcall function 00F88073: SetBkMode.GDI32(?,?), ref: 00F88090
                    • Part of subcall function 00F88073: SetBkMode.GDI32(?,?), ref: 00F8809D
                  • ExtTextOutA.GDI32(?,?,00000002,00000002,00000000,?,?,00000000), ref: 00F8AC25
                  • GetSysColor.USER32(00000011), ref: 00F8AC32
                  • GetSysColor.USER32(00000014), ref: 00F8AC86
                  • GetSysColor.USER32(00000010), ref: 00F8AC8B
                  • GetSysColor.USER32(00000007), ref: 00F8ACBB
                  • ExtTextOutA.GDI32(?,?,?,00000002,00000000,?,?,00000000), ref: 00F8ACF7
                  • CreateCompatibleDC.GDI32(00000000), ref: 00F8AD5B
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00F8AD89
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Color$RectText$CompatibleCopyCreateInfoItemMenuMetricsModeSystem$H_prolog3_InflateObject_memset_strnlen
                  • String ID: 0$@
                  • API String ID: 3352428527-1545510068
                  • Opcode ID: 94db501386e55fbae09418514026a122db1787fd33bfe03f325a05eb7361175b
                  • Instruction ID: fac76fa2894b1da3210278d9c96c279f378ff60d0776f67482c658740becde3f
                  • Opcode Fuzzy Hash: 94db501386e55fbae09418514026a122db1787fd33bfe03f325a05eb7361175b
                  • Instruction Fuzzy Hash: B0F10171E00209AFDB14EFE8C889EEEBBB9FF48300F144119E515AB295DB38A941DF51
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FE4BEE
                  • CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 00FE4C31
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FE4C6B
                  • DeleteObject.GDI32(?), ref: 00FE4CE8
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE4D22
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FE4D3E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$CompatibleCopyCreateDeleteH_prolog3_Image
                  • String ID:
                  • API String ID: 641560573-0
                  • Opcode ID: a8cc465e14b6b3c8899ead2a31f426acb94067222af4c7b14ac38f2b04e8e784
                  • Instruction ID: 0e6fe15b9a39fae4b02d422a3f800d0dbeb7cddb51b19b8f6bad3ecc29f058ce
                  • Opcode Fuzzy Hash: a8cc465e14b6b3c8899ead2a31f426acb94067222af4c7b14ac38f2b04e8e784
                  • Instruction Fuzzy Hash: 86C1D1718002689FCB31AF61CC84BEDBBB5BF48314F1041EDE599A2261DB356EA4EF50
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FB04FF
                  • lstrlenA.KERNEL32(ReBarWindow32,00000000,00000188), ref: 00FB0531
                  • GetClassNameA.USER32(?,00000000,00000001), ref: 00FB054A
                    • Part of subcall function 00F84CF8: _strnlen.LIBCMT ref: 00F84D13
                  • SendMessageA.USER32 ref: 00FB068B
                  • SendMessageA.USER32(?,00000409,?,?), ref: 00FB06A3
                  • lstrlenA.KERNEL32(ToolbarWindow32), ref: 00FB06AA
                  • GetClassNameA.USER32(?,00000000,?), ref: 00FB06D0
                  • SendMessageA.USER32(?,00000418,00000000,00000000), ref: 00FB0764
                  • SendMessageA.USER32(?,0000041D,00000000,?), ref: 00FB078A
                  • IntersectRect.USER32(?,?,?), ref: 00FB0798
                  • _memset.LIBCMT ref: 00FB07B6
                  • CreatePopupMenu.USER32 ref: 00FB0804
                  • CreateCompatibleDC.GDI32(?), ref: 00FB081C
                  • CopyRect.USER32(?,?), ref: 00FB0917
                  • OffsetRect.USER32(?,?,?), ref: 00FB092D
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00FB0964
                  • GetSysColor.USER32(00000004), ref: 00FB09B9
                    • Part of subcall function 00F81EA0: FindResourceW.KERNEL32(?,?,00000006), ref: 00F81EBB
                  • InsertMenuItemA.USER32(?,?,00000001,?), ref: 00FB0AA3
                  • CopyRect.USER32(?,?), ref: 00FB0ACB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageRectSend$Create$ClassCompatibleCopyMenuNamelstrlen$BitmapColorFindH_prolog3_InsertIntersectItemOffsetPopupResource_memset_strnlen
                  • String ID: ReBarWindow32$ToolbarWindow32
                  • API String ID: 2916602031-2283011909
                  • Opcode ID: 0d5d7fff7ca81d39521432bd35d0921fde778b40137aaa2b2685da5189d7fe6e
                  • Instruction ID: f9046fddafb1cda76bd51491e25838becb842aac4cd44e3f43799a1df7c3496d
                  • Opcode Fuzzy Hash: 0d5d7fff7ca81d39521432bd35d0921fde778b40137aaa2b2685da5189d7fe6e
                  • Instruction Fuzzy Hash: CC1226719001299FDF25EBA4CC95BEEB7B9BF08300F0045E9E54AA7251DB345E85EF60
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FE51EB
                  • LoadImageA.USER32(?,?,00000000,00000000,00000000,00002000), ref: 00FE52C6
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FE52F7
                  • DeleteObject.GDI32(?), ref: 00FE5304
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE5360
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FE5378
                  • SelectObject.GDI32(?,?), ref: 00FE539E
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00FE53BC
                  • SelectObject.GDI32(?,?), ref: 00FE53CF
                  • CreateCompatibleDC.GDI32(?), ref: 00FE53E5
                  • SelectObject.GDI32(?,?), ref: 00FE53FA
                  • SelectObject.GDI32(?,?), ref: 00FE5409
                  • DeleteObject.GDI32(?), ref: 00FE540E
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00FE542E
                  • GetPixel.GDI32(?,?,?), ref: 00FE544D
                  • SetPixel.GDI32(?,?,?,00000000), ref: 00FE5483
                  • SelectObject.GDI32(?,?), ref: 00FE54A5
                  • SelectObject.GDI32(?,?), ref: 00FE54AD
                  • DeleteObject.GDI32(?), ref: 00FE54B2
                  • DeleteObject.GDI32(?), ref: 00FE5534
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$Select$Delete$CompatibleCreate$Pixel$BitmapH_prolog3ImageLoad
                  • String ID:
                  • API String ID: 2657855633-3916222277
                  • Opcode ID: c80d73323f5d7ce9d15ef084f56536febdbbe1e34899cb1522b229d10b9dc14d
                  • Instruction ID: 66fb32c69c2413292b99a19b3c904952a0e27133ca9b3be45fdb329bbf70d3d7
                  • Opcode Fuzzy Hash: c80d73323f5d7ce9d15ef084f56536febdbbe1e34899cb1522b229d10b9dc14d
                  • Instruction Fuzzy Hash: 9CB18A71D0064AEFCF10EFA1CC909EDBB76FF04358F108029F956A6161DB399A95EB90
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FEA53A
                  • CreatePopupMenu.USER32 ref: 00FEA57C
                  • AppendMenuA.USER32(?,00000000,0000009A,?), ref: 00FEA5D9
                  • AppendMenuA.USER32(?,00000000,00000099,?), ref: 00FEA60B
                  • AppendMenuA.USER32(?,00000000,00000096,?), ref: 00FEA63D
                  • AppendMenuA.USER32(?,00000000,00000098,?), ref: 00FEA673
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$Append$CreateH_prolog3Popup
                  • String ID:
                  • API String ID: 4042005471-0
                  • Opcode ID: bc3ccdd6d2b0282761e81744577a44a5a2fefd11560df287c98877fc9343d69d
                  • Instruction ID: b9b61d1487f0f4674e40aaca32af5954a489e43188ef24e46592e7f7be42769e
                  • Opcode Fuzzy Hash: bc3ccdd6d2b0282761e81744577a44a5a2fefd11560df287c98877fc9343d69d
                  • Instruction Fuzzy Hash: 78F19F30B002129FDF249F65CC99BBE7AA9AF45720F050279B516EB2E1DB34EC01EB51
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FE1188
                  • GetObjectA.GDI32(?,00000054,?), ref: 00FE1215
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE13A6
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FE13C7
                  • SelectObject.GDI32(?,?), ref: 00FE13EC
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00FE1419
                  • SelectObject.GDI32(?,?), ref: 00FE142F
                  • CreateCompatibleDC.GDI32(?), ref: 00FE144B
                  • SelectObject.GDI32(?,?), ref: 00FE1466
                  • SelectObject.GDI32(?,?), ref: 00FE147B
                  • DeleteObject.GDI32(?), ref: 00FE1480
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00FE14A6
                  • GetPixel.GDI32(?,?,?), ref: 00FE14E6
                  • SetPixel.GDI32(?,?,?,00000000), ref: 00FE1613
                  • SelectObject.GDI32(?,?), ref: 00FE1643
                  • SelectObject.GDI32(?,?), ref: 00FE164E
                  • DeleteObject.GDI32(?), ref: 00FE1656
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3_
                  • String ID:
                  • API String ID: 1136552931-3916222277
                  • Opcode ID: 5f86397e311634beae913aa7fc0a83c2a7dd6c8c249b30a0b8cb20e23200089f
                  • Instruction ID: fb50b9fb59dc98d8f067718752585d6b04fbfb08a541c2b999ac5fd5ddf6209b
                  • Opcode Fuzzy Hash: 5f86397e311634beae913aa7fc0a83c2a7dd6c8c249b30a0b8cb20e23200089f
                  • Instruction Fuzzy Hash: 63E1B372D00259EADF26AF91CD44BDDBB74FB44340F208998E5DAB21A5EB310E949F90
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FFC856
                  • GetParent.USER32(?), ref: 00FFC909
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00FFC92D
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00FFC985
                  • BringWindowToTop.USER32(?), ref: 00FFC9A9
                  • GetParent.USER32(?), ref: 00FFCA2B
                  • GetParent.USER32(?), ref: 00FFCAA1
                  • RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00FFCABD
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00FFCAF2
                  • UpdateWindow.USER32(?), ref: 00FFCAFB
                  • GetSystemMenu.USER32(?,00000000), ref: 00FFCB5B
                  • _memset.LIBCMT ref: 00FFCB79
                  • GetMenuItemInfoA.USER32 ref: 00FFCB9A
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00FFCBE4
                  • GetWindowRect.USER32(?,?), ref: 00FFCC05
                  • GetParent.USER32(?), ref: 00FFCC12
                  • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00FFCC3B
                    • Part of subcall function 00FFB501: GetParent.USER32(?), ref: 00FFB54A
                    • Part of subcall function 00FFB501: SendMessageA.USER32(?,00000222,?,00000000), ref: 00FFB561
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ParentWindow$MessageSend$MenuRectRedraw$BringH_prolog3_InfoInvalidateItemSystemUpdate_memset
                  • String ID: 0
                  • API String ID: 264336371-4108050209
                  • Opcode ID: 47a04255eb1ccb6f6be43f0ada52f914cc3ce631ba4ae395aaf7fc73540fbef2
                  • Instruction ID: 8ad1e39a0b32e8d428c04b8011553f1fb4287694930a39582643f460f0981a01
                  • Opcode Fuzzy Hash: 47a04255eb1ccb6f6be43f0ada52f914cc3ce631ba4ae395aaf7fc73540fbef2
                  • Instruction Fuzzy Hash: 44D1A230A006189FDB319F64C998EBEBBF5FF88710F14062DF296972A1DB765840EB50
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FE2C43
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FE2C85
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE2CC1
                  • SelectObject.GDI32(?,?), ref: 00FE2CE4
                  • _memset.LIBCMT ref: 00FE2D14
                  • GetObjectA.GDI32(?,00000054,?), ref: 00FE2D35
                  • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00FE2D97
                  • CreateCompatibleDC.GDI32(?), ref: 00FE2DDC
                  • SelectObject.GDI32(?,?), ref: 00FE2DFA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$Create$CompatibleSelect$H_prolog3_Section_memset
                  • String ID: (
                  • API String ID: 1904682052-3887548279
                  • Opcode ID: a94c8491194e904f25915a70acb8cf38695de7a8c6315be1f9837e3fc542a61c
                  • Instruction ID: 356837df0b825d13edc0993ca7ec466b1ae2981278c86a41a076edf937b1f79a
                  • Opcode Fuzzy Hash: a94c8491194e904f25915a70acb8cf38695de7a8c6315be1f9837e3fc542a61c
                  • Instruction Fuzzy Hash: 7AB14A70900358EFDB61DF65CC84F9ABBB5FF49700F1080A9E98DA6255EB319A84DF21
                  APIs
                    • Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
                  • GetParent.USER32(?), ref: 00F8D1BF
                  • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00F8D1E0
                  • GetWindowRect.USER32(?,?), ref: 00F8D1FF
                  • GetWindowLongA.USER32(00000000,000000F0), ref: 00F8D231
                  • MonitorFromWindow.USER32(00000000,00000001), ref: 00F8D265
                  • GetMonitorInfoA.USER32(00000000), ref: 00F8D26C
                  • CopyRect.USER32(?,?), ref: 00F8D280
                  • CopyRect.USER32(?,?), ref: 00F8D28A
                  • GetWindowRect.USER32(00000000,?), ref: 00F8D293
                  • MonitorFromWindow.USER32(00000000,00000002), ref: 00F8D2A0
                  • GetMonitorInfoA.USER32(00000000), ref: 00F8D2A7
                  • CopyRect.USER32(?,?), ref: 00F8D2B5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
                  • String ID: (
                  • API String ID: 783970248-3887548279
                  • Opcode ID: 05c19106731efed044db44fe8df86305355ad32a10fcc34236f0e239bd32e260
                  • Instruction ID: 724e3f601374d477938b1cf2b4c2e2e6f5817102bc8c0d42ec00b19bf10b5688
                  • Opcode Fuzzy Hash: 05c19106731efed044db44fe8df86305355ad32a10fcc34236f0e239bd32e260
                  • Instruction Fuzzy Hash: 45613D71D00219ABDB10DFA8CD889EEBBB9FF08714F14411AF915F7285C775A901DBA0
                  APIs
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00FCEA0B
                  • SendMessageA.USER32(?,0000100C,00000000,00000002), ref: 00FCEA3E
                  • ClientToScreen.USER32(?,?), ref: 00FCEA78
                  • ScreenToClient.USER32(?,?), ref: 00FCEA90
                  • SendMessageA.USER32(?,00001012,00000000,?), ref: 00FCEAAA
                  • _memset.LIBCMT ref: 00FCEAE6
                  • SendMessageA.USER32(?,00001005,00000000,00000004), ref: 00FCEB18
                  • SendMessageA.USER32(?,0000100C,000000FF,00000002), ref: 00FCEB4A
                  • SendMessageA.USER32(?,00001005,00000000,00000004), ref: 00FCEB67
                  • CreatePopupMenu.USER32 ref: 00FCEBF6
                  • TrackPopupMenu.USER32(?,00000102,?,?,00000000,?,00000000), ref: 00FCEC3B
                  • GetMenuDefaultItem.USER32(?,00000000,00000000), ref: 00FCEC57
                  • GetParent.USER32(?), ref: 00FCECA7
                  • GetParent.USER32(?), ref: 00FCECE4
                  • GetParent.USER32(?), ref: 00FCECF7
                  • SendMessageA.USER32(?,?,00000000,00000000), ref: 00FCED10
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$MenuParent$ClientPopupScreen$CreateDefaultException@8ItemThrowTrack_memset
                  • String ID: $
                  • API String ID: 3245692163-3993045852
                  • Opcode ID: ccea6b6b302a50306ee5f144cd325134486686894c02553304ae623786466c50
                  • Instruction ID: 23ea0c4eae0502b37ef87818a58d19c14801d557e626448294eb67748a6eca88
                  • Opcode Fuzzy Hash: ccea6b6b302a50306ee5f144cd325134486686894c02553304ae623786466c50
                  • Instruction Fuzzy Hash: 39C1D2B1A0020AEFDB20DFA4D985EAEBBB9FF48314F14852DE546AB250D735AD41DF10
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FE0847
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE087C
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FE089D
                  • SelectObject.GDI32(?,?), ref: 00FE08EF
                  • CreateCompatibleDC.GDI32(?), ref: 00FE091C
                  • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00FE0984
                  • SelectObject.GDI32(?,?), ref: 00FE09A0
                  • SelectObject.GDI32(?,00000000), ref: 00FE09BD
                  • SelectObject.GDI32(?,?), ref: 00FE09D5
                  • DeleteObject.GDI32(?), ref: 00FE09DD
                  • BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,00CC0020), ref: 00FE0A06
                  • GetObjectA.GDI32(?,00000054,?), ref: 00FE0A3C
                  • SelectObject.GDI32(?,?), ref: 00FE0C31
                  • SelectObject.GDI32(?,?), ref: 00FE0C3F
                  • DeleteObject.GDI32(?), ref: 00FE0C47
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$Select$Create$CompatibleDelete$H_prolog3_Section
                  • String ID: $(
                  • API String ID: 339215182-55695022
                  • Opcode ID: 4d8521f813b103e9a1e9ea792508b862fea159a9ccbf8e967eabd7c5b400ec9f
                  • Instruction ID: 53d164687c12d4ba8d9564c3bd301b72980827dc91f51239e6298ff0ea4ef20a
                  • Opcode Fuzzy Hash: 4d8521f813b103e9a1e9ea792508b862fea159a9ccbf8e967eabd7c5b400ec9f
                  • Instruction Fuzzy Hash: 6AC13570D00268DBDB24DF65CD45BEDBBB5BF49300F0080EAE58DA6292DA744A84DF61
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FE0567
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE05CE
                  • GetObjectA.GDI32(?,00000018,000000FF), ref: 00FE05EC
                  • SelectObject.GDI32(?,?), ref: 00FE062A
                  • CreateCompatibleDC.GDI32(?), ref: 00FE0648
                  • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00FE069E
                  • SelectObject.GDI32(?,?), ref: 00FE06B3
                  • SelectObject.GDI32(?,00000000), ref: 00FE06C9
                  • SelectObject.GDI32(?,?), ref: 00FE06D8
                  • DeleteObject.GDI32(?), ref: 00FE06DF
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00FE0731
                  • GetPixel.GDI32(?,?,00000000), ref: 00FE07F9
                  • SetPixel.GDI32(?,?,00000000,?), ref: 00FE080E
                  • SelectObject.GDI32(?,?), ref: 00FE082B
                  • SelectObject.GDI32(?,?), ref: 00FE0833
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$Select$Create$CompatiblePixel$DeleteH_prolog3_Section
                  • String ID: (
                  • API String ID: 1942225872-3887548279
                  • Opcode ID: f491ca7e94ab0b989f58adc795b98ad2dd84cd6c4041e1540c903f8fa2ba63d8
                  • Instruction ID: f69c5c3cc4936c605a7282b0c48a1dc46b222061cb0853c22e11ef0c6d107976
                  • Opcode Fuzzy Hash: f491ca7e94ab0b989f58adc795b98ad2dd84cd6c4041e1540c903f8fa2ba63d8
                  • Instruction Fuzzy Hash: FDA12271C00259EFDF20EFA5C884AEDBBB5FF48310F20412AE556A3261DB756986EF10
                  APIs
                  • GetDlgItem.USER32(?,00003020), ref: 0105B0F3
                  • GetDlgItem.USER32(?,00003020), ref: 0105B126
                  • GetWindowRect.USER32(00000000,?), ref: 0105B140
                  • MapDialogRect.USER32(?,?), ref: 0105B164
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000020,00000016), ref: 0105B191
                  • GetDlgItem.USER32(?,?), ref: 0105B1A6
                  • GetWindowRect.USER32(00000000,?), ref: 0105B1B8
                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015), ref: 0105B1D7
                  • GetWindowRect.USER32(?,?), ref: 0105B1EE
                  • GetWindowRect.USER32(?,?), ref: 0105B243
                  • GetDlgItem.USER32(?,00000001), ref: 0105B256
                  • GetWindowRect.USER32(00000000,?), ref: 0105B265
                  • GetDlgItem.USER32(?,?), ref: 0105B290
                  • ShowWindow.USER32(00000000,00000000), ref: 0105B29E
                  • EnableWindow.USER32(00000000,00000000), ref: 0105B2A6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Rect$Item$DialogEnableShow
                  • String ID:
                  • API String ID: 763981185-3916222277
                  • Opcode ID: 95e046ebc514747602c2b91ee288a2d69bd390346e411e8c91df6ad3804d9a7b
                  • Instruction ID: db1a016f0f7ec09370b97c32ef1b9ebf6580ac4d0a9fd97a2ecfcb876649ea80
                  • Opcode Fuzzy Hash: 95e046ebc514747602c2b91ee288a2d69bd390346e411e8c91df6ad3804d9a7b
                  • Instruction Fuzzy Hash: A761F071900209AFDB61DFA9CD88DEFFBF9FF88700F10051AE592A2255DB75A940CB64
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$ClientCreateDesktopFolderH_prolog3_MenuParentPopupScreen_memset
                  • String ID: $
                  • API String ID: 937397865-3993045852
                  • Opcode ID: 03016b180ab987cb55ca0cfbd6c6247591eb185a705a9f8e211dd1b672d4eb4f
                  • Instruction ID: 8e042cbbd24bf8376296fd0c13ff4b85ac333b72612935302706617c4427ce4c
                  • Opcode Fuzzy Hash: 03016b180ab987cb55ca0cfbd6c6247591eb185a705a9f8e211dd1b672d4eb4f
                  • Instruction Fuzzy Hash: F6914AB0E01218AFCB11DFA4C8899EDBBBAFF18720B14415AF545E7264C77A9D41DFA0
                  APIs
                    • Part of subcall function 00F8C62F: ActivateActCtx.KERNEL32(?,?,010C9830,00000010,00F8F176,hhctrl.ocx,00F8E3A8,0000000C), ref: 00F8C64F
                  • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00FBCF2C
                  • GetProcAddress.KERNEL32(?,CloseThemeData), ref: 00FBCF39
                  • GetProcAddress.KERNEL32(?,DrawThemeBackground), ref: 00FBCF46
                  • GetProcAddress.KERNEL32(?,GetThemeColor), ref: 00FBCF53
                  • GetProcAddress.KERNEL32(?,GetThemeSysColor), ref: 00FBCF60
                  • GetProcAddress.KERNEL32(?,GetCurrentThemeName), ref: 00FBCF6D
                  • GetProcAddress.KERNEL32(?,GetWindowTheme), ref: 00FBCF7A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Activate
                  • String ID: CloseThemeData$DrawThemeBackground$GetCurrentThemeName$GetThemeColor$GetThemeSysColor$GetWindowTheme$OpenThemeData$UxTheme.dll
                  • API String ID: 2388279185-1975976892
                  • Opcode ID: 85101cac3a744e561e00d5609bf44b3817d6ee936493a12d33cf32396571a18a
                  • Instruction ID: 5123aff13c01b84067bcd072fcef02dfcf9306145ab7be6ba393cf1b4ed71276
                  • Opcode Fuzzy Hash: 85101cac3a744e561e00d5609bf44b3817d6ee936493a12d33cf32396571a18a
                  • Instruction Fuzzy Hash: B73131B0950B949ECB30AF6B9944847FBF9BEA4A103118D1FE5C686A20D7B6A040DF40
                  APIs
                  • InflateRect.USER32(?,00000004,00000004), ref: 00FC4FDA
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FC4FEC
                  • UpdateWindow.USER32(?), ref: 00FC4FF5
                  • GetMessageA.USER32(?,00000000,0000000F,0000000F), ref: 00FC5034
                  • DispatchMessageA.USER32(?), ref: 00FC5042
                  • PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00FC5050
                  • GetCapture.USER32 ref: 00FC505C
                  • SetCapture.USER32(?), ref: 00FC5068
                  • GetCapture.USER32 ref: 00FC5074
                  • GetWindowRect.USER32(?,?), ref: 00FC509E
                  • SetCursorPos.USER32(?,?), ref: 00FC50C1
                  • GetCapture.USER32 ref: 00FC50C7
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00FC50DF
                  • DispatchMessageA.USER32(?), ref: 00FC5105
                  • ReleaseCapture.USER32 ref: 00FC5143
                  • IsWindow.USER32(?), ref: 00FC514C
                  • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00FC5165
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendUpdate
                  • String ID:
                  • API String ID: 4077352625-0
                  • Opcode ID: ef41809e95d3cfa95a60f377d71c71a534bc5750acfa9e780b659a0c00e7cfee
                  • Instruction ID: 798997be380d1b6ad5ebcd4929ebb2a510af54d49d585fa188e856e7e8ccd4f4
                  • Opcode Fuzzy Hash: ef41809e95d3cfa95a60f377d71c71a534bc5750acfa9e780b659a0c00e7cfee
                  • Instruction Fuzzy Hash: B091607290050AAFDF20EFA4DD99EAEBBB8FF48710B15042DF541A7140DB35AD80DB50
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountH_prolog3_ItemMenuMessageParentSend_memset
                  • String ID: 0$7$@
                  • API String ID: 2290845328-3997377745
                  • Opcode ID: 12c8b5f7412216d466b980fbe62eb07c6a0f2e44fb44e9b0edfd6de0762d5d67
                  • Instruction ID: 25af5761f71f659bf43a209fc6936b1e2b5fd5578601e6179f8deba77e61c9a3
                  • Opcode Fuzzy Hash: 12c8b5f7412216d466b980fbe62eb07c6a0f2e44fb44e9b0edfd6de0762d5d67
                  • Instruction Fuzzy Hash: 06128BB09002199FDF20EF64CC85AEEB7B5BF4A310F1042ADE559A7251DB359E80EF90
                  APIs
                    • Part of subcall function 00F82C42: ActivateActCtx.KERNEL32(?,?,010C8EC8,00000010,00F82E57,KERNEL32.DLL), ref: 00F82C62
                  • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00F82E66
                  • _memset.LIBCMT ref: 00F82E92
                  • _wcstoul.LIBCMT ref: 00F82EDA
                    • Part of subcall function 01076AF2: wcstoxl.LIBCMT ref: 01076B02
                  • _wcslen.LIBCMT ref: 00F82EFB
                    • Part of subcall function 010768CC: __getptd_noexit.LIBCMT ref: 010768CC
                  • GetUserDefaultUILanguage.KERNEL32 ref: 00F82F0B
                  • ConvertDefaultLocale.KERNEL32(?), ref: 00F82F32
                  • ConvertDefaultLocale.KERNEL32(?), ref: 00F82F41
                  • GetSystemDefaultUILanguage.KERNEL32 ref: 00F82F4A
                  • ConvertDefaultLocale.KERNEL32(?), ref: 00F82F66
                  • ConvertDefaultLocale.KERNEL32(?), ref: 00F82F75
                  • GetModuleFileNameA.KERNEL32(00F80000,?,00000105), ref: 00F82FA6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Default$ConvertLocale$Language$ActivateAddressFileModuleNameProcSystemUser__getptd_noexit_memset_wcslen_wcstoulwcstoxl
                  • String ID: GetThreadPreferredUILanguages$KERNEL32.DLL$e
                  • API String ID: 2246399177-2285706205
                  • Opcode ID: 117c92a616fe4ff3566cebee1af3897783914620b988502df01ab6f8c26b5ecc
                  • Instruction ID: 2ef5e2747bfc8039c2df029e7216e0b7535a1d7cff06c5c24e36c8e401e58ec9
                  • Opcode Fuzzy Hash: 117c92a616fe4ff3566cebee1af3897783914620b988502df01ab6f8c26b5ecc
                  • Instruction Fuzzy Hash: A941A271A00229ABDB60AF64DC48BED77B4EB44714F1104A9D909E7180DB79AE81DF50
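                  The API listings above are the per-function reference blocks that the Joe Sandbox IDA plugin emits: each bullet is one call site (function name, exporting module, the argument values it could recover with "?" for unresolved ones, and the address of the call), and a line prefixed "Part of subcall function" belongs to a callee rather than to the function being described. As an added example that is not part of this report or of Joe Sandbox, the Python below parses blocks in that format and applies two triage checks an analyst would want to run over the whole listing rather than eyeball: which export names a function resolves at run time through GetProcAddress (the UxTheme and GetThreadPreferredUILanguages blocks above), and whether a function itself calls the CreateCompatibleDC/BitBlt pair that copies a device context into a bitmap, the sequence one would review by hand when deciding whether a routine captures the screen. The sample input is three blocks copied from this page; the regular expression, the ApiCall data class and the API pair used as a trigger are this example's own assumptions, not a format specification published by Joe Sandbox.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: API reference lines copied verbatim from three of the
# per-function blocks on this page.  "APIs" starts a new function block and
# "Part of subcall function" marks a call made by a callee, not by the
# function itself.
SAMPLE = """\
APIs
• __EH_prolog3_GS.LIBCMT ref: 00FE0847
• CreateCompatibleDC.GDI32(00000000), ref: 00FE087C
• GetObjectA.GDI32(?,00000018,?), ref: 00FE089D
• SelectObject.GDI32(?,?), ref: 00FE08EF
• CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00FE0984
• BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,00CC0020), ref: 00FE0A06
• DeleteObject.GDI32(?), ref: 00FE0C47
APIs
  • Part of subcall function 00F8C62F: ActivateActCtx.KERNEL32(?,?,010C9830,00000010,00F8F176,hhctrl.ocx,00F8E3A8,0000000C), ref: 00F8C64F
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00FBCF2C
• GetProcAddress.KERNEL32(?,CloseThemeData), ref: 00FBCF39
• GetProcAddress.KERNEL32(?,DrawThemeBackground), ref: 00FBCF46
APIs
• GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00F82E66
• GetModuleFileNameA.KERNEL32(00F80000,?,00000105), ref: 00F82FA6
"""

# Assumed line shape (this example's own grammar, not a Joe Sandbox spec):
#   [Part of subcall function <addr>:] <name>.<MODULE>[(<args>)], ref: <addr>
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                                    # address of the call site
    args: list = field(default_factory=list)    # raw tokens; "?" = unresolved
    parent: Optional[str] = None                # set when a callee made the call


def parse_api_blocks(text):
    """Split the listing into function blocks: one list of ApiCall per 'APIs' header."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue                # "Strings", "Memory Dump Source", etc.
        args = m.group("args")
        current.append(ApiCall(
            name=m.group("name"), module=m.group("module"), ref=m.group("ref"),
            args=[a.strip() for a in args.split(",")] if args else [],
            parent=m.group("parent")))
    return blocks


def dynamic_imports(calls):
    """Export names the function itself resolves at run time via GetProcAddress."""
    return [c.args[1] for c in calls
            if c.parent is None and c.name == "GetProcAddress"
            and len(c.args) >= 2 and c.args[1] != "?"]


# Pair that copies one device context into a bitmap; a trigger for manual review.
BITMAP_COPY = {"CreateCompatibleDC", "BitBlt"}


def copies_bitmaps(calls):
    """True when the function (not a callee) calls every API in BITMAP_COPY."""
    return BITMAP_COPY <= {c.name for c in calls if c.parent is None}


def triage(text):
    """Per-function summary: identifying ref, modules used, and the two checks."""
    report = []
    for calls in parse_api_blocks(text):
        direct = [c for c in calls if c.parent is None]
        report.append({
            "ref": direct[0].ref if direct else None,
            "modules": dict(Counter(c.module for c in direct)),
            "dynamic_imports": dynamic_imports(calls),
            "bitmap_copy": copies_bitmaps(calls),
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

                  Two caveats apply when running this over a full report. The "?" tokens are arguments the plugin could not recover statically, so a GetProcAddress whose name argument is "?" is counted as dynamic resolution only if you relax the filter in dynamic_imports; and the bitmap check deliberately ignores "Part of subcall function" lines, because those calls are attributed to the callee's own block elsewhere in the listing and would otherwise be counted twice.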
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00F9A33F
                  • CreateRectRgnIndirect.GDI32(?), ref: 00F9A37C
                  • CopyRect.USER32(?,?), ref: 00F9A392
                  • InflateRect.USER32(?,?,?), ref: 00F9A3A8
                  • IntersectRect.USER32(?,?,?), ref: 00F9A3B6
                  • CreateRectRgnIndirect.GDI32(?), ref: 00F9A3C0
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00F9A3D5
                    • Part of subcall function 00F9A16B: CombineRgn.GDI32(?,?,?,?), ref: 00F9A190
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00F9A43D
                  • SetRectRgn.GDI32(?,0000000A,?,?,?), ref: 00F9A45A
                  • CopyRect.USER32(?,0000000A), ref: 00F9A465
                  • InflateRect.USER32(?,?,?), ref: 00F9A47B
                  • IntersectRect.USER32(?,?,0000000A), ref: 00F9A487
                  • SetRectRgn.GDI32(?,?,?,?,0000000A), ref: 00F9A49C
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00F9A4C8
                    • Part of subcall function 00F9A19A: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00F9A1E3
                    • Part of subcall function 00F9A19A: CreatePatternBrush.GDI32(00000000), ref: 00F9A1F0
                    • Part of subcall function 00F9A19A: DeleteObject.GDI32(00000000), ref: 00F9A1FC
                    • Part of subcall function 00F88D99: SelectObject.GDI32(?,00000000), ref: 00F88DBF
                    • Part of subcall function 00F88D99: SelectObject.GDI32(?,?), ref: 00F88DD5
                  • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00F9A539
                  • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00F9A58E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
                  • String ID:
                  • API String ID: 3107162742-0
                  • Opcode ID: a30a1fee9cbfce6a8dcf293e226b8811f2fdeaa4417ef0b630018f0b52b046fe
                  • Instruction ID: 591f43f9bcbe8cdc5983802df02f00719800e3b1f4ae9a8b3f6835778f520f6d
                  • Opcode Fuzzy Hash: a30a1fee9cbfce6a8dcf293e226b8811f2fdeaa4417ef0b630018f0b52b046fe
                  • Instruction Fuzzy Hash: 0FA1F2B1A00218AFDF15EFE4DD99DEEBBB9BF48300F144019F506A2245DB39AA05DB61
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00F8918B
                  • CreateCompatibleDC.GDI32(00000000), ref: 00F891E6
                  • CreateCompatibleDC.GDI32(00000000), ref: 00F891FA
                  • CreateCompatibleDC.GDI32(00000000), ref: 00F8920E
                  • GetObjectA.GDI32(00000004,00000018,?), ref: 00F8922A
                  • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 00F89257
                  • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0109AF0C), ref: 00F89277
                  • CreatePatternBrush.GDI32(?), ref: 00F89285
                    • Part of subcall function 00F88CE0: DeleteObject.GDI32(00000000), ref: 00F88CEF
                  • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00F892A7
                    • Part of subcall function 00F88D3D: SelectObject.GDI32(?,?), ref: 00F88D48
                  • GetPixel.GDI32(?,00000000,00000000), ref: 00F892E7
                    • Part of subcall function 00F88040: SetBkColor.GDI32(?,?), ref: 00F8805E
                    • Part of subcall function 00F88040: SetBkColor.GDI32(?,?), ref: 00F8806B
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00F89313
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 00F89337
                  • FillRect.USER32(?,?,?), ref: 00F8939B
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00F893CB
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 00F893E2
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00F893F5
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$BitmapCompatibleObject$Color$BrushDeleteFillH_prolog3_PatternPixelRectSelect
                  • String ID:
                  • API String ID: 1818846147-0
                  • Opcode ID: 8d45920e42d6d58b88ce3036ca3b67b8c7f8d83cbe0d695c5641481709be0fed
                  • Instruction ID: 343ae6dcc9419a075c64ec6d85b76067e739704ad50af62f114bc29ef2452561
                  • Opcode Fuzzy Hash: 8d45920e42d6d58b88ce3036ca3b67b8c7f8d83cbe0d695c5641481709be0fed
                  • Instruction Fuzzy Hash: CE91FEB1C00208AEDF11AFA4CC859EEBFB9FF08380F548029F515B6161DA765D56EB20
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FE037D
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE03B3
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FE03CA
                  • SelectObject.GDI32(?,?), ref: 00FE03F6
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00FE0418
                  • SelectObject.GDI32(?,00000000), ref: 00FE042B
                  • CreateCompatibleDC.GDI32(?), ref: 00FE043E
                  • SelectObject.GDI32(?,?), ref: 00FE044F
                  • SelectObject.GDI32(?,00000000), ref: 00FE0460
                  • DeleteObject.GDI32(?), ref: 00FE0465
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00FE0491
                  • GetPixel.GDI32(?,?,?), ref: 00FE04B0
                  • SetPixel.GDI32(?,?,?,00000000), ref: 00FE04F7
                  • SelectObject.GDI32(?,?), ref: 00FE051B
                  • SelectObject.GDI32(?,00000000), ref: 00FE0523
                  • DeleteObject.GDI32(?), ref: 00FE052B
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
                  • String ID:
                  • API String ID: 3639146769-0
                  • Opcode ID: cc04cecd5239e91b4f5489c45bf8cd8d5905192d8d65ffe7ae7600390fd4f073
                  • Instruction ID: 79f84bba26704a6df706f177e97fa22b296d58d6bc5f80a748f215902e3a95f3
                  • Opcode Fuzzy Hash: cc04cecd5239e91b4f5489c45bf8cd8d5905192d8d65ffe7ae7600390fd4f073
                  • Instruction Fuzzy Hash: 72511531C0024AEFCF21EFA1CD45AEEBB72FF44360F244129F555A21A0DB754A96EB61
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FA6C48
                  • GetClientRect.USER32(?,?), ref: 00FA6C6A
                  • CreateCompatibleDC.GDI32(?), ref: 00FA6CA6
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00FA6CEE
                  • CreateDIBSection.GDI32 ref: 00FA6D6B
                  • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 00FA6D9E
                  • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 00FA6DD1
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00FA6E35
                  • _memmove.LIBCMT ref: 00FA6E4E
                  • GetWindowRect.USER32(?,?), ref: 00FA6E9D
                  • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00FA6FB6
                  • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00FA702C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$Section$CompatibleRect$BitmapClientH_prolog3_Window_memmove
                  • String ID: (
                  • API String ID: 498668396-3887548279
                  • Opcode ID: 9661842e321e69a2f0ff3d7193d81421f1a312d486e2a5d5a42bff1d19b2db10
                  • Instruction ID: 329346ba9e9be537569f4b179bd4d7c8c50ebc11c2915a4e29dc423b667d14c4
                  • Opcode Fuzzy Hash: 9661842e321e69a2f0ff3d7193d81421f1a312d486e2a5d5a42bff1d19b2db10
                  • Instruction Fuzzy Hash: 29D107B5A006099FCB21DFA4CD84DEEBBB9FF49340F248529E156E7251DB31A941EF10
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FAC2EF
                  • CreatePopupMenu.USER32 ref: 00FAC308
                  • AppendMenuA.USER32(20000000,?,?,?), ref: 00FAC3DC
                  • AppendMenuA.USER32(00000001,00000000,?,?), ref: 00FAC3FA
                  • SetMenuDefaultItem.USER32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,0000001C), ref: 00FAC41A
                  • GetKeyState.USER32(00000010), ref: 00FAC49F
                  • GetAsyncKeyState.USER32(00000011), ref: 00FAC4FE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$AppendState$AsyncCreateDefaultH_prolog3ItemPopup
                  • String ID: P
                  • API String ID: 1421082015-3110715001
                  • Opcode ID: 463eb1737ea80ac3439d73206fb2afb3eab7e7f74d87599e5afd5504b022dae5
                  • Instruction ID: 29012cd94f67f4c958fb1917cf619d1cc69a263c8bfe9417ae74b5b4ed4f745e
                  • Opcode Fuzzy Hash: 463eb1737ea80ac3439d73206fb2afb3eab7e7f74d87599e5afd5504b022dae5
                  • Instruction Fuzzy Hash: B2B171B2E002189FDF24DFA4C884AEEBBB5FF49720F154529E945BB250CB749D40EB90
                  APIs
                  • GetClientRect.USER32(?,?), ref: 00FA70D0
                  • InflateRect.USER32(?,00000000,00000000), ref: 00FA70FF
                  • SetRectEmpty.USER32(?), ref: 00FA719D
                  • SetRectEmpty.USER32(?), ref: 00FA71A6
                  • GetSystemMetrics.USER32(00000002), ref: 00FA71C7
                  • KillTimer.USER32(?,00000002), ref: 00FA7261
                  • EqualRect.USER32(?,?), ref: 00FA7283
                  • EqualRect.USER32(?,?), ref: 00FA7294
                  • EqualRect.USER32(?,?), ref: 00FA72E5
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FA72FE
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FA7306
                  • EqualRect.USER32(?,?), ref: 00FA731A
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FA732D
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FA7335
                  • UpdateWindow.USER32(?), ref: 00FA7348
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
                  • String ID:
                  • API String ID: 2140115980-0
                  • Opcode ID: d36b219d5ced5fd004785ef0e0b8a1312f3ac4933178e176cbaa9fca6cbba23a
                  • Instruction ID: 0d5e43fb93a3b49073fc48539aa6357111e2d2602767691f777d59b4d36f0e5c
                  • Opcode Fuzzy Hash: d36b219d5ced5fd004785ef0e0b8a1312f3ac4933178e176cbaa9fca6cbba23a
                  • Instruction Fuzzy Hash: 939106B290021A9FCF11DFA4C984AEE77B5FF09310F1445B9EC09AB249DB75A941DFA0
                  APIs
                  • GetDlgCtrlID.USER32(?), ref: 00FAF11D
                  • GetDlgItem.USER32(?,?), ref: 00FAF1A7
                  • ShowWindow.USER32(00000000,00000000), ref: 00FAF1B2
                  • GetMenu.USER32(?), ref: 00FAF1C4
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00FAF1DF
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • GetDlgItem.USER32(?,0000E900), ref: 00FAF21C
                  • SetWindowLongA.USER32(00000000,000000F4,0000EA21), ref: 00FAF239
                  • GetDlgItem.USER32(0000EA21,0000EA21), ref: 00FAF252
                  • GetDlgItem.USER32(0000E900,0000E900), ref: 00FAF268
                  • SetWindowLongA.USER32(00000000,000000F4,0000EA21), ref: 00FAF27A
                  • SetWindowLongA.USER32(?,000000F4,0000E900), ref: 00FAF286
                  • InvalidateRect.USER32(00000001,00000000,00000001), ref: 00FAF299
                  • SetMenu.USER32(00000000,00000000), ref: 00FAF2B0
                  • GetDlgItem.USER32(?,00000000), ref: 00FAF2F7
                  • ShowWindow.USER32(?,00000005), ref: 00FAF305
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ItemWindow$Long$InvalidateMenuRectShow$CtrlException@8Throw
                  • String ID:
                  • API String ID: 3179827820-0
                  • Opcode ID: 50d513af432a632c6587807ce038083c4e4e936b88e95636844052aeb74ed03a
                  • Instruction ID: 23f11b51c8e58689df4d44f74b60e2a3f9a34a0489015288c8b5bed7323b7099
                  • Opcode Fuzzy Hash: 50d513af432a632c6587807ce038083c4e4e936b88e95636844052aeb74ed03a
                  • Instruction Fuzzy Hash: BE816074A00600EFCB219F64C888BAABBF5FF4A711F148569F49ADB2A5DB35D844DF40
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FDCF1D
                  • GetIconInfo.USER32(?,?), ref: 00FDCFCE
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FDCFDD
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FDD009
                  • CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 00FDD023
                  • SelectObject.GDI32(?,00000000), ref: 00FDD034
                  • FillRect.USER32(?,?), ref: 00FDD061
                  • DrawIconEx.USER32(?,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 00FDD07F
                  • SelectObject.GDI32(?,00000000), ref: 00FDD08D
                  • DeleteObject.GDI32(?), ref: 00FDD096
                  • DeleteObject.GDI32(?), ref: 00FDD0AE
                  • DeleteObject.GDI32(?), ref: 00FDD0B7
                  • DestroyCursor.USER32(?), ref: 00FDD109
                  • DestroyCursor.USER32(?), ref: 00FDD113
                  • DestroyCursor.USER32(?), ref: 00FDD11D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$CursorDeleteDestroy$IconSelect$CompatibleCopyCreateDrawFillH_prolog3_ImageInfoRect
                  • String ID:
                  • API String ID: 233185908-0
                  • Opcode ID: d202d781eae447cf02de3f989b64852fb4bb8e2ccf898c2ad07f53227e91491b
                  • Instruction ID: 042ad8a2b853185a900b6efbefae6aa1ce59d2e64adc1287612fd8b919cc9b04
                  • Opcode Fuzzy Hash: d202d781eae447cf02de3f989b64852fb4bb8e2ccf898c2ad07f53227e91491b
                  • Instruction Fuzzy Hash: D4611671D00609EFCF21DFA4D8849DEFBB6FF88310F28412AE555A2254D7369945EF60
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FDE603
                    • Part of subcall function 00F9897D: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00F989A0
                    • Part of subcall function 00FCF57A: __EH_prolog3.LIBCMT ref: 00FCF581
                    • Part of subcall function 00FCF5B7: __EH_prolog3.LIBCMT ref: 00FCF5BE
                    • Part of subcall function 00FCF5B7: __fassign.LIBCMT ref: 00FCF6A1
                  • LoadIconA.USER32(?,00000000), ref: 00FDE87B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$ByteCharIconLoadMultiWide__fassign
                  • String ID: MFCButton_Autosize$MFCButton_CursorType$MFCButton_FullTextTool$MFCButton_ImageID$MFCButton_ImageOnRight$MFCButton_ImageOnTop$MFCButton_ImageType$MFCButton_Style$MFCButton_Tooltip$TRUE
                  • API String ID: 1416016541-3825445498
                  • Opcode ID: 181247a7c5a4dc8e4ad320e5a3f17986f097e336f19b00bd780d9dfdf3a08d3e
                  • Instruction ID: a876504559d8e6aaf37b5d103c5b1ebc0388bd4e28ac80178d3d9815e9d12479
                  • Opcode Fuzzy Hash: 181247a7c5a4dc8e4ad320e5a3f17986f097e336f19b00bd780d9dfdf3a08d3e
                  • Instruction Fuzzy Hash: 23A1A771D00109AEDB14FBA4CD81EFEBBAAAF14310F18452AF511AB291DF789D44FB61
                  APIs
                  • ClientToScreen.USER32(?,?), ref: 00FFA907
                  • GetSystemMetrics.USER32(00000015), ref: 00FFAA08
                  • GetSystemMetrics.USER32(00000015), ref: 00FFAA17
                  • InflateRect.USER32(?,00000000,00000001), ref: 00FFAA57
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FFAA66
                  • InflateRect.USER32(?,00000000,00000000), ref: 00FFAA8A
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FFAA99
                  • UpdateWindow.USER32(?), ref: 00FFAAA2
                  • GetCapture.USER32 ref: 00FFAABF
                  • GetCursorPos.USER32(?), ref: 00FFAAF7
                  • GetSystemMetrics.USER32(00000044), ref: 00FFAB17
                  • GetCapture.USER32 ref: 00FFAB20
                  • GetParent.USER32(?), ref: 00FFAB57
                  • SendMessageA.USER32(?,?,?,00000000), ref: 00FFAB7D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$MetricsSystem$CaptureInflateInvalidate$ClientCursorMessageParentScreenSendUpdateWindow
                  • String ID:
                  • API String ID: 2772127108-0
                  • Opcode ID: ef39d4ae9eb46617fb0861a67c544084e0d9fdd47915d6e460017d1429e42090
                  • Instruction ID: 06d8aee867f86dd67a763ce1115b73607274385ae3909d19a5102f80ad848097
                  • Opcode Fuzzy Hash: ef39d4ae9eb46617fb0861a67c544084e0d9fdd47915d6e460017d1429e42090
                  • Instruction Fuzzy Hash: 15A180B1A00509DFCF14DFA8C888AED7BB6FF88310F1541B9EA09EB265DB359940DB51
                  APIs
                  • KillTimer.USER32(?,00000001), ref: 00FAAE95
                  • KillTimer.USER32(?,00000002), ref: 00FAAE9C
                  • IsWindow.USER32(?), ref: 00FAAEEC
                  • PostMessageA.USER32(?,00000010,00000000,00000000), ref: 00FAAF09
                  • GetCursorPos.USER32(?), ref: 00FAAF46
                  • ScreenToClient.USER32(?,?), ref: 00FAAF53
                  • KillTimer.USER32(?,00000001), ref: 00FAAF68
                  • PtInRect.USER32(?,?,?), ref: 00FAAF97
                  • KillTimer.USER32(?,00000002), ref: 00FAB00C
                  • GetParent.USER32(?), ref: 00FAB021
                  • PtInRect.USER32(?,?,?), ref: 00FAB04C
                  • KillTimer.USER32(?,00000014), ref: 00FAB09A
                  • GetClientRect.USER32(?,?), ref: 00FAB0B3
                  • PtInRect.USER32(?,?,?), ref: 00FAB0C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: KillTimer$Rect$Client$CursorMessageParentPostScreenWindow
                  • String ID:
                  • API String ID: 2803392424-0
                  • Opcode ID: e12903e3ddc8483438eb6b220fd325394c9dc2a38820c25b7aea977302ea8f4e
                  • Instruction ID: 43c1cbf424ff18c0a973dce1be95131e872dfcbbd750bb795aed527023a573f1
                  • Opcode Fuzzy Hash: e12903e3ddc8483438eb6b220fd325394c9dc2a38820c25b7aea977302ea8f4e
                  • Instruction Fuzzy Hash: 7E71C3B1A007009FDF219F65C888EAEBBB6FF88315F10452DF59696251DB36A840EB51
                  APIs
                  • RedrawWindow.USER32(?,?,00000000,00000105,?,?,00000000), ref: 010010B7
                  • PtInRect.USER32(?,?,?), ref: 010010C4
                  • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 010010E7
                  • GetParent.USER32(?), ref: 01001103
                  • SendMessageA.USER32(?,?,?,00000000), ref: 0100112D
                  • SendMessageA.USER32(?,?,?,010B1F14), ref: 01001173
                  • ReleaseCapture.USER32 ref: 01001183
                  • ReleaseCapture.USER32 ref: 01001226
                  • ReleaseCapture.USER32 ref: 01001274
                  • IsRectEmpty.USER32(?), ref: 010012D2
                  • InvalidateRect.USER32(?,?,00000000,?,?,00000000), ref: 010012EA
                  • IsRectEmpty.USER32(?), ref: 010012F0
                  • InvalidateRect.USER32(?,?,00000000,?,?,00000000), ref: 01001302
                  • UpdateWindow.USER32(?), ref: 01001307
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$CaptureMessageReleaseSend$EmptyInvalidateWindow$ParentRedrawUpdate
                  • String ID:
                  • API String ID: 1443145988-0
                  • Opcode ID: 0bc9538fd7b54181a5c0619b18c1180d51b65fe89a3faf10fb3ca3e06751e5ee
                  • Instruction ID: 6e8e66c7312d460f5a0ffc1c87b67a64586b45347200cb6538e4ffa0d07008a9
                  • Opcode Fuzzy Hash: 0bc9538fd7b54181a5c0619b18c1180d51b65fe89a3faf10fb3ca3e06751e5ee
                  • Instruction Fuzzy Hash: 97815C716007059FEB769F79C888AEEBBF5BF48300F10496DE5EA92290DB35A900CB50
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F98A68
                    • Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688
                    • Part of subcall function 00FDCBB7: __EH_prolog3.LIBCMT ref: 00FDCBBE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$_malloc
                  • String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
                  • API String ID: 1683881009-2110171958
                  • Opcode ID: 8abe7436283b59893850ce374b163fe345e561370349850b90ffc01a35e2e0ab
                  • Instruction ID: 818a2e9811f42597747d4660c9ecbb07b904e2db2acec4be0c3a8e5c0cc3cec3
                  • Opcode Fuzzy Hash: 8abe7436283b59893850ce374b163fe345e561370349850b90ffc01a35e2e0ab
                  • Instruction Fuzzy Hash: 4351B531B0A204A7EF58F778DD22BBD76902F16B90F14001EF44AD6281EF749A46B766
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FE0C6B
                  • GetObjectA.GDI32(00000000,00000018,?), ref: 00FE0C9D
                  • GetObjectA.GDI32(?,00000054,?), ref: 00FE0CD5
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE0D6B
                  • SelectObject.GDI32(?,?), ref: 00FE0D8A
                  • GetPixel.GDI32(?,?,00000000), ref: 00FE0E17
                  • GetPixel.GDI32(?,?,00000000), ref: 00FE0E29
                  • SetPixel.GDI32(?,?,00000000,00000000), ref: 00FE0E38
                  • SetPixel.GDI32(?,?,00000000,?), ref: 00FE0E4A
                  • SelectObject.GDI32(?,?), ref: 00FE0E81
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
                  • String ID: $
                  • API String ID: 1266819874-227171996
                  • Opcode ID: 2728c6a7dc40b4ed9179dd255c14b43e1ec2c68a8e0bc7382f50aa49a6769f70
                  • Instruction ID: d6c1b7416d088f0a2c6db04ab3da31d5bb3bf08f32b6f2220c3a8ab751f33e91
                  • Opcode Fuzzy Hash: 2728c6a7dc40b4ed9179dd255c14b43e1ec2c68a8e0bc7382f50aa49a6769f70
                  • Instruction Fuzzy Hash: B1711371D00219DFDF20DFAACC84AADBBB1FF58314F204169E549A7252DB71A981EF50
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F88F0B
                  • GetSysColor.USER32(00000014), ref: 00F88F48
                    • Part of subcall function 00F88EC1: __EH_prolog3.LIBCMT ref: 00F88EC8
                    • Part of subcall function 00F88EC1: CreateSolidBrush.GDI32(00000000), ref: 00F88EE3
                  • GetSysColor.USER32(00000010), ref: 00F88F59
                  • CreateCompatibleDC.GDI32(00000000), ref: 00F88F6F
                  • CreateCompatibleDC.GDI32(00000000), ref: 00F88F83
                  • GetObjectA.GDI32(00000004,00000018,?), ref: 00F88FA2
                  • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 00F88FC7
                  • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00F88FE5
                    • Part of subcall function 00F88D3D: SelectObject.GDI32(?,?), ref: 00F88D48
                  • GetPixel.GDI32(?,00000000,00000000), ref: 00F8902A
                    • Part of subcall function 00F88040: SetBkColor.GDI32(?,?), ref: 00F8805E
                    • Part of subcall function 00F88040: SetBkColor.GDI32(?,?), ref: 00F8806B
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00F89057
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 00F8907C
                  • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 00F890DC
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 00F890FB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$Color$BitmapCompatibleH_prolog3Object$BrushPixelSelectSolid
                  • String ID:
                  • API String ID: 758415642-0
                  • Opcode ID: 69ef09d6c4533fc5932f3a835b49c0e4fbdac22b38c61c26b70ec930007b85a1
                  • Instruction ID: b23c26bd9b423f73e29464b9fe65d5b5d17d67ee54e298e797fae6072edca94d
                  • Opcode Fuzzy Hash: 69ef09d6c4533fc5932f3a835b49c0e4fbdac22b38c61c26b70ec930007b85a1
                  • Instruction Fuzzy Hash: 0B8112B1C0010DBEDF11AFE0DC859EEBBB9FF18384F548029F515A61A1DA395E46EB60
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FE0EE0
                  • GetObjectA.GDI32(00000000,00000018,?), ref: 00FE0F12
                  • GetObjectA.GDI32(?,00000054,?), ref: 00FE0F47
                  • _memmove.LIBCMT ref: 00FE0FD7
                  • _memmove.LIBCMT ref: 00FE0FE3
                  • _memmove.LIBCMT ref: 00FE0FEF
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE102E
                  • SelectObject.GDI32(?,?), ref: 00FE104D
                  • GetPixel.GDI32(?,00000000,?), ref: 00FE10CB
                  • GetPixel.GDI32(?,00000000,?), ref: 00FE10DD
                  • SetPixel.GDI32(?,00000000,?,00000000), ref: 00FE10EA
                  • SetPixel.GDI32(?,00000000,?,?), ref: 00FE10FC
                  • SelectObject.GDI32(?,?), ref: 00FE1129
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ObjectPixel$_memmove$Select$CompatibleCreateH_prolog3_
                  • String ID:
                  • API String ID: 1415242115-0
                  • Opcode ID: 962954290e5bd988e22fec248b54bcf7d9430e02c9750e50b45760b8b636290b
                  • Instruction ID: 420aa8f190b4fa311e203012c3568ef479b84a2684555b098e4103e8ba253ea3
                  • Opcode Fuzzy Hash: 962954290e5bd988e22fec248b54bcf7d9430e02c9750e50b45760b8b636290b
                  • Instruction Fuzzy Hash: 84710371D00269DFDF209FA6CC81ADDBBB6FF08314F20406AE549A7252DB319995EF50
                  APIs
                  • GetKeyState.USER32(00000010), ref: 00FAC49F
                  • GetAsyncKeyState.USER32(00000011), ref: 00FAC4FE
                  • IsRectEmpty.USER32(?), ref: 00FAC5C5
                  • IsRectEmpty.USER32(?), ref: 00FAC66C
                  • SendMessageA.USER32(?,00000100,00000024,00000000), ref: 00FAC7A3
                  • SendMessageA.USER32(?,00000362,0000E001,00000000), ref: 00FAC870
                  • GetClientRect.USER32(?,?), ref: 00FAC8D8
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FAC911
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FAC91C
                  • UpdateWindow.USER32(?), ref: 00FAC921
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$EmptyInvalidateMessageSendState$AsyncClientUpdateWindow
                  • String ID: !
                  • API String ID: 348497913-2657877971
                  • Opcode ID: c0cc9aa10c0b49546e17f604738f40039c30e8a4fe17c7b1380efc9f0ca41259
                  • Instruction ID: 2c2cee2d5a4cbe26ed4fa49d94f281196938a507950aa516dd9ff03fe6334ccc
                  • Opcode Fuzzy Hash: c0cc9aa10c0b49546e17f604738f40039c30e8a4fe17c7b1380efc9f0ca41259
                  • Instruction Fuzzy Hash: 45E16EB1E002149FDF24DF64C894BADB7B5BF4A724F194169E849AB255DB30AC40EFE0
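The per-function records in this listing are a plain-text export of the Joe Sandbox IDA plugin output, with the download-link label glued onto every "Associated" line. The following parser is an added example, not part of the Joe Sandbox report or its plugin: it splits the text into one record per "APIs" header, separates a function's own calls from the "Part of subcall function" entries, strips the link residue, and lets you ask which functions call a given API by Instruction ID (here GetAsyncKeyState, the keystroke-reading call in the record above) or index records by Instruction Fuzzy Hash for comparison with other samples. The SAMPLE text is constructed from lines of this page's records and is not a verbatim copy of any one record; the line layout it assumes is the one shown here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One API bullet of a record, in the three shapes the export uses:
#   "GetKeyState.USER32(00000010), ref: 00FAC49F"   /   "ReleaseCapture.USER32 ref: 01001183"
#   "Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subfn>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
# Any other "Key: value" bullet (Source File, Associated, API ID, Instruction ID, ...)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z_ ]+?): ?(?P<value>.*)$")
LINK_RESIDUE = "Download File"   # button label glued onto every "Associated" line

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # call-site address from "ref:"
    subcall_of: Optional[int] = None  # set when the call sits in a callee

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # dump + Similarity metadata
    associated: List[str] = field(default_factory=list)   # dump files, residue stripped

def parse_report(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per "APIs" header; bare section labels are skipped."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        m = API_RE.match(body)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            sub = m.group("subfn")
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    int(m.group("ref"), 16), int(sub, 16) if sub else None))
            continue
        f = FIELD_RE.match(body)
        if not f:
            continue
        key, value = f.group("key"), f.group("value").strip()
        if key == "Associated":
            if value.endswith(LINK_RESIDUE):
                value = value[:-len(LINK_RESIDUE)]
            cur.associated.append(value)
        else:
            cur.fields[key] = value
    return records

def calls_directly(rec: FunctionRecord, api_name: str) -> bool:
    """True if the function body itself, not a callee, references api_name."""
    return any(c.name == api_name and c.subcall_of is None for c in rec.apis)

def instruction_ids_calling(records: List[FunctionRecord], api_name: str) -> List[str]:
    """Instruction IDs of the records whose own body calls api_name."""
    return [r.fields["Instruction ID"] for r in records if calls_directly(r, api_name)]

def by_instruction_hash(records: List[FunctionRecord]) -> Dict[str, FunctionRecord]:
    """Index by Instruction Fuzzy Hash, the key to match functions across samples."""
    return {r.fields["Instruction Fuzzy Hash"]: r for r in records}

# Constructed sample built from lines of this report's records (not a verbatim
# copy of one record); the second record exercises the subcall and no-arg forms.
SAMPLE = """\
APIs
• GetKeyState.USER32(00000010), ref: 00FAC49F
• GetAsyncKeyState.USER32(00000011), ref: 00FAC4FE
• SendMessageA.USER32(?,00000100,00000024,00000000), ref: 00FAC7A3
Strings
• Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID: !
• Instruction ID: 2c2cee2d5a4cbe26ed4fa49d94f281196938a507950aa516dd9ff03fe6334ccc
• Instruction Fuzzy Hash: 45E16EB1E002149FDF24DF64C894BADB7B5BF4A724F194169E849AB255DB30AC40EFE0
APIs
• __EH_prolog3.LIBCMT ref: 00F98A68
  • Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688
• ReleaseCapture.USER32 ref: 01001183
Similarity
• String ID: MFCButton$MFCColorButton$MFCEditBrowse
• Instruction ID: 818a2e9811f42597747d4660c9ecbb07b904e2db2acec4be0c3a8e5c0cc3cec3
• Instruction Fuzzy Hash: 4351B531B0A204A7EF58F778DD22BBD76902F16B90F14001EF44AD6281EF749A46B766
"""
```

To run it on a saved page, pass the whole text to `parse_report` and query with `instruction_ids_calling(records, "GetAsyncKeyState")`; the subcall distinction matters because a function that only reaches an API through a callee (as `_malloc` above) should not be counted as calling it itself. The Instruction Fuzzy Hash index is the value to diff against a second sample's report when checking whether the same MFC library functions, rather than the malware's own code, account for a signature.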
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset$H_prolog3H_prolog3___splitpath_s_strlen
                  • String ID: Aero$Luna$homestead$metallic$normalcolor$royale
                  • API String ID: 3363187346-2881773410
                  • Opcode ID: 24396207f40180e02e8b9d9cbabf21458b6ab0f8e961b64acaad763194c39f42
                  • Instruction ID: b5a44123d640179533e7e8d45e8067e724be9e815fdf618e857824c897a3aaf0
                  • Opcode Fuzzy Hash: 24396207f40180e02e8b9d9cbabf21458b6ab0f8e961b64acaad763194c39f42
                  • Instruction Fuzzy Hash: 6C51B23190062DABDB24E764CD52FFFB66CAF05711F000699B519A2092EE709F81DFA1
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FEA357
                    • Part of subcall function 01008548: __EH_prolog3.LIBCMT ref: 0100854F
                  • GetWindowRect.USER32(?,?), ref: 00FEA422
                    • Part of subcall function 00F912A0: GetDlgCtrlID.USER32(?), ref: 00F912A9
                    • Part of subcall function 00FE9A02: GetWindowRect.USER32(?,?), ref: 00FE9A12
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3RectWindow$Ctrl
                  • String ID: %sPane-%d$%sPane-%d%x$IsFloating$MRUWidth$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
                  • API String ID: 2598721110-1120251949
                  • Opcode ID: 5a7ee72053631ef9ad9a4f35a410ce52916f0a3250d83372f0f72a07f0804b9c
                  • Instruction ID: f6cf97b4ea43c726de8e6f6b677b3047d7a1e4cd40bf51909f42c7753498e6cb
                  • Opcode Fuzzy Hash: 5a7ee72053631ef9ad9a4f35a410ce52916f0a3250d83372f0f72a07f0804b9c
                  • Instruction Fuzzy Hash: 16519C31600245AFCF11EFA1CC89AFEBBB2BF48310F10451CF9569B2A1DB75A950EB51
                  APIs
                  • __EH_prolog3.LIBCMT ref: 01010300
                  • GetObjectA.GDI32(00000018,00000018,010A4E00), ref: 0101031C
                  • _memmove.LIBCMT ref: 0101037A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3Object_memmove
                  • String ID:
                  • API String ID: 107514201-3916222277
                  • Opcode ID: 44c97cdcdfc7ca6f11d698a411817436e4a4ba52960a145c6c183613fad4aadc
                  • Instruction ID: e7f70c69a63790cd6fe0854c3161c6bce01a24b18abec0307c1d7adda8c88e3f
                  • Opcode Fuzzy Hash: 44c97cdcdfc7ca6f11d698a411817436e4a4ba52960a145c6c183613fad4aadc
                  • Instruction Fuzzy Hash: D1417C71C00119AFDF15EFA4DC809EEBBB5FF04340F508069F591A71A8DB395A85DB90
                  APIs
                  • SetRectEmpty.USER32(?), ref: 00FD4573
                  • LoadCursorW.USER32(?,00007904), ref: 00FD459A
                  • LoadCursorW.USER32(?,00007905), ref: 00FD45BC
                  • SendMessageA.USER32(?,00001201,00000000,00000006), ref: 00FD4603
                  • SendMessageA.USER32(?,00001201,00000001,00000006), ref: 00FD4627
                  • SendMessageA.USER32(?,00000401,00000001,00000000), ref: 00FD4661
                  • SendMessageA.USER32(?,00000418,00000000,FFFFFFFF), ref: 00FD467B
                  • GetParent.USER32(?), ref: 00FD46A5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$CursorLoad$EmptyParentRect
                  • String ID: Property$Value$d
                  • API String ID: 2284761715-1409410049
                  • Opcode ID: dce9cf7b4953820480f820014787201209146a565fde959a325b7f9057027b4f
                  • Instruction ID: 1209beab911fa243a181ea0f8cc474d47fca4b74a34b80fe6403ae63ac033fe2
                  • Opcode Fuzzy Hash: dce9cf7b4953820480f820014787201209146a565fde959a325b7f9057027b4f
                  • Instruction Fuzzy Hash: DF517F70A00204AFDB11EF65CC49EAEBBF9FF58714F140569F296D72A1DBB9A900CB50
                  APIs
                  • IsWindow.USER32(?), ref: 00FAAB87
                  • GetCursorPos.USER32(?), ref: 00FAABA6
                  • ScreenToClient.USER32(?,?), ref: 00FAABB3
                  • GetParent.USER32(?), ref: 00FAAC56
                  • SetTimer.USER32(?,00000002,FFFFFFFE,00000000), ref: 00FAACAF
                  • InvalidateRect.USER32(?,000000AB,00000001), ref: 00FAACBE
                  • UpdateWindow.USER32(?), ref: 00FAACC7
                  • KillTimer.USER32(00000002,00000002,00000000), ref: 00FAACD4
                  • KillTimer.USER32(?,00000002), ref: 00FAAD8A
                  • GetParent.USER32(?), ref: 00FAADA5
                  • GetParent.USER32(?), ref: 00FAADFB
                  • SendMessageA.USER32(?,0000011F,00000000,?), ref: 00FAAE77
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ParentTimer$KillWindow$ClientCursorInvalidateMessageRectScreenSendUpdate
                  • String ID:
                  • API String ID: 2010726786-0
                  • Opcode ID: 28f288b5bfcc37d140e91304d12ce82af2a314a7132df354713a7782991dbf03
                  • Instruction ID: b4fe8cd4551a9daa357081462971f40e15cd972154fb54dd212bb0c011558795
                  • Opcode Fuzzy Hash: 28f288b5bfcc37d140e91304d12ce82af2a314a7132df354713a7782991dbf03
                  • Instruction Fuzzy Hash: 1F91D1B1A003019FEF25AFA0C899BAE77B5FF85325F14446CE4868B690DB35DC44EB51
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FE2FFA
                  • TransparentBlt.MSIMG32(00000000,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,000000FF,00000048,00FE3C23,00000000,?,?), ref: 00FE3052
                  • CreateCompatibleDC.GDI32(?), ref: 00FE3097
                  • CreateCompatibleDC.GDI32(?), ref: 00FE30B4
                  • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 00FE30D2
                  • StretchBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00FE3136
                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00CC0020), ref: 00FE3164
                  • CreateBitmap.GDI32(00000000,00000000,00000001,00000001,00000000), ref: 00FE3171
                  • BitBlt.GDI32(00FC10F2,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 00FE31AA
                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00FC10F2,00000000,00000000,008800C6), ref: 00FE31D8
                  • BitBlt.GDI32(?,?,00000000,00000000,00000000,00FC10F2,00000000,00000000,008800C6), ref: 00FE3205
                  • BitBlt.GDI32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00EE0086), ref: 00FE3220
                    • Part of subcall function 00F88A33: DeleteDC.GDI32(00000000), ref: 00F88A45
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$Compatible$Bitmap$DeleteH_prolog3StretchTransparent
                  • String ID:
                  • API String ID: 646174778-0
                  • Opcode ID: bd620cf1746c4ea869e7fc9ef4164eb618d8e10a812f5b1f65fea59cfec97844
                  • Instruction ID: 6cd9ef47b8db084e396bf07bceb0d1392edf72387835c3c2442df7653ef060e2
                  • Opcode Fuzzy Hash: bd620cf1746c4ea869e7fc9ef4164eb618d8e10a812f5b1f65fea59cfec97844
                  • Instruction Fuzzy Hash: 7691F171800049AFCF12EF90CD89DEEBB76FF18394F504118F610621A1DB369E26EB60
                  APIs
                  • RealizePalette.GDI32(?), ref: 00FDC2F9
                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00FDC3D0
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FDC3EC
                    • Part of subcall function 00FDC17C: __EH_prolog3.LIBCMT ref: 00FDC183
                    • Part of subcall function 00FDC17C: GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 00FDC1EB
                    • Part of subcall function 00FDC17C: CreatePalette.GDI32(00000000), ref: 00FDC236
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FDC408
                  • GetNearestPaletteIndex.GDI32(?,000000FF), ref: 00FDC42B
                  • FillRect.USER32(?,?,?), ref: 00FDC451
                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00FDC478
                  • FillRect.USER32(?,?), ref: 00FDC4CA
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FDC511
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Inflate$Palette$Fill$CreateEntriesH_prolog3IndexNearestRealizeSystem
                  • String ID: iii
                  • API String ID: 1028858568-940974255
                  • Opcode ID: 6a87ae9483d72320878e06ec51afe80162afe2f2bc29ed91b38faea6ee6432cf
                  • Instruction ID: 6e2848adbd6a8b4e2391aecd12aad4d29047a596a490c650ed12533a88fc06e3
                  • Opcode Fuzzy Hash: 6a87ae9483d72320878e06ec51afe80162afe2f2bc29ed91b38faea6ee6432cf
                  • Instruction Fuzzy Hash: 86914831900209AFCF11DFA4C985ADEB7BAFF49324F144219F825A7291CB7AAA05DF50
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 01008A01
                  • GetSystemMenu.USER32(?,00000000,00000214,00FB660E,00000000,00000000,00000001,?), ref: 01008A63
                  • IsMenu.USER32(?), ref: 01008A7C
                  • IsMenu.USER32(?), ref: 01008A96
                  • SendMessageA.USER32(?,0000007F,00000000,00000000), ref: 01008ACB
                  • GetClassLongA.USER32(?,000000DE), ref: 01008AE1
                  • GetWindowLongA.USER32(?,000000F0), ref: 01008B2C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$Long$ClassH_prolog3_MessageSendSystemWindow
                  • String ID: 0
                  • API String ID: 859179710-4108050209
                  • Opcode ID: bb37d5129aaf0ac0a4fa3af6a877eabcb351428f47eed19c7482143f29f5821e
                  • Instruction ID: b66b20c33934b3be0ecf9b7a79581b3000e4825cba7fd13d92c2fd4307315002
                  • Opcode Fuzzy Hash: bb37d5129aaf0ac0a4fa3af6a877eabcb351428f47eed19c7482143f29f5821e
                  • Instruction Fuzzy Hash: 99813F309006459FFB62DF28C884FEEB7F4BF45310F1486AEE5AA96291DB305A81CF40
                  APIs
                  • _memset.LIBCMT ref: 00FCE451
                  • SendMessageA.USER32(?,00001005,00000000,?), ref: 00FCE473
                  • SHGetDesktopFolder.SHELL32(?), ref: 00FCE4B2
                  • CreatePopupMenu.USER32 ref: 00FCE526
                  • GetMenuDefaultItem.USER32(00000000,00000000,00000000), ref: 00FCE555
                  • GetParent.USER32(?), ref: 00FCE582
                  • GetParent.USER32(?), ref: 00FCE5C7
                  • GetParent.USER32(?), ref: 00FCE5D6
                  • SendMessageA.USER32(?,?,00000000,00000000), ref: 00FCE5EB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Parent$MenuMessageSend$CreateDefaultDesktopFolderItemPopup_memset
                  • String ID: $
                  • API String ID: 2190390364-3993045852
                  • Opcode ID: 216f139e2b4fa9f71eba53d4cdf88b2a260ac2b13ab1634a2609a0076388d160
                  • Instruction ID: 4dd9e6a893a8338dd83c6363bfd9f88cf6c5403d0cef5802a803d3f78e5bf916
                  • Opcode Fuzzy Hash: 216f139e2b4fa9f71eba53d4cdf88b2a260ac2b13ab1634a2609a0076388d160
                  • Instruction Fuzzy Hash: D05156B5A00229AFCB20DFA5C989EDEBFB8FF48754B144459F809EB250DB35D940DB90
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F8A6F0
                  • GetObjectA.GDI32(?,00000018,?), ref: 00F8A70B
                  • GetSystemMetrics.USER32(00000032), ref: 00F8A72A
                  • GetSystemMetrics.USER32(00000031), ref: 00F8A734
                  • _memset.LIBCMT ref: 00F8A755
                  • GetMenuItemInfoA.USER32 ref: 00F8A77D
                  • GetMenuItemInfoA.USER32(?,?,00000000,?), ref: 00F8A7A4
                  • GetSystemMetrics.USER32(0000000F), ref: 00F8A809
                  • GetSystemMetrics.USER32(0000000F), ref: 00F8A812
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem$InfoItemMenu$H_prolog3Object_memset
                  • String ID: @
                  • API String ID: 3341327673-2766056989
                  • Opcode ID: b86b2ad2751762f999f90a984816bc1736713ac139916afe6bb0ae7499c4b3c1
                  • Instruction ID: 32d6b3bd1ab8f2e635b55310e895f6d5acde7216c563f74048d9136edcd2c459
                  • Opcode Fuzzy Hash: b86b2ad2751762f999f90a984816bc1736713ac139916afe6bb0ae7499c4b3c1
                  • Instruction Fuzzy Hash: 47414971900209AFDB00EFA4CC92FEEB7B4FF18314F148119E615AB281DB74AA45DBA0
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FA676D
                  • GetClientRect.USER32(?,?), ref: 00FA678F
                  • SetRectEmpty.USER32(?), ref: 00FA67DF
                  • MapWindowPoints.USER32(?,?,?), ref: 00FA6827
                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 00FA689F
                  • GetWindowRect.USER32(?,?), ref: 00FA68D2
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00FA68FC
                  • OffsetRect.USER32(?,?,00000000), ref: 00FA69A1
                  • InflateRect.USER32(?,00000000,00000000), ref: 00FA69D8
                  • IsRectEmpty.USER32(?), ref: 00FA6ABC
                    • Part of subcall function 00F911E7: GetWindowLongA.USER32(?,000000EC), ref: 00F911F2
                  • IsRectEmpty.USER32(?), ref: 00FA6BE8
                    • Part of subcall function 01010AD9: __EH_prolog3_GS.LIBCMT ref: 01010AE0
                    • Part of subcall function 01010AD9: UnionRect.USER32(?,?,?), ref: 01010B38
                    • Part of subcall function 01010AD9: EqualRect.USER32(?,?), ref: 01010B46
                    • Part of subcall function 01010AD9: CreateCompatibleDC.GDI32(?), ref: 01010B7D
                    • Part of subcall function 01010AD9: CreateCompatibleBitmap.GDI32(?,?,?), ref: 01010BAD
                    • Part of subcall function 01010AD9: SelectObject.GDI32(?,00000000), ref: 01010C0D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Window$Empty$CompatibleCreateH_prolog3_Points$BitmapClientEqualInflateLongObjectOffsetSelectUnion
                  • String ID:
                  • API String ID: 3848083076-0
                  • Opcode ID: 456318abe82a3cea927004b9ffd496a3513012a723ce3a80eb8d12325a95bf04
                  • Instruction ID: c091717dc96c7e9ddd0c1f9dfd67afd7da3069cfe9eb15713e958abc48e17c64
                  • Opcode Fuzzy Hash: 456318abe82a3cea927004b9ffd496a3513012a723ce3a80eb8d12325a95bf04
                  • Instruction Fuzzy Hash: 21F1BBB1D00219DFDF11DFA4C885AEEBBB6FF4A700F184169E802AF249DB759905DB90
                  APIs
                  • SetRectEmpty.USER32(?), ref: 01000146
                  • GetCursorPos.USER32(?), ref: 01000175
                  • GetParent.USER32(?), ref: 010001DD
                  • ReleaseCapture.USER32 ref: 01000321
                  • GetParent.USER32(?), ref: 01000332
                  • SendMessageA.USER32(?,00000363,00000000,00000000), ref: 01000348
                  • GetWindowRect.USER32(?,?), ref: 0100038D
                  • GetParent.USER32(?), ref: 0100046A
                  • InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 01000479
                  • GetParent.USER32(?), ref: 01000482
                  • UpdateWindow.USER32(?), ref: 0100048D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Parent$Rect$Window$CaptureCursorEmptyInvalidateMessageReleaseSendUpdate
                  • String ID:
                  • API String ID: 2800639987-0
                  • Opcode ID: e5514484c528e74b66557a2c24a284c04f6d98aa90345a487b260d5de59d33c6
                  • Instruction ID: 72f402dab8e4042fa2beaef88a31a7e0617fd808829b8a7a03447c5104add278
                  • Opcode Fuzzy Hash: e5514484c528e74b66557a2c24a284c04f6d98aa90345a487b260d5de59d33c6
                  • Instruction Fuzzy Hash: CDE18E70600205AFEB16DFA8C888FAEBBF5FF48740F1540A9F9869B295CF359840CB51
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FE8F29
                  • GetCursorPos.USER32(?), ref: 00FE8F4E
                  • ClientToScreen.USER32(?,?), ref: 00FE8F6D
                  • ScreenToClient.USER32(?,?), ref: 00FE9036
                  • SendMessageA.USER32(?,00000202,0000FFFF,?), ref: 00FE905D
                  • SendMessageA.USER32(?,00000202,00000000,?), ref: 00FE9097
                  • GetParent.USER32(?), ref: 00FE90A0
                  • GetWindowRect.USER32(?,?), ref: 00FE9191
                  • ClientToScreen.USER32(?,?), ref: 00FE91B0
                  • OffsetRect.USER32(?,?,?), ref: 00FE920A
                  • RedrawWindow.USER32(?,?,00000000,000005B1), ref: 00FE9266
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClientRectScreenWindow$MessageSend$CursorOffsetParentRedraw
                  • String ID:
                  • API String ID: 1197204355-0
                  • Opcode ID: 0b88010e021d487fd0dfcd22426c81a112cbefd354429d025401d3c3d9b965ca
                  • Instruction ID: db642554b23a1a415b13f36efa8e70c12ba580085f205e1d80847dbb8385b256
                  • Opcode Fuzzy Hash: 0b88010e021d487fd0dfcd22426c81a112cbefd354429d025401d3c3d9b965ca
                  • Instruction Fuzzy Hash: 4CD14470A002159FCF14DFA9C898AEEBBFAFF89300F1401A9F906DB255DB749905CB60
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FB3498
                  • GetParent.USER32(?), ref: 00FB34A5
                  • IsZoomed.USER32(?), ref: 00FB3509
                  • SetWindowRgn.USER32(?,00000000,00000001), ref: 00FB3568
                  • GetClientRect.USER32(?,?), ref: 00FB3590
                  • GetClientRect.USER32(?,?), ref: 00FB35A5
                    • Part of subcall function 00F88828: ClientToScreen.USER32(?,00FA73A3), ref: 00F88839
                    • Part of subcall function 00F88828: ClientToScreen.USER32(?,00FA73AB), ref: 00F88846
                  • GetWindowRect.USER32(?,?), ref: 00FB35C5
                    • Part of subcall function 00F913B6: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00F8D36C,?,00F8D36C,00000000,?,?,000000FF,000000FF,00000015), ref: 00F913DE
                  • SetWindowRgn.USER32(?,00000000,00000001), ref: 00FB3750
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$ClientRect$Screen$ParentZoomed
                  • String ID:
                  • API String ID: 2314217310-0
                  • Opcode ID: 8a80acc3a5a7c62ff2310aa6b9f8cff22764b4b3e42c0d985045b984e583b7f8
                  • Instruction ID: 0bed75cbc0f79438453403c5066902c9c39dc7e9b0bef321c3ca8226e6f97ae3
                  • Opcode Fuzzy Hash: 8a80acc3a5a7c62ff2310aa6b9f8cff22764b4b3e42c0d985045b984e583b7f8
                  • Instruction Fuzzy Hash: B8B15EB1D00219AFDF11DFA9C984AEEBBB9FF48710F140169F905AB245DB349A41DFA0
                  APIs
                  • GetCursorPos.USER32(?), ref: 00FA873F
                  • ScreenToClient.USER32(?,?), ref: 00FA874C
                  • PtInRect.USER32(?,?,?), ref: 00FA877A
                  • PtInRect.USER32(?,?,?), ref: 00FA879F
                  • KillTimer.USER32(?,00000002), ref: 00FA87CF
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FA87ED
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FA87FB
                  • _clock.LIBCMT ref: 00FA8810
                  • KillTimer.USER32(?,00000001), ref: 00FA8915
                  • ValidateRect.USER32(?,00000000), ref: 00FA8931
                  • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00FA896F
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow_clock
                  • String ID:
                  • API String ID: 3482734790-0
                  • Opcode ID: c7b4a77b42c1aa79864dbeaa8844d8d6f4970db30f26264e98212648a49893d2
                  • Instruction ID: 325db3b832708a0efb737cedd9f7526dd25ec84422d933ea2a8c7614886cfcfa
                  • Opcode Fuzzy Hash: c7b4a77b42c1aa79864dbeaa8844d8d6f4970db30f26264e98212648a49893d2
                  • Instruction Fuzzy Hash: E87192B1A00605DFCB30DF34C984AAABBF5FF8A784F10442DE09AD6154DFB5A942EB41
                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00F8679C
                  • FindResourceA.KERNEL32(?,?,00000005), ref: 00F867D2
                  • LoadResource.KERNEL32(?,00000000,?,?), ref: 00F867DA
                    • Part of subcall function 00F8D8AA: UnhookWindowsHookEx.USER32(?), ref: 00F8D8DA
                  • LockResource.KERNEL32(?,00000024,00FEBCF9,?,?,?), ref: 00F867EB
                  • GetDesktopWindow.USER32 ref: 00F8681E
                  • IsWindowEnabled.USER32(?), ref: 00F8682C
                  • EnableWindow.USER32(?,00000000), ref: 00F8683B
                    • Part of subcall function 00F9134B: IsWindowEnabled.USER32(?), ref: 00F91354
                    • Part of subcall function 00F91366: EnableWindow.USER32(?,?), ref: 00F91377
                  • EnableWindow.USER32(?,00000001), ref: 00F86920
                  • GetActiveWindow.USER32 ref: 00F8692B
                  • SetActiveWindow.USER32(?,?,00000024,00FEBCF9,?,?,?), ref: 00F86939
                  • FreeResource.KERNEL32(?,?,00000024,00FEBCF9,?,?,?), ref: 00F86955
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
                  • String ID:
                  • API String ID: 964565984-0
                  • Opcode ID: afd219e63e78a277ac42a8cc3555ed743a176c2d91e88d2b220a87e8676e99bf
                  • Instruction ID: 01a0911391ad386f7066f85415c765d5d8b19456c479729e7ef48af12931322f
                  • Opcode Fuzzy Hash: afd219e63e78a277ac42a8cc3555ed743a176c2d91e88d2b220a87e8676e99bf
                  • Instruction Fuzzy Hash: 6D51BF30E00605CBEF21BFA5C859AEEBBB1BF48711F10002DE156A22E5CB7A8D40EB51
                  APIs
                  • GetCapture.USER32 ref: 00FD40D5
                  • ReleaseCapture.USER32 ref: 00FD40DF
                  • GetClientRect.USER32(?,?), ref: 00FD40F8
                  • GetSystemMetrics.USER32(00000015), ref: 00FD411F
                  • GetSystemMetrics.USER32(00000015), ref: 00FD4143
                  • SendMessageA.USER32(?,00001204,00000000,00000001), ref: 00FD417C
                  • SendMessageA.USER32(?,00001204,00000001,00000001), ref: 00FD419E
                  • GetCapture.USER32 ref: 00FD41C3
                  • ReleaseCapture.USER32 ref: 00FD41CD
                  • GetClientRect.USER32(?,?), ref: 00FD41E6
                  • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00FD4234
                    • Part of subcall function 00FD33F9: __EH_prolog3_GS.LIBCMT ref: 00FD3400
                    • Part of subcall function 00FD33F9: IsRectEmpty.USER32(?), ref: 00FD341B
                    • Part of subcall function 00FD33F9: InvertRect.USER32(?,?), ref: 00FD3431
                    • Part of subcall function 00FD33F9: SetRectEmpty.USER32(?), ref: 00FD343F
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Capture$ClientEmptyMessageMetricsReleaseSendSystem$H_prolog3_InvertRedrawWindow
                  • String ID:
                  • API String ID: 174338775-0
                  • Opcode ID: 51a570797266209d1e58bbac6d6210a11638e6f8201c4a8a675aa190e242a1c3
                  • Instruction ID: 5c3b41fb73d349eab1d5ab42d754d959e1aef34e39f7292ac642b71bc680f48e
                  • Opcode Fuzzy Hash: 51a570797266209d1e58bbac6d6210a11638e6f8201c4a8a675aa190e242a1c3
                  • Instruction Fuzzy Hash: 63513B71A00609DFCB21DFA8CC949AEBBB6FF48314F15452EE59AA7240D730AA41CF90
                  APIs
                  • PtInRect.USER32(?,?,?), ref: 00FFA6D7
                  • GetParent.USER32(?), ref: 00FFA6ED
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • IsRectEmpty.USER32(?), ref: 00FFA732
                  • GetCursorPos.USER32(?), ref: 00FFA746
                  • ScreenToClient.USER32(?,?), ref: 00FFA74F
                  • PtInRect.USER32(?,?,?), ref: 00FFA75E
                  • SetCursor.USER32(00000000), ref: 00FFA76E
                  • IsRectEmpty.USER32(?), ref: 00FFA780
                  • GetCursorPos.USER32(?), ref: 00FFA794
                  • ScreenToClient.USER32(?,?), ref: 00FFA79D
                  • PtInRect.USER32(?,?,?), ref: 00FFA7AC
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Cursor$ClientEmptyScreen$Exception@8ParentThrow
                  • String ID:
                  • API String ID: 957070538-0
                  • Opcode ID: 4241694799de56a21de3a4810131e128c83c886c6cfcce44c360ab7370bd8e6f
                  • Instruction ID: ecd620eba4529b90b72fa2cee23d716c23bb3c06ea0421e7cf82f2c0eb7e3454
                  • Opcode Fuzzy Hash: 4241694799de56a21de3a4810131e128c83c886c6cfcce44c360ab7370bd8e6f
                  • Instruction Fuzzy Hash: 8D418477910209EFCB219BB5DC88EAAB7FCFF48315F144429E64AD2010E739E940EB61
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00F94711
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00F948E7
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00F94A4B
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00F94A63
                  • UpdateWindow.USER32(?), ref: 00F94A7B
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00F94B02
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00F94B1A
                  • UpdateWindow.USER32(?), ref: 00F94B32
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$InvalidateRectUpdateWindow$H_prolog3_
                  • String ID: :/\
                  • API String ID: 2009545923-2793184486
                  • Opcode ID: 5122558095f3550f0071fa90729f2d8b63825652fae33bc8449341e91e3ad31e
                  • Instruction ID: 064951df3ed3a80d242b33480d88c930d62d17904bfef49efb631cd40975517b
                  • Opcode Fuzzy Hash: 5122558095f3550f0071fa90729f2d8b63825652fae33bc8449341e91e3ad31e
                  • Instruction Fuzzy Hash: 7AD18B31A006149FDB25EB64CC59FEEB7B5BF54300F100289F15AAB2A1DB34AE80EF50
                  APIs
                    • Part of subcall function 00FDF540: GdipGetImagePixelFormat.GDIPLUS(?,010F3B94,00000000,00000000,?,00FE24CE,00000000,00000000,010F3B94), ref: 00FDF550
                  • _free.LIBCMT ref: 00FE25D7
                  • _free.LIBCMT ref: 00FE2623
                  • GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,010F3B94), ref: 00FE26EC
                  • _free.LIBCMT ref: 00FE271C
                    • Part of subcall function 00FDF562: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,00FE2588,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00FDF576
                  • GdipBitmapUnlockBits.GDIPLUS(00000005,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,010F3B94), ref: 00FE2798
                  • _free.LIBCMT ref: 00FE2813
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
                  • String ID: &
                  • API String ID: 4092590016-3042966939
                  • Opcode ID: d3320d6acc5ea5a3cc12ec18efdee8dad61be5faff3d0c825b2e5f14634b9620
                  • Instruction ID: af882e4ed0fa002149afb4c07ad6b33337d13c5e853fd91b7c6217bde9a5f880
                  • Opcode Fuzzy Hash: d3320d6acc5ea5a3cc12ec18efdee8dad61be5faff3d0c825b2e5f14634b9620
                  • Instruction Fuzzy Hash: 2DA17BB1D002289BCB71DF15CD80BE9B7B9AF44310F1481EAEA49A7251DB349EC5DF58
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 01044BD4
                  • _strlen.LIBCMT ref: 01044C00
                  • _memset.LIBCMT ref: 01044C11
                  • GetKeyboardLayout.USER32(00000000), ref: 01044C1A
                  • MapVirtualKeyExA.USER32(?,00000000,00000000), ref: 01044C23
                  • GetKeyNameTextA.USER32(00000000,?,00000032), ref: 01044C4A
                  • _strlen.LIBCMT ref: 01044C54
                  • IsCharLowerA.USER32(?,?,00000000), ref: 01044C8A
                  Similarity
                  • API ID: _strlen$CharH_prolog3_KeyboardLayoutLowerNameTextVirtual_memset
                  • String ID: Pause
                  • API String ID: 1867771141-375111145
                  • Opcode ID: 7d3a59c1638cbd11a20a87294f9c6038889fce6cb4e6bad250db5f38cec21af8
                  • Instruction ID: cf0bdabb8ace870613869123bab7f37fa5db3097b9c5c0d2ccca8ba972fc2c13
                  • Opcode Fuzzy Hash: 7d3a59c1638cbd11a20a87294f9c6038889fce6cb4e6bad250db5f38cec21af8
                  • Instruction Fuzzy Hash: 1B41D671A00208ABEB25FBA8CCD4FEEBBE8AF51700F184419F5C1E7191DBA5A941D764
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FF2F14
                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00FF2F4D
                  • GetMonitorInfoA.USER32(00000000), ref: 00FF2F54
                  • CopyRect.USER32(?,?), ref: 00FF2F6C
                  • CopyRect.USER32(?,?), ref: 00FF2F76
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00FF2FAD
                  • GetSystemMetrics.USER32(00000022), ref: 00FF302B
                  • GetSystemMetrics.USER32(00000023), ref: 00FF3032
                  Similarity
                  • API ID: RectSystem$CopyInfoMetricsMonitor$Exception@8FromParametersPointThrowWindow
                  • String ID: (
                  • API String ID: 3121098504-3887548279
                  • Opcode ID: 444a40ef9f278d51a7ab6afaf7e651401d20fa1e3f581b2969e5230bd810c97c
                  • Instruction ID: 205622e0e89ee53a055a079888ecb0f64dd73fd0d1445f66ae5133a872ed8756
                  • Opcode Fuzzy Hash: 444a40ef9f278d51a7ab6afaf7e651401d20fa1e3f581b2969e5230bd810c97c
                  • Instruction Fuzzy Hash: 265106B1E002099FDB14DFA9C995AEEBBF9FF88314F14412AE545E7254DB34AA00CF60
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD50B8
                    • Part of subcall function 00F9897D: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00F989A0
                    • Part of subcall function 00FCF57A: __EH_prolog3.LIBCMT ref: 00FCF581
                    • Part of subcall function 00F9890C: __EH_prolog3.LIBCMT ref: 00F98913
                    • Part of subcall function 00FD33A4: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00FD33CE
                  Strings
                  • Value, xrefs: 00FD5172
                  • MFCPropertyGrid_HeaderCtrl, xrefs: 00FD515D
                  • MFCPropertyGrid_DescriptionRows, xrefs: 00FD5128
                  • MFCPropertyGrid_VSDotNetLook, xrefs: 00FD51D2
                  • MFCPropertyGrid_DescriptionArea, xrefs: 00FD50F1
                  • Property, xrefs: 00FD5177
                  • MFCPropertyGrid_ModifiedProperties, xrefs: 00FD51AE
                  • MFCPropertyGrid_AlphabeticMode, xrefs: 00FD518E
                  Similarity
                  • API ID: H_prolog3$ByteCharMultiRedrawWideWindow
                  • String ID: MFCPropertyGrid_AlphabeticMode$MFCPropertyGrid_DescriptionArea$MFCPropertyGrid_DescriptionRows$MFCPropertyGrid_HeaderCtrl$MFCPropertyGrid_ModifiedProperties$MFCPropertyGrid_VSDotNetLook$Property$Value
                  • API String ID: 370596894-2695045869
                  • Opcode ID: 90ed28b03020f69554bcd5fddfcdb456ab42de20458825829c913274b818cfea
                  • Instruction ID: 2b5b23f0b08fe3ad3efd61cdf2755ee928018a35ee5e637e3dd88c26e883b2cb
                  • Opcode Fuzzy Hash: 90ed28b03020f69554bcd5fddfcdb456ab42de20458825829c913274b818cfea
                  • Instruction Fuzzy Hash: EF412E71910209AADF05FBE0CD42FFEB77AAF04750F58012AB551A6291DF389905EB21
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FFAD11
                  • GetSystemMetrics.USER32(00000003), ref: 00FFAD28
                  • GetObjectA.GDI32(0000003C,?), ref: 00FFAD51
                  • _memset.LIBCMT ref: 00FFAD5E
                  • lstrcpyA.KERNEL32 ref: 00FFAD82
                    • Part of subcall function 00F88A4C: __EH_prolog3.LIBCMT ref: 00F88A53
                    • Part of subcall function 00F88A4C: GetDC.USER32(00000000), ref: 00F88A7F
                  • CreateFontIndirectA.GDI32(?), ref: 00FFADAE
                    • Part of subcall function 00F88D99: SelectObject.GDI32(?,00000000), ref: 00F88DBF
                    • Part of subcall function 00F88D99: SelectObject.GDI32(?,?), ref: 00F88DD5
                  • GetTextMetricsA.GDI32(?,?), ref: 00FFADE8
                  • CreateFontIndirectA.GDI32(?), ref: 00FFAE45
                  Similarity
                  • API ID: Object$CreateFontIndirectMetricsSelect$H_prolog3H_prolog3_SystemText_memsetlstrcpy
                  • String ID: Arial
                  • API String ID: 1699662471-493054409
                  • Opcode ID: 878251243482f83d7dd53e9a1275fe12759c5257855dde2663825521e5a61a09
                  • Instruction ID: 71fff693844aa8635867f747c4ad7eeaf6578e85017675318b788718b72246a8
                  • Opcode Fuzzy Hash: 878251243482f83d7dd53e9a1275fe12759c5257855dde2663825521e5a61a09
                  • Instruction Fuzzy Hash: 254192B1D01209DBDB24EBB5CC55BEDB7B8BF04300F448569E15AE3191DB34A945DF21
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FB0C03
                    • Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
                  • swprintf.LIBCMT ref: 00FB0C4D
                  • _strlen.LIBCMT ref: 00FB0C56
                    • Part of subcall function 00F834E7: _strnlen.LIBCMT ref: 00F83519
                    • Part of subcall function 00F834E7: _memcpy_s.LIBCMT ref: 00F8354D
                  • _strlen.LIBCMT ref: 00FB0C71
                  • _strlen.LIBCMT ref: 00FB0CA8
                  • swprintf.LIBCMT ref: 00FB0CD4
                  • _strlen.LIBCMT ref: 00FB0CDD
                    • Part of subcall function 00F837A7: _strlen.LIBCMT ref: 00F837B9
                  Similarity
                  • API ID: _strlen$swprintf$H_prolog3_LongWindow_memcpy_s_strnlen
                  • String ID: - $:%d
                  • API String ID: 3048052868-2359489159
                  • Opcode ID: f0157eb6bfea6fa169e0369872a962d3350728f9225cd849401979bf15a83ff4
                  • Instruction ID: 9fb05b7ea3840a7b1dcc17dc2a8e7c7c751c38ef3d6cf99cac21f17007fa96fd
                  • Opcode Fuzzy Hash: f0157eb6bfea6fa169e0369872a962d3350728f9225cd849401979bf15a83ff4
                  • Instruction Fuzzy Hash: 643186B2D00105BBEB15FBE0DD86EEEB76DBF10710F140525B542A7152EF25AE04EBA4
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD8A79
                    • Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD8AC2
                  • MessageBeep.USER32(000000FF), ref: 00FD8B39
                    • Part of subcall function 0107A977: __mbctoupper_l.LIBCMT ref: 0107A981
                  • SendMessageA.USER32(?,000000C2,00000001,00000000), ref: 00FD8BB3
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD8BE9
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD8C54
                  • MessageBeep.USER32(000000FF), ref: 00FD8CE1
                  • SendMessageA.USER32(?,000000C2,00000001,?), ref: 00FD8DED
                    • Part of subcall function 00FD5831: __EH_prolog3.LIBCMT ref: 00FD5838
                    • Part of subcall function 00FD5831: _memset.LIBCMT ref: 00FD5869
                    • Part of subcall function 00F834E7: _strnlen.LIBCMT ref: 00F83519
                    • Part of subcall function 00F834E7: _memcpy_s.LIBCMT ref: 00F8354D
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD8E61
                  • MessageBeep.USER32(000000FF), ref: 00FD8E77
                  Similarity
                  • API ID: Message$Send$Beep$H_prolog3$LongWindow__mbctoupper_l_memcpy_s_memset_strnlen
                  • String ID:
                  • API String ID: 3613179997-0
                  • Opcode ID: c3625944e3e06c32b764b64df0203937e00f9264daa6ffc4253ed8a903d09a1b
                  • Instruction ID: e12ea27c51af92ca1574650eb3595a480674129656e89fba12e96b14b93a650e
                  • Opcode Fuzzy Hash: c3625944e3e06c32b764b64df0203937e00f9264daa6ffc4253ed8a903d09a1b
                  • Instruction Fuzzy Hash: 16D18271A00509AFDF15DBA4CC91EFEB7B6EF44350F18021AE411A7391DB35AD42EB60
                  APIs
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • __EH_prolog3_GS.LIBCMT ref: 01003199
                    • Part of subcall function 0105B0CB: GetDlgItem.USER32(?,00003020), ref: 0105B0F3
                    • Part of subcall function 0105B0CB: GetDlgItem.USER32(?,00003020), ref: 0105B126
                    • Part of subcall function 0105B0CB: GetWindowRect.USER32(00000000,?), ref: 0105B140
                    • Part of subcall function 0105B0CB: MapDialogRect.USER32(?,?), ref: 0105B164
                    • Part of subcall function 0105B0CB: SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000020,00000016), ref: 0105B191
                    • Part of subcall function 0105B0CB: GetDlgItem.USER32(?,?), ref: 0105B1A6
                    • Part of subcall function 0105B0CB: GetWindowRect.USER32(00000000,?), ref: 0105B1B8
                    • Part of subcall function 0105B0CB: SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015), ref: 0105B1D7
                    • Part of subcall function 0105B0CB: GetWindowRect.USER32(?,?), ref: 0105B1EE
                  • GetClientRect.USER32(?,?), ref: 010031BD
                    • Part of subcall function 00F91143: GetDlgItem.USER32(?,?), ref: 00F91154
                    • Part of subcall function 00F91324: ShowWindow.USER32(00000000,?,?,00F84876,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 00F91335
                    • Part of subcall function 00F91366: EnableWindow.USER32(?,?), ref: 00F91377
                  • GetClientRect.USER32(?,?), ref: 010031FB
                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 0100320E
                  • GetWindowRect.USER32(?,?), ref: 01003227
                    • Part of subcall function 00F913B6: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00F8D36C,?,00F8D36C,00000000,?,?,000000FF,000000FF,00000015), ref: 00F913DE
                  • GetWindowRect.USER32(?,?), ref: 010032E8
                  • GetSystemMetrics.USER32(00000000), ref: 010032F5
                  • GetSystemMetrics.USER32(0000003E), ref: 010032FC
                  • GetSystemMetrics.USER32(00000001), ref: 01003303
                  • GetSystemMetrics.USER32(0000003E), ref: 0100330A
                  Similarity
                  • API ID: Window$Rect$ItemMetricsSystem$Client$DialogEnableException@8H_prolog3_PointsShowThrow
                  • String ID:
                  • API String ID: 1662298456-0
                  • Opcode ID: 6d8f894ffa1c073623de1548a98bd3194c5c87d1e4b4df6ce6ebc3c0ad3096dc
                  • Instruction ID: c6895204b0a10343f30c4f48ce186b78efedeb8bdf7ade9822398e66ef69d67b
                  • Opcode Fuzzy Hash: 6d8f894ffa1c073623de1548a98bd3194c5c87d1e4b4df6ce6ebc3c0ad3096dc
                  • Instruction Fuzzy Hash: D4918571A01219AFEF16EFA8CC85EEE7BB9FF48700F144129F541AB281CB759941CB90
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FD5227
                    • Part of subcall function 00F88A4C: __EH_prolog3.LIBCMT ref: 00F88A53
                    • Part of subcall function 00F88A4C: GetDC.USER32(00000000), ref: 00F88A7F
                    • Part of subcall function 00FD316B: GetStockObject.GDI32(00000011), ref: 00FD317C
                    • Part of subcall function 00FD316B: SelectObject.GDI32(?,?), ref: 00FD318E
                  • GetTextMetricsA.GDI32(?,?), ref: 00FD5262
                  • GetClientRect.USER32(?,?), ref: 00FD528D
                  • GetStockObject.GDI32(00000011), ref: 00FD52BA
                  • SendMessageA.USER32(?,00000030,?,00000000), ref: 00FD52D9
                  • SendMessageA.USER32(?,00001204,00000000,00000001), ref: 00FD5336
                  • SendMessageA.USER32(?,00001204,00000001,00000001), ref: 00FD535E
                  • SelectObject.GDI32(?,?), ref: 00FD537C
                  • GetSystemMetrics.USER32(00000015), ref: 00FD53E7
                  • RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,00000000,00000000,00000000,00000000,00000014,?,00000094), ref: 00FD5465
                  Similarity
                  • API ID: Object$MessageSend$MetricsSelectStock$ClientH_prolog3H_prolog3_RectRedrawSystemTextWindow
                  • String ID:
                  • API String ID: 591413167-0
                  • Opcode ID: df77a4f40493e00cb2c496fd79d75a69156a547a1ea6eddf7db2463012d0b772
                  • Instruction ID: 5312c5b5bc1eca4716a63abe4fd752757d090e8daefb49360daa6c1ecf344930
                  • Opcode Fuzzy Hash: df77a4f40493e00cb2c496fd79d75a69156a547a1ea6eddf7db2463012d0b772
                  • Instruction Fuzzy Hash: 53719B71A006099FDF15DFA8C888AEE7BB6FF48700F1801BAE9099F256DB755841DF20
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FDA5C0
                  • CopyRect.USER32(?,?), ref: 00FDA5FF
                  • DrawFocusRect.USER32(?,?), ref: 00FDA612
                  • CreateSolidBrush.GDI32 ref: 00FDA63D
                  • GetBkColor.GDI32(?), ref: 00FDA65E
                  • CreateSolidBrush.GDI32(00000000), ref: 00FDA665
                  • FillRect.USER32(?,?,00000000), ref: 00FDA687
                  • GetObjectA.GDI32(0000003C,?), ref: 00FDA708
                  • lstrcpyA.KERNEL32(?,00000001), ref: 00FDA715
                  • CreateFontIndirectA.GDI32(00000004), ref: 00FDA739
                  Similarity
                  • API ID: CreateRect$BrushSolid$ColorCopyDrawFillFocusFontH_prolog3_IndirectObjectlstrcpy
                  • String ID:
                  • API String ID: 3396929888-0
                  • Opcode ID: 9c9a738c4d38340076fb708c232f95366cf161e8b05a3ce4b1f9ce2a1228aa11
                  • Instruction ID: 8b389a6f29483ebb797f05ea1246e44f60d872d11992dbb72cef613a6ff0c8fc
                  • Opcode Fuzzy Hash: 9c9a738c4d38340076fb708c232f95366cf161e8b05a3ce4b1f9ce2a1228aa11
                  • Instruction Fuzzy Hash: A071CD71900208EFDF25EFA4C819BEDBBB6BF04314F18821DE552A7291CB79AA05DF51
                  APIs
                  • IsWindowVisible.USER32(00000000), ref: 00FF307B
                  • IsWindowVisible.USER32(00000000), ref: 00FF308A
                  • GetSystemMetrics.USER32(00000021), ref: 00FF30BC
                  • GetSystemMetrics.USER32(00000021), ref: 00FF30C3
                  • GetSystemMetrics.USER32(00000020), ref: 00FF30C9
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • IsWindowVisible.USER32(00000000), ref: 00FF30F1
                  • IsWindowVisible.USER32(00000000), ref: 00FF3100
                  • IsZoomed.USER32(00000000), ref: 00FF3126
                  • GetSystemMetrics.USER32 ref: 00FF3142
                  • GetSystemMetrics.USER32(00000004), ref: 00FF3185
                  Similarity
                  • API ID: MetricsSystem$VisibleWindow$Exception@8ThrowZoomed
                  • String ID:
                  • API String ID: 1497512716-0
                  • Opcode ID: 07b1f61b7147ff5be016af6677dd8e119a0c8ac680c3def6991407aad5b771b9
                  • Instruction ID: 40449d3c1ccbf38d7b2af0a00df8b54d041f5ef8948ab26b4621aa780a390d36
                  • Opcode Fuzzy Hash: 07b1f61b7147ff5be016af6677dd8e119a0c8ac680c3def6991407aad5b771b9
                  • Instruction Fuzzy Hash: 8241CF31A007099FEB209F75C948BB677E1FF04368F044069E6998B2B2EB75ED40EB51
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FB4102
                    • Part of subcall function 00FB20D0: GetObjectA.GDI32(?,00000054,?), ref: 00FB20EF
                    • Part of subcall function 00F88A4C: __EH_prolog3.LIBCMT ref: 00F88A53
                    • Part of subcall function 00F88A4C: GetDC.USER32(00000000), ref: 00F88A7F
                  • CreateCompatibleDC.GDI32(?), ref: 00FB4152
                  • SelectObject.GDI32(?,?), ref: 00FB416D
                  • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000074), ref: 00FB419C
                  • GdipDisposeImage.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000074), ref: 00FB41AF
                  • GdipCreateFromHDC.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 00FB41BE
                  • GdipSetInterpolationMode.GDIPLUS(?,00000007,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FB41CF
                  • GdipDeleteGraphics.GDIPLUS(?,?,00000007,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FB4209
                  • GdipDisposeImage.GDIPLUS(?,?,?,00000007,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FB4211
                  • SelectObject.GDI32(?,?), ref: 00FB4221
                  Similarity
                  • API ID: Gdip$CreateObject$DisposeFromH_prolog3ImageSelect$BitmapCompatibleDeleteGraphicsInterpolationMode
                  • String ID:
                  • API String ID: 3579439469-0
                  • Opcode ID: 48125e3cc015ab88db390df12a2c0cbc2f36cf9d109845fac9e5915970b7f8ef
                  • Instruction ID: 928c896572d2b9ff4fc0a36af5be029de392e6547fd3abe6ff84b0a3fb76b217
                  • Opcode Fuzzy Hash: 48125e3cc015ab88db390df12a2c0cbc2f36cf9d109845fac9e5915970b7f8ef
                  • Instruction Fuzzy Hash: 94414975C00219EFCF15EFA8CD909EEBBB4BF18310F14442AE945A7252CB35AA44EF50
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FD3400
                    • Part of subcall function 00F88A4C: __EH_prolog3.LIBCMT ref: 00F88A53
                    • Part of subcall function 00F88A4C: GetDC.USER32(00000000), ref: 00F88A7F
                  • IsRectEmpty.USER32(?), ref: 00FD341B
                  • InvertRect.USER32(?,?), ref: 00FD3431
                  • SetRectEmpty.USER32(?), ref: 00FD343F
                  • GetClientRect.USER32(?,?), ref: 00FD3486
                  • GetSystemMetrics.USER32(00000015), ref: 00FD34AD
                  • GetSystemMetrics.USER32(00000015), ref: 00FD34D1
                  • SendMessageA.USER32(?,00001204,00000000,00000001), ref: 00FD350A
                  • SendMessageA.USER32(?,00001204,00000001,00000001), ref: 00FD352C
                  • InvertRect.USER32(?,?), ref: 00FD3534
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$EmptyInvertMessageMetricsSendSystem$ClientH_prolog3H_prolog3_
                  • String ID:
                  • API String ID: 3401445556-0
                  • Opcode ID: 11d99df26f783604ec1017fcdf6b25e1fd6007f93da79cadfd4ab8b82d85dd13
                  • Instruction ID: aae1dd334364d5b5a106cc8dd35b0d526251b5760711d57826ec72a415634a0d
                  • Opcode Fuzzy Hash: 11d99df26f783604ec1017fcdf6b25e1fd6007f93da79cadfd4ab8b82d85dd13
                  • Instruction Fuzzy Hash: 02415632900218DFDF05DFA4D888AEE7BB5FF08305F09006EE949AB254CB356A40DBA1
                  APIs
                  • IsWindow.USER32(?), ref: 00FEEFC8
                  • IsWindow.USER32(?), ref: 00FEEFD8
                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00FEF054
                  • GetMonitorInfoA.USER32(00000000), ref: 00FEF05B
                  • CopyRect.USER32(?,?), ref: 00FEF06D
                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00FEF07D
                  • GetWindowRect.USER32(?,?), ref: 00FEF0CF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$InfoMonitorRect$CopyFromParametersPointSystem
                  • String ID: (
                  • API String ID: 731732153-3887548279
                  • Opcode ID: 077b68d2f4b8921ce4ca0b78527ffbacb6664bb1e4836f1e688387c6f556caa9
                  • Instruction ID: 571843830ecea24508da9efdc41b6ea8017d73e6eee35d4b78e11b4c81958f08
                  • Opcode Fuzzy Hash: 077b68d2f4b8921ce4ca0b78527ffbacb6664bb1e4836f1e688387c6f556caa9
                  • Instruction Fuzzy Hash: C9515B71A0024A9FDB24DFA5C984DEEBBF9FF88310F20452AE557D7215DB35A904DB20
                  APIs
                  • GetStockObject.GDI32(00000011), ref: 00F98364
                  • GetStockObject.GDI32(0000000D), ref: 00F9836C
                  • GetObjectA.GDI32(00000000,0000003C,?), ref: 00F98379
                  • GetDC.USER32(00000000), ref: 00F98388
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F9839C
                  • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00F983A8
                  • ReleaseDC.USER32(00000000,00000000), ref: 00F983B4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$Stock$CapsDeviceRelease
                  • String ID: System
                  • API String ID: 46613423-3470857405
                  • Opcode ID: 79de531aa23ba7651cdc2d9c3b62475de17e57272db20fc2223fb52695f3d8ea
                  • Instruction ID: 32781b83461020be7b241e4cb93a5806578dc2303b1ac81b9f7ca0c11943a07b
                  • Opcode Fuzzy Hash: 79de531aa23ba7651cdc2d9c3b62475de17e57272db20fc2223fb52695f3d8ea
                  • Instruction Fuzzy Hash: F211BC71A01218EBEF209BA1DC59FAE7BB8FB45B85F000019FA42A6180DF759D02DB60
                  APIs
                  • __EH_prolog3.LIBCMT ref: 0105A5DD
                    • Part of subcall function 00F96CFD: EnterCriticalSection.KERNEL32(010F2290,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D37
                    • Part of subcall function 00F96CFD: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D49
                    • Part of subcall function 00F96CFD: LeaveCriticalSection.KERNEL32(010F2290,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D56
                    • Part of subcall function 00F96CFD: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D66
                  • GetProfileIntA.KERNEL32(windows,DragScrollInset,0000000B), ref: 0105A62D
                  • GetProfileIntA.KERNEL32(windows,DragScrollDelay,00000032), ref: 0105A63C
                  • GetProfileIntA.KERNEL32(windows,DragScrollInterval,00000032), ref: 0105A64B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
                  • String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
                  • API String ID: 4229786687-1024936294
                  • Opcode ID: cb566d69ab4be9de5ec593167e0a1ffdcb37193fbefc3c5518300d51c9c684a1
                  • Instruction ID: 7001803036c8ab9adb39b69df6ac2a40652ef67ac794aa79122340c4d37e9ca0
                  • Opcode Fuzzy Hash: cb566d69ab4be9de5ec593167e0a1ffdcb37193fbefc3c5518300d51c9c684a1
                  • Instruction Fuzzy Hash: 870184B0A407019AD771AFA6CC8664AFAE4FB95B00F40055EF2C89B681C7B94504CB04
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD8E9B
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD8EB3
                  • MessageBeep.USER32(000000FF), ref: 00FD8F56
                  • MessageBeep.USER32(000000FF), ref: 00FD92A2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Beep$H_prolog3Send
                  • String ID:
                  • API String ID: 491126482-0
                  • Opcode ID: 226d30142197ec10225c7ad15d60997eda2bc37d3dacf84f6ed0bb6f6facd03e
                  • Instruction ID: 48c43013db18b4903e2de651a9a298074221d8586a0d5489c5c325ab65c0f841
                  • Opcode Fuzzy Hash: 226d30142197ec10225c7ad15d60997eda2bc37d3dacf84f6ed0bb6f6facd03e
                  • Instruction Fuzzy Hash: ADD1AE3190450AAFDF11DBE4CC95FEEBBB7AF48310F28414AE152B7291CB356941EBA0
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD92C6
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD92E4
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD92F2
                  • MessageBeep.USER32(000000FF), ref: 00FD935E
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD9500
                  • MessageBeep.USER32(000000FF), ref: 00FD9593
                  • SendMessageA.USER32(?,000000C2,00000001,?), ref: 00FD9646
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD96A8
                  • MessageBeep.USER32(000000FF), ref: 00FD96BE
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$Send$Beep$H_prolog3
                  • String ID:
                  • API String ID: 204075910-0
                  • Opcode ID: cda2b9f916ea689c6ef13cd5e1098496f3035718fb3c07111c98921599d424de
                  • Instruction ID: 787c91f07325c296c8cd7ea4c95a05faccf91699cdc0c3eb8571966bf2a42aca
                  • Opcode Fuzzy Hash: cda2b9f916ea689c6ef13cd5e1098496f3035718fb3c07111c98921599d424de
                  • Instruction Fuzzy Hash: 8DD1D231D08509AFCF12DBE4C890FEEBBBABF48314F18411AE552B7291D775A941EB60
                  APIs
                  • GetKeyState.USER32(00000011), ref: 00FC813A
                  • GetWindowRect.USER32(?,?), ref: 00FC81A2
                  • GetCursorPos.USER32(?), ref: 00FC81EC
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CursorRectStateWindow
                  • String ID:
                  • API String ID: 3412758350-0
                  • Opcode ID: 46c4b6c2dae2efcd881ca19ecc5bdd1c382cf63c2f41bd20db76ccbae148bc35
                  • Instruction ID: 01554d9c6f465cbc4d99d42f626627739e25dd6813ec861101940c416b0f7075
                  • Opcode Fuzzy Hash: 46c4b6c2dae2efcd881ca19ecc5bdd1c382cf63c2f41bd20db76ccbae148bc35
                  • Instruction Fuzzy Hash: B8B10471E0020AEFCF24DFA5D985AEDBBF6BF48364F24542EE546A7240DB305841DB54
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FB425A
                  • GetWindowRect.USER32(?,?), ref: 00FB42A9
                  • OffsetRect.USER32(?,?,?), ref: 00FB42BF
                    • Part of subcall function 00F88A4C: __EH_prolog3.LIBCMT ref: 00F88A53
                    • Part of subcall function 00F88A4C: GetDC.USER32(00000000), ref: 00F88A7F
                  • CreateCompatibleDC.GDI32(?), ref: 00FB4330
                  • SelectObject.GDI32(?,?), ref: 00FB4350
                  • SelectObject.GDI32(?,?), ref: 00FB4392
                  • CreateCompatibleDC.GDI32(?), ref: 00FB44AB
                  • SelectObject.GDI32(?,?), ref: 00FB44CB
                  • SelectObject.GDI32(?,00000000), ref: 00FB44FB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ObjectSelect$CompatibleCreateRect$H_prolog3H_prolog3_OffsetWindow
                  • String ID:
                  • API String ID: 2818906880-0
                  • Opcode ID: f8f74f8a94160f8cfb6db9b3541bd814c602da6bfab9a09248a870359d715fa8
                  • Instruction ID: ec3d74d52af49886ea99c76f4e4a7748af3a8e51e297f7abd030dbfc88994853
                  • Opcode Fuzzy Hash: f8f74f8a94160f8cfb6db9b3541bd814c602da6bfab9a09248a870359d715fa8
                  • Instruction Fuzzy Hash: 9DA11371D0021AEFCF25EFA5C984AEDBBB5FF08300F14415AE919B7251DA346A45EF60
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 01010AE0
                  • UnionRect.USER32(?,?,?), ref: 01010B38
                  • EqualRect.USER32(?,?), ref: 01010B46
                  • CreateCompatibleDC.GDI32(?), ref: 01010B7D
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 01010BAD
                  • SelectObject.GDI32(?,00000000), ref: 01010C0D
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 01010C37
                  • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 01010D45
                  • DeleteObject.GDI32(?), ref: 01010D65
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CompatibleCreateObjectRect$BitmapDeleteEqualH_prolog3_SelectUnion
                  • String ID:
                  • API String ID: 1408062871-0
                  • Opcode ID: 7339e87870734221fc4624b46404e68dc447e5779ac9185d35d1beddce9fb12e
                  • Instruction ID: 5b974c294bf781c23a224a5ececf1ed1728643cf578ee1084b68a91e2b4976a7
                  • Opcode Fuzzy Hash: 7339e87870734221fc4624b46404e68dc447e5779ac9185d35d1beddce9fb12e
                  • Instruction Fuzzy Hash: 8DA1F275A00209EFCF14EFA8D9948EDBBB5FF08304B14802AF585AB259DB35A985CF50
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00F8726E
                  • OleDuplicateData.OLE32(?,?,00000000), ref: 00F872EF
                  • GlobalLock.KERNEL32(00000000), ref: 00F8731E
                  • CopyMetaFileA.GDI32(?,00000000), ref: 00F8732A
                  • GlobalUnlock.KERNEL32(?), ref: 00F8733A
                  • GlobalFree.KERNEL32(?), ref: 00F87343
                  • GlobalUnlock.KERNEL32(?), ref: 00F8734F
                    • Part of subcall function 00F87223: __EH_prolog3.LIBCMT ref: 00F8722A
                  • lstrlenW.KERNEL32(?,0000005C,0105535C,?,?,?), ref: 00F873AF
                  • CopyFileA.KERNEL32(?,?,00000000), ref: 00F874A7
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3H_prolog3_LockMetalstrlen
                  • String ID:
                  • API String ID: 3994854817-0
                  • Opcode ID: 62ace2cf6ed0ea3b6349c87bc1052c5b503561116d0ee0bab7094938c23f14c5
                  • Instruction ID: e2426c6824bc3d6455dbce6151a02e971f70437225fba664237c57722d831080
                  • Opcode Fuzzy Hash: 62ace2cf6ed0ea3b6349c87bc1052c5b503561116d0ee0bab7094938c23f14c5
                  • Instruction Fuzzy Hash: D68170B2908605EFDB24BFA4CD88AAABBB9FF44314720851DF456D7650D731EC11EB60
                  APIs
                  • PtInRect.USER32(?,?,00000000), ref: 0100135D
                  • RedrawWindow.USER32(?,?,00000000,00000105,?,?,?,?,00000000), ref: 01001389
                  • ClientToScreen.USER32(?,?), ref: 010013BE
                  • WindowFromPoint.USER32(?,?,?,?,?,?,00000000), ref: 010013CA
                  • ReleaseCapture.USER32 ref: 010013E2
                  • SetCapture.USER32(?,?,?,?,?,00000000), ref: 01001454
                  • ReleaseCapture.USER32 ref: 01001486
                  • ClientToScreen.USER32(?,?), ref: 01001574
                  • SetCursorPos.USER32(?,?,?,?,?,?,00000000), ref: 01001580
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Capture$ClientReleaseScreenWindow$CursorFromPointRectRedraw
                  • String ID:
                  • API String ID: 2024412728-0
                  • Opcode ID: ff5603fb82cb1c9bf912af025d3112b54c135aff8f74127b3d0b98544a19bf8a
                  • Instruction ID: 968828c834efe5e77b0f5860c074dd0128635791d252e138579f246113538fcf
                  • Opcode Fuzzy Hash: ff5603fb82cb1c9bf912af025d3112b54c135aff8f74127b3d0b98544a19bf8a
                  • Instruction Fuzzy Hash: FD813F70600606DFDB22DF68C884AEEBBF5FF48301F15456EE9AA872A0DB31A541CF51
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FFE826
                  • CreatePopupMenu.USER32 ref: 00FFE84C
                  • IsWindow.USER32(?), ref: 00FFEA26
                    • Part of subcall function 00F957CD: _strlen.LIBCMT ref: 00F957E6
                    • Part of subcall function 00F957CD: _strlen.LIBCMT ref: 00F95808
                    • Part of subcall function 00F957CD: _strlen.LIBCMT ref: 00F95848
                    • Part of subcall function 00F957CD: _strlen.LIBCMT ref: 00F95909
                  • GetMenuItemCount.USER32(?), ref: 00FFE8F5
                  • GetMenuItemCount.USER32(?), ref: 00FFE949
                  • AppendMenuA.USER32(?,00000000,0000009C,?), ref: 00FFE95D
                  • SendMessageA.USER32(CC0004C2,0000007F,00000000,00000000), ref: 00FFE978
                  • GetClassLongA.USER32(CC0004C2,000000DE), ref: 00FFE9BA
                    • Part of subcall function 00F8A68E: GetMenuStringA.USER32(?,?,00000000,00000000,?), ref: 00F8A6AB
                    • Part of subcall function 00F8A68E: GetMenuStringA.USER32(?,?,00000000,00000001,?), ref: 00F8A6CC
                  • InsertMenuA.USER32(?,00000000,00000400,0000009C,?), ref: 00FFE99D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$_strlen$CountItemString$AppendClassCreateH_prolog3InsertLongMessagePopupSendWindow
                  • String ID:
                  • API String ID: 829882271-0
                  • Opcode ID: 6b3443977fef309cdba2dba526e59d3506fb47b784643308919308a38f61eeb2
                  • Instruction ID: e053e0f26c7f205eb956597cd99b5857b5374ab4f6235570d67f5486131c58d4
                  • Opcode Fuzzy Hash: 6b3443977fef309cdba2dba526e59d3506fb47b784643308919308a38f61eeb2
                  • Instruction Fuzzy Hash: 57718A70A0020ADFDF15EFA4CC55BEEBBB5FF08310F140219E655B62A2DB795A00EB61
                  APIs
                    • Part of subcall function 01017D90: GetParent.USER32(?), ref: 01017D9C
                    • Part of subcall function 01017D90: GetParent.USER32(00000000), ref: 01017D9F
                    • Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
                  • GetParent.USER32(?), ref: 00FB2846
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00FB285B
                  • GetClientRect.USER32(?,?), ref: 00FB28C2
                  • GetClientRect.USER32(?,?), ref: 00FB28D7
                    • Part of subcall function 00F88828: ClientToScreen.USER32(?,00FA73A3), ref: 00F88839
                    • Part of subcall function 00F88828: ClientToScreen.USER32(?,00FA73AB), ref: 00F88846
                  • GetWindowRect.USER32(?,?), ref: 00FB28F7
                    • Part of subcall function 00F913B6: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00F8D36C,?,00F8D36C,00000000,?,?,000000FF,000000FF,00000015), ref: 00F913DE
                  • GetParent.USER32(?), ref: 00FB2946
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00FB295A
                  • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00FB29AF
                  • PostMessageA.USER32(?,00000000,00000000), ref: 00FB29D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClientMessageParent$RectSendWindow$Screen$LongPost
                  • String ID:
                  • API String ID: 3884207962-0
                  • Opcode ID: 99bd11016c645d54fad41ed8248c57bdcaee735917acc07ef3cb3bdc892722d8
                  • Instruction ID: 5de8a39f30e40bd2b54679220a958b71e0a8d9de565fd58cb9a90c6727c16dc3
                  • Opcode Fuzzy Hash: 99bd11016c645d54fad41ed8248c57bdcaee735917acc07ef3cb3bdc892722d8
                  • Instruction Fuzzy Hash: 166107B1900209AFCF10DFA9DC84AEEBBF9FF88304F104569E945A7265CB759901DF64
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FECFC9
                  • CreatePopupMenu.USER32 ref: 00FED000
                  • AppendMenuA.USER32(?,00000040,?,?), ref: 00FED09F
                  • GetLastError.KERNEL32 ref: 00FED0A9
                  • AppendMenuA.USER32(?,00000040,?,?), ref: 00FED11B
                  • GetLastError.KERNEL32 ref: 00FED123
                  • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00FED144
                  • GetLastError.KERNEL32 ref: 00FED14C
                  • SetMenuDefaultItem.USER32(00000000,000000FF,00000000), ref: 00FED189
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$AppendErrorLast$CreateDefaultH_prolog3ItemPopup
                  • String ID:
                  • API String ID: 1085244643-0
                  • Opcode ID: 530c5945c81c372d09e171da6818d9d15c00dbda335efe016473a2176e1faf18
                  • Instruction ID: eeba7631143bb0c0e5d3e9e5f89a40a094305e1a87f99397f535b7c5a117ec25
                  • Opcode Fuzzy Hash: 530c5945c81c372d09e171da6818d9d15c00dbda335efe016473a2176e1faf18
                  • Instruction Fuzzy Hash: 1A51D672D006968FEF25DFA9CC44AAEB7F0BF08320F14022DE5A1A7690DB359D01EB51
                  APIs
                    • Part of subcall function 00F92064: GetFocus.USER32 ref: 00F9206A
                    • Part of subcall function 00F92064: GetParent.USER32(00000000), ref: 00F92092
                    • Part of subcall function 00F92064: GetWindowLongA.USER32(?,000000F0), ref: 00F920AD
                    • Part of subcall function 00F92064: GetParent.USER32(?), ref: 00F920BB
                    • Part of subcall function 00F92064: GetDesktopWindow.USER32 ref: 00F920BF
                    • Part of subcall function 00F92064: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00F920D3
                  • GetMenu.USER32(?), ref: 00FAEC20
                  • GetMenuItemCount.USER32(?), ref: 00FAEC50
                  • GetSubMenu.USER32(?,00000000), ref: 00FAEC61
                  • GetMenuItemCount.USER32(?), ref: 00FAEC83
                  • GetMenuItemID.USER32(?,00000000), ref: 00FAECA4
                  • GetSubMenu.USER32(?,00000000), ref: 00FAECBC
                  • GetMenuItemID.USER32(?,00000000), ref: 00FAECD4
                  • GetMenuItemCount.USER32(?), ref: 00FAED0B
                  • GetMenuItemID.USER32(?,00000000), ref: 00FAED26
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
                  • String ID:
                  • API String ID: 4186786570-0
                  • Opcode ID: 93454945d2d0eb0b79d4b56d7c43ae772a2a3258ad7f076f707c88c0f84685e8
                  • Instruction ID: 8a70847b6d8a03b1ff2ed6dea1ed1157077c692f15e9e1ccae5277435d9f2680
                  • Opcode Fuzzy Hash: 93454945d2d0eb0b79d4b56d7c43ae772a2a3258ad7f076f707c88c0f84685e8
                  • Instruction Fuzzy Hash: 3051AFB1D00205EFCF21AF64C984AEEBBB5FF5A720F244869E411E6121D735ED40EB60
                  APIs
                  • EnableMenuItem.USER32(?,0000420F,00000001), ref: 00F9E3F9
                  • EnableMenuItem.USER32(?,0000420E,00000001), ref: 00F9E415
                  • CheckMenuItem.USER32(?,00004213,00000008), ref: 00F9E44A
                  • EnableMenuItem.USER32(?,00004212,00000001), ref: 00F9E46A
                  • EnableMenuItem.USER32(?,00004212,00000001), ref: 00F9E48E
                  • EnableMenuItem.USER32(?,00004213,00000001), ref: 00F9E49A
                  • EnableMenuItem.USER32(?,00004214,00000001), ref: 00F9E4A6
                  • EnableMenuItem.USER32(?,00004215,00000001), ref: 00F9E4EE
                  • CheckMenuItem.USER32(?,00004215,00000008), ref: 00F9E502
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ItemMenu$Enable$Check
                  • String ID:
                  • API String ID: 1852492618-0
                  • Opcode ID: f0c96467576abae9b7e0fdc01034b77091134aaaaa769716e8b194da3556bed4
                  • Instruction ID: a2a1917a625a65bedfd38d6afee6c3748ace47b21aa300df1270931de2d61cc9
                  • Opcode Fuzzy Hash: f0c96467576abae9b7e0fdc01034b77091134aaaaa769716e8b194da3556bed4
                  • Instruction Fuzzy Hash: 2141B074B40201EBFF20CE18CD85F65B7A5BB14724F588169FA09AB1E5D7B2EC50EB90
                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00F92437
                  • EnterCriticalSection.KERNEL32(?,00000010,00F926F3,?,00000000,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92448
                  • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92466
                  • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F9249A
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92506
                  • _memset.LIBCMT ref: 00F92525
                  • TlsSetValue.KERNEL32(?,00000000), ref: 00F92536
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92557
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                  • String ID:
                  • API String ID: 1891723912-0
                  • Opcode ID: 5d7b6fe4654843091e6fe8743bed25a5c5c9cfa2e55a474921f8e687a07763b2
                  • Instruction ID: b25bfe7a3549c9e93ca988188d43915eeeb7cb57995430ff04fabcda4da44b20
                  • Opcode Fuzzy Hash: 5d7b6fe4654843091e6fe8743bed25a5c5c9cfa2e55a474921f8e687a07763b2
                  • Instruction Fuzzy Hash: B531C171400606BFEF60EF64CC95DAAB7B1FF04320B21C52DE99696194CB35AD50EB40
                  APIs
                  • GetTcpTable2.IPHLPAPI(00000000,?,00000001), ref: 00F810B3
                  • _malloc.LIBCMT ref: 00F810BE
                  • GetTcpTable2.IPHLPAPI(00000000,?,00000001), ref: 00F810CF
                  • htonl.WS2_32(7F000001), ref: 00F810E5
                  • htonl.WS2_32(00000000), ref: 00F810F1
                  • inet_ntop.WS2_32(00000002,00000008,?,00000016), ref: 00F8110F
                  • inet_ntop.WS2_32(00000002,00000010,?,00000016), ref: 00F8111A
                  • SetTcpEntry.IPHLPAPI(00000004), ref: 00F81126
                  • _free.LIBCMT ref: 00F81143
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Table2htonlinet_ntop$Entry_free_malloc
                  • String ID:
                  • API String ID: 2996799583-0
                  • Opcode ID: 69c5014f701d1f64056c9c3e55352a431871bcac226dc828ce8ea814853b4fbc
                  • Instruction ID: 9f1629a062deec08ab2f6b6cfed6c7a0bc1c3a5138490b7df05e9787362af108
                  • Opcode Fuzzy Hash: 69c5014f701d1f64056c9c3e55352a431871bcac226dc828ce8ea814853b4fbc
                  • Instruction Fuzzy Hash: 4F219F71D00205EFD710EFA4DC84AEEB7BDFB49710F104619F54597280EB75A882CB61
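                  Added example (not part of the Joe Sandbox report or its IDA plugin): a small Python triage helper that parses API-call lines in the exact format used above, decodes the argument passed to htonl (7F000001 is 127.0.0.1 in host order, so the function is filtering on the loopback address), and flags the GetTcpTable2 / SetTcpEntry pairing. The nine input lines are copied from this entry; the parser, the capability rule and all names are this example's own assumptions. The "00000004" shown for SetTcpEntry is the raw first argument the sandbox captured and is not interpreted here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the API records of this report entry, copied verbatim.
SAMPLE_LINES = """\
• GetTcpTable2.IPHLPAPI(00000000,?,00000001), ref: 00F810B3
• _malloc.LIBCMT ref: 00F810BE
• GetTcpTable2.IPHLPAPI(00000000,?,00000001), ref: 00F810CF
• htonl.WS2_32(7F000001), ref: 00F810E5
• htonl.WS2_32(00000000), ref: 00F810F1
• inet_ntop.WS2_32(00000002,00000008,?,00000016), ref: 00F8110F
• inet_ntop.WS2_32(00000002,00000010,?,00000016), ref: 00F8111A
• SetTcpEntry.IPHLPAPI(00000004), ref: 00F81126
• _free.LIBCMT ref: 00F81143
""".splitlines()

# One record: "• [Part of subcall function XXXX: ]Name.MODULE[(args)], ref: XXXX"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]      # None where the sandbox printed '?'
    ref: int                       # address of the call site
    subcall_of: Optional[int] = None


def parse_api_lines(lines):
    """Turn report lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = []
        if raw:
            for a in raw.split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls


def ipv4_from_host_order(value):
    """htonl() takes the address in host order, so 0x7F000001 is 127.0.0.1."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def annotate(call):
    """Human-readable decoding for the network calls seen in this entry."""
    if call.name == "htonl" and call.args and call.args[0] is not None:
        return f"htonl({call.args[0]:08X}) -> {ipv4_from_host_order(call.args[0])}"
    if call.name == "inet_ntop" and call.args and call.args[0] == 2:
        return "inet_ntop(AF_INET, ...) -> address rendered as text"
    return None


def find_tcp_table_manipulation(calls):
    """True when the function reads the live TCP table and later writes a row
    back. GetTcpTable2 is called twice (size query, then fill after _malloc);
    SetTcpEntry sets a row's state, and the only state Windows accepts there is
    MIB_TCP_STATE_DELETE_TCB, i.e. the connection is torn down."""
    names = [c.name for c in calls]
    if "GetTcpTable2" in names and "SetTcpEntry" in names:
        return names.index("GetTcpTable2") < names.index("SetTcpEntry")
    return False


def summarize(lines):
    calls = parse_api_lines(lines)
    return {
        "calls": len(calls),
        "loopback_constant": any(c.name == "htonl" and c.args == [0x7F000001]
                                 for c in calls),
        "tcp_table_write": find_tcp_table_manipulation(calls),
        "notes": [a for a in map(annotate, calls) if a],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LINES).items():
        print(f"{k}: {v}")
```

                  The loopback check is the detail worth keeping: a function that walks the connection table, compares rows against 127.0.0.1 and then calls SetTcpEntry is closing local connections, which is a known technique for cutting off debuggers or proxies, and it deserves a second look in the disassembly even though the surrounding code is ordinary MFC UI handling.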
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FA8E88
                  • IsMenu.USER32(?), ref: 00FA8EAC
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00FA8FF4
                  • lstrlenA.KERNEL32(?), ref: 00FA9001
                    • Part of subcall function 00FED50D: __EH_prolog3.LIBCMT ref: 00FED514
                    • Part of subcall function 00FEC252: __EH_prolog3.LIBCMT ref: 00FEC259
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$CurrentDirectoryException@8H_prolog3_MenuThrowlstrlen
                  • String ID: &%d %s$Recent File$\
                  • API String ID: 2040550558-1349024391
                  • Opcode ID: 53d6cf8b0ee6ca2780c3bac07cef15cb8a66eb87ec28aeb8d9ba21de81965f0a
                  • Instruction ID: 00ccbd17ca0ac9b671890a9d6788781a43cca50eee2626baccedf1b0c53b6e2e
                  • Opcode Fuzzy Hash: 53d6cf8b0ee6ca2780c3bac07cef15cb8a66eb87ec28aeb8d9ba21de81965f0a
                  • Instruction Fuzzy Hash: 18E19EB0A00316DFDF249F64CC89BE9B7B5BF45310F1481A8E51A97292DBB4AD81DF50
                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00FA2749
                    • Part of subcall function 01008548: __EH_prolog3.LIBCMT ref: 0100854F
                  • IsWindow.USER32(?), ref: 00FA286A
                    • Part of subcall function 00F912A0: GetDlgCtrlID.USER32(?), ref: 00F912A9
                  • _free.LIBCMT ref: 00FA28FE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CtrlH_prolog3H_prolog3_catchWindow_free
                  • String ID: %sMFCToolBar-%d$%sMFCToolBar-%d%x$Buttons$Name
                  • API String ID: 3263183211-3132478384
                  • Opcode ID: 1edbf2d836bbb3b4aff9383c5b3b8f5647cc3ad04f33d6dab2b6a3ff0b5d864e
                  • Instruction ID: b6665281f4ab1f16a0faccc97e331c95a235f6031f4d741f20eaff00fbb14378
                  • Opcode Fuzzy Hash: 1edbf2d836bbb3b4aff9383c5b3b8f5647cc3ad04f33d6dab2b6a3ff0b5d864e
                  • Instruction Fuzzy Hash: 1351DB71E002499FDF11EFE8CC84AEEBBB0AF19310F14805DF5556B292DB398A00EB21
                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00FD81C1
                    • Part of subcall function 00F9897D: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00F989A0
                    • Part of subcall function 00FCF57A: __EH_prolog3.LIBCMT ref: 00FCF581
                    • Part of subcall function 00F9890C: __EH_prolog3.LIBCMT ref: 00F98913
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$ByteCharH_prolog3_catchMultiWide
                  • String ID: MFCMaskedEdit_DefaultChar$MFCMaskedEdit_InputTemplate$MFCMaskedEdit_Mask$MFCMaskedEdit_SelectByGroup$MFCMaskedEdit_ValidChars$_
                  • API String ID: 207285973-3648902185
                  • Opcode ID: db57d31a33fa52befc0b89d2e9552a2fa6dc7f4518a7d48ed0ee237572643230
                  • Instruction ID: af985e25e7d67c24b897590f5d58e869630065d222807c60f4a6bd0355509b9d
                  • Opcode Fuzzy Hash: db57d31a33fa52befc0b89d2e9552a2fa6dc7f4518a7d48ed0ee237572643230
                  • Instruction Fuzzy Hash: 3A516D31900109AEDF05FBE4CD52AEEBBBAAF14350F284119F511A7292DF389E05EB61
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 01008D07
                  • GetWindowLongA.USER32(?,000000F0), ref: 01008D6A
                  • _memset.LIBCMT ref: 01008E2B
                  • GetMenuItemInfoA.USER32 ref: 01008E56
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 01008ED1
                  • UpdateWindow.USER32(?), ref: 01008EDA
                    • Part of subcall function 01017BE5: SendMessageA.USER32(?,00000229,00000000,?), ref: 01017C10
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$H_prolog3_InfoInvalidateItemLongMenuMessageRectSendUpdate_memset
                  • String ID: 0
                  • API String ID: 3082450406-4108050209
                  • Opcode ID: 8463be29e3e891b49cdc2a20104749952fb5d683b0b7e9245b4bfebb27edf576
                  • Instruction ID: e897d4f9343baeadcbad627d5434772cb1603028b4232c0e4adeaf1cfe89299b
                  • Opcode Fuzzy Hash: 8463be29e3e891b49cdc2a20104749952fb5d683b0b7e9245b4bfebb27edf576
                  • Instruction Fuzzy Hash: 2751C3309002569FEB26EB68CC94BEEBBF9BF54310F1442ADA59A971D1DF345A84CF10
                  APIs
                  • SendMessageA.USER32(?,0000110A,00000004,?), ref: 00FD239E
                  • _memset.LIBCMT ref: 00FD23AB
                  • SendMessageA.USER32(?,00001102,00008001,?), ref: 00FD2414
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00FD23DD
                  • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00FD23E8
                  • SendMessageA.USER32(?,0000110B,00000009,?), ref: 00FD2402
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$Exception@8Throw_memset
                  • String ID: @
                  • API String ID: 3355562902-2766056989
                  • Opcode ID: 8306766ee809fa54535faf28cfd6724f94de789bfa8a147a5a1c3d1d547b3f57
                  • Instruction ID: b0fd9c38c650f650cee038ad8182bc4978ca130d9b12f3ecc8732d2e9b02131a
                  • Opcode Fuzzy Hash: 8306766ee809fa54535faf28cfd6724f94de789bfa8a147a5a1c3d1d547b3f57
                  • Instruction Fuzzy Hash: A4210E72A003047BEB619F55CC81FDA77ADFF6C761F144016FB44AA291D6B5DC409B90
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FD309D
                    • Part of subcall function 00FCFA5B: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00FCFA64
                  • SendMessageA.USER32(FFFFFFFF,00000030,?,00000001), ref: 00FD3109
                  • SendMessageA.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 00FD3116
                  • SendMessageA.USER32(FFFFFFFF,00000030,?,00000001), ref: 00FD3136
                  • SendMessageA.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 00FD3140
                  • ~_Task_impl.LIBCPMT ref: 00FD3160
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$H_prolog3_Task_impl
                  • String ID: d
                  • API String ID: 731318678-2564639436
                  • Opcode ID: e33679e54a391462d1f35bfb3bc7a3759ae40d96c30e3106d176a7944e00f5c8
                  • Instruction ID: 9998e3bf40db78aabfa483d3dec06c243926f3ad7960c58f06be3420be7e9963
                  • Opcode Fuzzy Hash: e33679e54a391462d1f35bfb3bc7a3759ae40d96c30e3106d176a7944e00f5c8
                  • Instruction Fuzzy Hash: A4218470900219AEEF25EFA5CD81FEDBAB9BF04754F50416AA248A71D1CB745F04DF60
                  APIs
                  • _memset.LIBCMT ref: 010711E6
                  • _strlen.LIBCMT ref: 010711EC
                  • _strcpy_s.LIBCMT ref: 01071205
                  • GetDC.USER32(00000000), ref: 0107121B
                  • EnumFontFamiliesExA.GDI32(00000000,?,01071182,?,00000000), ref: 01071236
                  • ReleaseDC.USER32(00000000,00000000), ref: 0107123E
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnumException@8FamiliesFontReleaseThrow_memset_strcpy_s_strlen
                  • String ID: MS UI Gothic
                  • API String ID: 2002023409-1905310704
                  • Opcode ID: b824871e57ab2e33ced23f7bc65b890af720f8094f183256602e734da4a14534
                  • Instruction ID: 51edc19d7a2d64c008d1666bc7975a71e0d2bd4deb936d19a6b74ce669aa56a1
                  • Opcode Fuzzy Hash: b824871e57ab2e33ced23f7bc65b890af720f8094f183256602e734da4a14534
                  • Instruction Fuzzy Hash: 8A01C872D01218BBDB20EBA49D49DEEBBBDFF49714F100419F941E3141DE36AA02C7A9
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FAA084
                    • Part of subcall function 01005AE4: __EH_prolog3.LIBCMT ref: 01005AEB
                    • Part of subcall function 01005AE4: EnterCriticalSection.KERNEL32(010F3F84,00000000,00FA0BFD,00000001), ref: 01005B47
                    • Part of subcall function 01005AE4: __beginthread.LIBCMT ref: 01005B61
                    • Part of subcall function 01005AE4: SetThreadPriority.KERNEL32(00000000,000000FF), ref: 01005B7A
                    • Part of subcall function 01005AE4: LeaveCriticalSection.KERNEL32(010F3F84), ref: 01005B91
                  • LoadCursorA.USER32(00000000,00007F00), ref: 00FAA0B7
                  • GetClientRect.USER32(?,?), ref: 00FAA101
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • IsWindowVisible.USER32(?), ref: 00FAA317
                  • SetTimer.USER32(?,00000001,00000000), ref: 00FAA335
                  • _clock.LIBCMT ref: 00FAA33B
                  • InvalidateRect.USER32(?,00000000,00000001,010F1C10,00000000,00000000,00000000,00000000,00000053), ref: 00FAA3A0
                  • UpdateWindow.USER32(?), ref: 00FAA3A9
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalRectSectionWindow$ClientCursorEnterException@8H_prolog3H_prolog3_InvalidateLeaveLoadPriorityThreadThrowTimerUpdateVisible__beginthread_clock
                  • String ID:
                  • API String ID: 3525769149-0
                  • Opcode ID: d3bccac758221c90f86f382c190482838c6b1dc9f28c5a8ba9124eea42d053cf
                  • Instruction ID: 66e5f435b6552b979446ff81da2370812d72381850edf9bf27bca5a35584d177
                  • Opcode Fuzzy Hash: d3bccac758221c90f86f382c190482838c6b1dc9f28c5a8ba9124eea42d053cf
                  • Instruction Fuzzy Hash: DEA138B1A00705AFDB64DF74C880AEEB7F5FB09310F14492EE5AA93280DB75A844EF51
                  APIs
                  • __EH_prolog3.LIBCMT ref: 010129EA
                  • CreateCompatibleDC.GDI32(?), ref: 01012A4D
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 01012A7F
                  • SelectObject.GDI32(?,00000000), ref: 01012ADD
                  • _memmove.LIBCMT ref: 01012B53
                  • _memmove.LIBCMT ref: 01012BF5
                  • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 01012C2A
                  • DeleteObject.GDI32(?), ref: 01012C70
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CompatibleCreateObject_memmove$BitmapDeleteH_prolog3Select
                  • String ID:
                  • API String ID: 1211385342-0
                  • Opcode ID: 3357149f2179537a0a442bd8b42cffe820670898fd03bdd481d047190d1d9afa
                  • Instruction ID: 410cc00ed736188d34d3776c48e2489ad584b26f75dd9ce15b68354a768e810f
                  • Opcode Fuzzy Hash: 3357149f2179537a0a442bd8b42cffe820670898fd03bdd481d047190d1d9afa
                  • Instruction Fuzzy Hash: 73917C71D0021A9FDF10DFA8CC84AEEBBF5FF48325F248259E954AB294D7349A45CB60
                  APIs
                  • __EH_prolog3.LIBCMT ref: 01020BC2
                  • GetSystemMenu.USER32(?,00000000,00000038,00FB663C,00000000,00000000,?), ref: 01020C70
                  • IsMenu.USER32(?), ref: 01020C85
                  • IsMenu.USER32(?), ref: 01020C96
                  • GetWindowLongA.USER32(?,000000F0), ref: 01020CBE
                  • _memset.LIBCMT ref: 01020DA0
                  • GetMenuItemInfoA.USER32(00000000,0000F060,00000000,?), ref: 01020DBB
                  • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 01020E10
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$Window$H_prolog3InfoItemLongRedrawSystem_memset
                  • String ID:
                  • API String ID: 428562733-0
                  • Opcode ID: 7e6025313354d5c702e5d223cddebffe5d731a0daea8a1e0455791a6bd327aaf
                  • Instruction ID: 5d9b97b1794abde63cb502b1c391f69db8f00c24628646d6d4ef282671f06150
                  • Opcode Fuzzy Hash: 7e6025313354d5c702e5d223cddebffe5d731a0daea8a1e0455791a6bd327aaf
                  • Instruction Fuzzy Hash: 0871AF709003199FEB61AF64C844BEEBBF8FF44310F20455DF5AA9B285DB75AA40CB50
                  APIs
                  • GetCursorPos.USER32(?), ref: 00FEC732
                  • ScreenToClient.USER32(?,?), ref: 00FEC73F
                  • PtInRect.USER32(?,?,?), ref: 00FEC752
                  • GetCursorPos.USER32(?), ref: 00FEC790
                  • ScreenToClient.USER32(?,?), ref: 00FEC79D
                  • PtInRect.USER32(?,?,?), ref: 00FEC7B0
                  • InflateRect.USER32(?,?,?), ref: 00FEC89F
                  • RedrawWindow.USER32(?,?,00000000,00000401), ref: 00FEC8B6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$ClientCursorScreen$InflateRedrawWindow
                  • String ID:
                  • API String ID: 4131952207-0
                  • Opcode ID: 638f91f5b73642b1e63664db76c230da17feda9b28eefeab5071a89f71d16d5e
                  • Instruction ID: daed55a1826bbec54866821c86a18f9542fd7d0d761a09d4b99e0dabdd6dd719
                  • Opcode Fuzzy Hash: 638f91f5b73642b1e63664db76c230da17feda9b28eefeab5071a89f71d16d5e
                  • Instruction Fuzzy Hash: BC518F31E00204EFCF11DF66C984AAD77B9FF49320F1441AAF889DA156EB359942EF60
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
                  • String ID:
                  • API String ID: 3509494761-0
                  • Opcode ID: 952d4adf93b39704b9f57fd0157ae79da937954cb78c6f764c1db30facab916b
                  • Instruction ID: 02a36a3bed892750dcb5146069b0c92013babecc959b27e90a3814dcfc2e49d5
                  • Opcode Fuzzy Hash: 952d4adf93b39704b9f57fd0157ae79da937954cb78c6f764c1db30facab916b
                  • Instruction Fuzzy Hash: 7651CE70600241AFDF10AF69C898BEA37B6BF45385F1800B8F90ADF196DF769805DB60
                  APIs
                  • GetFocus.USER32 ref: 00FD0565
                  • ScreenToClient.USER32(00000000,?), ref: 00FD05AA
                  • SendMessageA.USER32(?,0000102C,00000000,00000003), ref: 00FD05E8
                  • SetCapture.USER32(?), ref: 00FD060E
                  • ReleaseCapture.USER32 ref: 00FD0649
                  • ScreenToClient.USER32(?,?), ref: 00FD0668
                  • GetSystemMetrics.USER32(00000044), ref: 00FD06A3
                  • GetSystemMetrics.USER32(00000045), ref: 00FD06BF
                    • Part of subcall function 00FCFAD5: SendMessageA.USER32(00FD054C,00001018,00000000,00000000), ref: 00FCFAE1
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CaptureClientMessageMetricsScreenSendSystem$FocusRelease
                  • String ID:
                  • API String ID: 3871486171-0
                  • Opcode ID: 9a5ff4df22c1e28b8624b074b1bc934d517db7f80cfa61cf45bc0d8d3f4a19eb
                  • Instruction ID: 7d8d770bb3acd79b5ace8fd5db8984bf79a6cadc340276883dd46131bff66d68
                  • Opcode Fuzzy Hash: 9a5ff4df22c1e28b8624b074b1bc934d517db7f80cfa61cf45bc0d8d3f4a19eb
                  • Instruction Fuzzy Hash: 9B517E71A00605AFCB20DF78C984BDABBF6FF58314F14452AE5AAC7250DB74E950DB40
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FC008B
                  • IsWindowVisible.USER32(?), ref: 00FC00E4
                  • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00FC011A
                  • CreateRectRgn.GDI32(00000000,00000000,00000005,00000005), ref: 00FC0135
                  • CreateEllipticRgn.GDI32(00000000,00000000,0000000B,0000000B), ref: 00FC0160
                  • CreateRectRgn.GDI32(?,00000000,?,00000005), ref: 00FC0194
                  • CreateEllipticRgn.GDI32(?,00000000,?,0000000B), ref: 00FC01C7
                    • Part of subcall function 00F9A16B: CombineRgn.GDI32(?,?,?,?), ref: 00F9A190
                  • SetWindowRgn.USER32(?,00000000,00000001), ref: 00FC01F9
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$Rect$EllipticWindow$CombineH_prolog3Visible
                  • String ID:
                  • API String ID: 2498130849-0
                  • Opcode ID: 481a3ab47173b19e89fffcd44f30fd6ec83aae207ad86776261dd8dc269aa435
                  • Instruction ID: 0aff74f8b6b8a4746ea87237eceb469674607958fa1e3725ee2af98399eba170
                  • Opcode Fuzzy Hash: 481a3ab47173b19e89fffcd44f30fd6ec83aae207ad86776261dd8dc269aa435
                  • Instruction Fuzzy Hash: C7515DB1D4020AAADB11EFE0CD9AEEFB778BF14350F504119B512B61D1DF386A05DBA1
                  APIs
                  • __EH_prolog3.LIBCMT ref: 01064273
                  • EqualRect.USER32(?,?), ref: 01064292
                  • EqualRect.USER32(?,?), ref: 010642A3
                  • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 010642F3
                  • CreateRectRgn.GDI32(?,00000000,?,?), ref: 01064326
                  • CreateRectRgnIndirect.GDI32(?), ref: 01064332
                  • SetWindowRgn.USER32(?,?,00000000), ref: 01064359
                  • RedrawWindow.USER32(?,00000000,00000000,00000105,010F1C10,?,?,?,00000001,00000058), ref: 010643D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Create$EqualWindow$H_prolog3IndirectRedraw
                  • String ID:
                  • API String ID: 1234839666-0
                  • Opcode ID: 2c44bc852f4f85c7e347b9f10e25d16b46e8dae19c2cf21ea3f031a47cd71440
                  • Instruction ID: fc9227177b60def2384eb4793df6ea17749192077907a40794d5349fdccfee3f
                  • Opcode Fuzzy Hash: 2c44bc852f4f85c7e347b9f10e25d16b46e8dae19c2cf21ea3f031a47cd71440
                  • Instruction Fuzzy Hash: D451547190011AEFDF11DFA8C899EEF7BB9BF04304F008119BC55AB149DB75AA45CBA0
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FBF238
                  • InflateRect.USER32(?), ref: 00FBF25F
                  • DrawFocusRect.USER32(?,?), ref: 00FBF2C0
                  • InflateRect.USER32(?), ref: 00FBF2D5
                  • InflateRect.USER32(?), ref: 00FBF310
                  • InflateRect.USER32(?), ref: 00FBF356
                  • CreateHatchBrush.GDI32(00000005,?,?,?,?,?,?,?,?,?,?,00000010), ref: 00FBF373
                  • FillRect.USER32(00000001,?,00000000), ref: 00FBF38C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Inflate$BrushCreateDrawFillFocusH_prolog3Hatch
                  • String ID:
                  • API String ID: 4128771895-0
                  • Opcode ID: 013fa31710e2eff79c3f6e17c922cdd2207812fab9f30218a1abf08c7b8a511f
                  • Instruction ID: 9a46322dd18ef709554d84ccfe5bc1c7f4c5ab46a60011eb122500047a12cd06
                  • Opcode Fuzzy Hash: 013fa31710e2eff79c3f6e17c922cdd2207812fab9f30218a1abf08c7b8a511f
                  • Instruction Fuzzy Hash: E241F5B580011AEBDF21DF95CD85DEE77BCFB18324F00812AF555A6144D73A9A09DFA0
                  APIs
                    • Part of subcall function 00FE9A48: ReleaseCapture.USER32 ref: 00FE9A76
                    • Part of subcall function 00FE9A48: IsWindow.USER32(?), ref: 00FE9A9A
                    • Part of subcall function 00FE9A48: DestroyWindow.USER32(?), ref: 00FE9AAA
                  • SetRectEmpty.USER32(?), ref: 00F9CEFA
                  • ReleaseCapture.USER32 ref: 00F9CF00
                  • SetCapture.USER32(?), ref: 00F9CF0F
                  • GetCapture.USER32 ref: 00F9CF51
                  • ReleaseCapture.USER32 ref: 00F9CF61
                  • SetCapture.USER32(?), ref: 00F9CF70
                  • RedrawWindow.USER32(?,?,?,00000505), ref: 00F9CFDB
                  • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00F9D01A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
                  • String ID:
                  • API String ID: 2209428161-0
                  • Opcode ID: 2869eda1007260f742a96f9cdc0743d5b3d13082a5e081e6b662b3768c671f9e
                  • Instruction ID: e7cde4f38707eafb4b03dd51a74a5e9e362142ddf30b4d8a30ee403ffd80279e
                  • Opcode Fuzzy Hash: 2869eda1007260f742a96f9cdc0743d5b3d13082a5e081e6b662b3768c671f9e
                  • Instruction Fuzzy Hash: F14151316007009FEB25AB34CC59F9B7BA6BF88728F15061DF5AAC7290DB35E800DB90
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FE32A3
                  • GetObjectA.GDI32(?,00000018,?), ref: 00FE32BF
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE32D5
                  • SelectObject.GDI32(?,?), ref: 00FE32EA
                  • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00FE3318
                  • GetPixel.GDI32(?,?,?), ref: 00FE333C
                  • CreateRectRgn.GDI32(?,?,?,?), ref: 00FE3361
                  • SelectObject.GDI32(?,?), ref: 00FE33AD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateObject$RectSelect$CompatibleH_prolog3Pixel
                  • String ID:
                  • API String ID: 3013396696-0
                  • Opcode ID: e6b52de0589c136418e2f5ee479217ec4505378c1083c6d225c2c2de42175725
                  • Instruction ID: 74dfa35577ba3cbe954ad3e8220c017d6c66f6b48be1b6fdd607c377f9f77801
                  • Opcode Fuzzy Hash: e6b52de0589c136418e2f5ee479217ec4505378c1083c6d225c2c2de42175725
                  • Instruction Fuzzy Hash: 24410371C00209EFCF00EFA4D8999EEBBB8BF48300F508029F556B7251DB359A45EBA1
                  APIs
                  • MessageBeep.USER32(000000FF), ref: 010008AD
                  • ReleaseCapture.USER32 ref: 010008E4
                  • GetClientRect.USER32(?,?), ref: 0100090F
                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 01000928
                  • GetCursorPos.USER32(?), ref: 01000938
                  • ScreenToClient.USER32(?,?), ref: 01000945
                  • PtInRect.USER32(?,?,?), ref: 01000955
                  • SendMessageA.USER32(?,00000203,?,?), ref: 01000971
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClientMessageRect$BeepCaptureCursorPointsReleaseScreenSendWindow
                  • String ID:
                  • API String ID: 1719883865-0
                  • Opcode ID: dea1a354abe64c03a4f4c03cfb52b8c86e680009f1eb3c6bfed4b7835921eeb5
                  • Instruction ID: 859b0abd5e37e403b553d346318d3b1b1d9a16d55d94fb673b418a9b04436e13
                  • Opcode Fuzzy Hash: dea1a354abe64c03a4f4c03cfb52b8c86e680009f1eb3c6bfed4b7835921eeb5
                  • Instruction Fuzzy Hash: D7418331500205EFEB25DF69C898AAEBBF5FF48344F10456DF2DA971A4D735A941CB80
                  APIs
                  • lstrlenA.KERNEL32(?), ref: 00FCD052
                  • _memset.LIBCMT ref: 00FCD06E
                  • GetFocus.USER32 ref: 00FCD076
                    • Part of subcall function 00F8D8AA: UnhookWindowsHookEx.USER32(?), ref: 00F8D8DA
                  • IsWindowEnabled.USER32(?), ref: 00FCD0AB
                  • EnableWindow.USER32(?,00000000), ref: 00FCD0C7
                  • EnableWindow.USER32(00000000,00000001), ref: 00FCD15A
                  • IsWindow.USER32(?), ref: 00FCD15F
                  • SetFocus.USER32(?), ref: 00FCD16C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$EnableFocus$EnabledHookUnhookWindows_memsetlstrlen
                  • String ID:
                  • API String ID: 3424750955-0
                  • Opcode ID: cb3e3c06bf0b5fa0e425814739bc1d0a27d8b4d65e9d52ff5088b4dd7913515b
                  • Instruction ID: bfab0cff87d6d79c829610da75eb2ed6bd6d39c994daea233b7bd7a447013f9f
                  • Opcode Fuzzy Hash: cb3e3c06bf0b5fa0e425814739bc1d0a27d8b4d65e9d52ff5088b4dd7913515b
                  • Instruction Fuzzy Hash: C541A231600601DFEB20AF74CA96F9EBBA5FF44314F14846DE55A87256CB36EC02EB40
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FE2AF7
                  • CreateCompatibleDC.GDI32(?), ref: 00FE2B4C
                  • CreateCompatibleDC.GDI32(?), ref: 00FE2B5A
                  • SelectObject.GDI32(00000000,?), ref: 00FE2B79
                  • SelectObject.GDI32(?,?), ref: 00FE2B8E
                  • BitBlt.GDI32(00000000,?,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00FE2BB5
                  • SelectObject.GDI32(00000000,?), ref: 00FE2BC6
                  • SelectObject.GDI32(?,?), ref: 00FE2BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ObjectSelect$CompatibleCreate$H_prolog3
                  • String ID:
                  • API String ID: 2106698553-0
                  • Opcode ID: 5d5101e082d26d8cf82e08f8b7653ef57d07fbaf6977cfede903027fd11dfa16
                  • Instruction ID: c15843697c5189d9f5913f1ed077c119e4f5aa3ad4a47078c81ff4f4f3586282
                  • Opcode Fuzzy Hash: 5d5101e082d26d8cf82e08f8b7653ef57d07fbaf6977cfede903027fd11dfa16
                  • Instruction Fuzzy Hash: 92416671C00249EFDF11EFA0CC81AEEBBB9FF58320F54842DE48662251DB755A45EB60
                  APIs
                  • ScreenToClient.USER32(?,?), ref: 00FAB1DD
                  • GetParent.USER32(?), ref: 00FAB1F4
                  • GetClientRect.USER32(?,?), ref: 00FAB282
                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 00FAB295
                  • PtInRect.USER32(?,?,?), ref: 00FAB2A5
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClientRect$ParentPointsScreenWindow
                  • String ID:
                  • API String ID: 1402249346-0
                  • Opcode ID: b5c1618809642ad67e89a752757e16ed2a8f55524f84c33536c043bc79ab0b78
                  • Instruction ID: 804e7f805351678a3b1ea63878bffaa30b5c51ae4140e9fedd63b1e7ab7056c5
                  • Opcode Fuzzy Hash: b5c1618809642ad67e89a752757e16ed2a8f55524f84c33536c043bc79ab0b78
                  • Instruction Fuzzy Hash: 1A316072A00205AFCF129FA5DC589BEBBF9FF88314B10452AF946D7211EB75D901EB50
                  APIs
                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00F989A0
                  • _memset.LIBCMT ref: 00F989D0
                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000000), ref: 00F989E8
                  • GetACP.KERNEL32(00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00F989FA
                  • WideCharToMultiByte.KERNEL32(00000000), ref: 00F98A03
                  • _memset.LIBCMT ref: 00F98A1F
                  • GetACP.KERNEL32(00000000,?,000000FF,?,?,00000000,00000000), ref: 00F98A35
                  • WideCharToMultiByte.KERNEL32(00000000), ref: 00F98A38
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$_memset
                  • String ID:
                  • API String ID: 3545102435-0
                  • Opcode ID: 7af18ee838581687080820cb6cb61d69ae0aa0a9e508d4fe534c400e92332a21
                  • Instruction ID: 3ca2bcc69014c0de4c366b16abf43da8a55401c826a62a920a1436662ecd0b7b
                  • Opcode Fuzzy Hash: 7af18ee838581687080820cb6cb61d69ae0aa0a9e508d4fe534c400e92332a21
                  • Instruction Fuzzy Hash: DA21A672901119BFDF21AFA6CC49CEF7F69FF463A0B100515F51992190DA36AA10EBA0
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FCF0A7
                  • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 00FCF0F3
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00FCF114
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00FCF150
                  • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00FCF15C
                  • GetParent.USER32(?), ref: 00FCF19B
                  • GetParent.USER32(?), ref: 00FCF1AE
                  • SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00FCF1C5
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$Parent$H_prolog3RedrawWindow
                  • String ID:
                  • API String ID: 2708892647-0
                  • Opcode ID: 96f5b4593731acec9f714d08787a7e4bcd59eab4b51a96f1f51aed62820ab2b7
                  • Instruction ID: 6ada0544b36f1c946645f58e5fd281ca2eeac0bd2870ecfb032c436acb22679d
                  • Opcode Fuzzy Hash: 96f5b4593731acec9f714d08787a7e4bcd59eab4b51a96f1f51aed62820ab2b7
                  • Instruction Fuzzy Hash: 99315E71900606EFDF216F70CD86EAEBAAAFF44354F04493DF586961A1CB7A4D40EB40
                  APIs
                  • GetMenuItemCount.USER32(?), ref: 00F86B05
                  • GetMenuItemCount.USER32(?), ref: 00F86B0D
                  • GetSubMenu.USER32(?,-00000001), ref: 00F86B2A
                  • GetMenuItemCount.USER32(00000000), ref: 00F86B3A
                  • GetSubMenu.USER32(00000000,00000000), ref: 00F86B4B
                  • RemoveMenu.USER32(00000000,00000000,00000400), ref: 00F86B68
                  • GetSubMenu.USER32(?,?), ref: 00F86B82
                  • RemoveMenu.USER32(?,?,00000400), ref: 00F86BA0
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$CountItem$Remove
                  • String ID:
                  • API String ID: 3494307843-0
                  • Opcode ID: a217ad1781a1338d3ee446a66619093efbc285ae410025a500cc77cdb5002c6a
                  • Instruction ID: d0b50904945d4624b3cc03b9adf5006eeec78a0a413aa9d97761427285814709
                  • Opcode Fuzzy Hash: a217ad1781a1338d3ee446a66619093efbc285ae410025a500cc77cdb5002c6a
                  • Instruction Fuzzy Hash: DC21F372D00219FBCF11AFA4CE45EEEBBB5FB84359F2084A6E901E2151E7359A50AB50
                  APIs
                  • GlobalLock.KERNEL32(?), ref: 00F82B2E
                  • lstrcmpA.KERNEL32(?,?), ref: 00F82B3A
                  • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00F82B4C
                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F82B6C
                  • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00F82B74
                  • GlobalLock.KERNEL32(00000000), ref: 00F82B7E
                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00F82B8B
                  • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00F82BA3
                    • Part of subcall function 00F91DCE: GlobalFlags.KERNEL32(?), ref: 00F91DDD
                    • Part of subcall function 00F91DCE: GlobalUnlock.KERNEL32(?), ref: 00F91DEE
                    • Part of subcall function 00F91DCE: GlobalFree.KERNEL32(?), ref: 00F91DF8
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                  • String ID:
                  • API String ID: 168474834-0
                  • Opcode ID: eccc8db04060dd75b0c5c87acd573a47cd2e66af95209ae5aebf7e3e35cb57b4
                  • Instruction ID: 33ba889826c86e8f0c0f3fd191ae59223674122c8880c1b25f322513ac32391e
                  • Opcode Fuzzy Hash: eccc8db04060dd75b0c5c87acd573a47cd2e66af95209ae5aebf7e3e35cb57b4
                  • Instruction Fuzzy Hash: FE114C71501604BAEB227FA6DD46DAF7BEDFBC5B10B440519B645D2020DA35E940E720
                  APIs
                  • GetSystemMetrics.USER32(00000031), ref: 00F94E90
                  • GetSystemMetrics.USER32(00000032), ref: 00F94E9A
                  • SetRectEmpty.USER32(010F2024), ref: 00F94EA9
                  • EnumDisplayMonitors.USER32(00000000,00000000,00F94DF5,010F2024,?,?,?,00F85DF6,?), ref: 00F94EB9
                  • SystemParametersInfoA.USER32(00000030,00000000,010F2024,00000000), ref: 00F94ED4
                  • SystemParametersInfoA.USER32(00001002,00000000,010F2050,00000000), ref: 00F94EF4
                  • SystemParametersInfoA.USER32(00001012,00000000,010F2054,00000000), ref: 00F94F0C
                  • SystemParametersInfoA.USER32 ref: 00F94F2C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
                  • String ID:
                  • API String ID: 2614369430-0
                  • Opcode ID: 30b3afd97a906b97c553df48dbda3d688d3b2f43b286251f998e9ac2f7873eec
                  • Instruction ID: bdbed7d0d4e9df264109d274577a60f10a7ce9e525959482d0501937290bde4d
                  • Opcode Fuzzy Hash: 30b3afd97a906b97c553df48dbda3d688d3b2f43b286251f998e9ac2f7873eec
                  • Instruction Fuzzy Hash: 0F1137B1501744AFE2319B668C49ED7BBFCFFCAB04F00091EE5AA87140D7B1A841CB20
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Global$Size$LockUnlock$Alloc
                  • String ID:
                  • API String ID: 2344174106-0
                  • Opcode ID: 1002cd7c5a34d2c881357a50adb4d64dab3722f824796a39ab33ab41f2051ef2
                  • Instruction ID: 177ff868721048a7bbcc6c6421ed8181412f78a73f834089fd72c1b8912e6c1d
                  • Opcode Fuzzy Hash: 1002cd7c5a34d2c881357a50adb4d64dab3722f824796a39ab33ab41f2051ef2
                  • Instruction Fuzzy Hash: 77017175900218BBDB217F65CC84CAF7F6DEF442A4B108025FC0497211DA769D10EBA4
                  APIs
                  • GetSystemMetrics.USER32(0000000B), ref: 00F96DE9
                  • GetSystemMetrics.USER32(0000000C), ref: 00F96DF0
                  • GetSystemMetrics.USER32(00000002), ref: 00F96DF7
                  • GetSystemMetrics.USER32(00000003), ref: 00F96E01
                  • GetDC.USER32(00000000), ref: 00F96E0B
                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F96E1C
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F96E24
                  • ReleaseDC.USER32(00000000,00000000), ref: 00F96E2C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem$CapsDevice$Release
                  • String ID:
                  • API String ID: 1151147025-0
                  • Opcode ID: fee6dc4dda7923286b4bf20f4f9d8fe048ab08ff6cee862248a0bb805cca74cd
                  • Instruction ID: 6b381e66214adbae4feffefcd6a756584f4ee2acab4e22b9ef2fdb731c791ad7
                  • Opcode Fuzzy Hash: fee6dc4dda7923286b4bf20f4f9d8fe048ab08ff6cee862248a0bb805cca74cd
                  • Instruction Fuzzy Hash: 89F049B1E40714BAE7205FB29C4AF167F68FB44721F00441AE6558B280CBBA98018FC0
                  APIs
                  • __EH_prolog3.LIBCMT ref: 010585C4
                  • DestroyCursor.USER32(?), ref: 010585E7
                  • DestroyCursor.USER32(?), ref: 010585EF
                  • DestroyCursor.USER32(?), ref: 010585F7
                  • DestroyCursor.USER32(?), ref: 010585FF
                  • DestroyCursor.USER32(?), ref: 01058607
                  • DestroyCursor.USER32(?), ref: 0105860F
                    • Part of subcall function 00F88A33: DeleteDC.GDI32(00000000), ref: 00F88A45
                  • ~_Task_impl.LIBCPMT ref: 01058649
                    • Part of subcall function 0100DAB6: __EH_prolog3.LIBCMT ref: 0100DABD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CursorDestroy$H_prolog3$DeleteTask_impl
                  • String ID:
                  • API String ID: 823465731-0
                  • Opcode ID: 32d47c2aeee85ca0485389cfbb24027d6fec2626120a71d0a71cae4bf6a9bc04
                  • Instruction ID: be25fb0cfcd6026694995e0ff959eff44c57a357f132393f187d7e06a1a2b44e
                  • Opcode Fuzzy Hash: 32d47c2aeee85ca0485389cfbb24027d6fec2626120a71d0a71cae4bf6a9bc04
                  • Instruction Fuzzy Hash: 85017C74501B54DAEB22BB70CC04BDEBAF1BF91314F11454CE0EA072A1CF762A02EB12
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0100417A
                  • GetMenuItemCount.USER32(0000000D), ref: 010041C3
                  • GetMenuItemID.USER32(0000000D,?), ref: 010041E6
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                    • Part of subcall function 00FE7B33: __EH_prolog3.LIBCMT ref: 00FE7B3A
                    • Part of subcall function 00F91CB8: __EH_prolog3.LIBCMT ref: 00F91CBF
                  • lstrlenA.KERNEL32(00000000,?), ref: 01004308
                  • CharUpperBuffA.USER32(00000001,00000001), ref: 0100431C
                  • lstrlenA.KERNEL32(00000000), ref: 01004324
                  • GetSubMenu.USER32(00000000,?), ref: 01004456
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$H_prolog3Itemlstrlen$BuffCharCountException@8H_prolog3_ThrowUpper
                  • String ID:
                  • API String ID: 649264743-0
                  • Opcode ID: 4888df85ed31e414aa21d9e8f405d4f467cbdfe7da41128912d120940ca8001c
                  • Instruction ID: 265fd25596f6293a3d1b96193552ab372e14a141e0dee04ee7ab3f5b2e73de9c
                  • Opcode Fuzzy Hash: 4888df85ed31e414aa21d9e8f405d4f467cbdfe7da41128912d120940ca8001c
                  • Instruction Fuzzy Hash: C5D1CA30904228EFEF66EB68CC55BEDBBB4AF05320F5442C8E259A62D1DB355E84DF50
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Parent$H_prolog3
                  • String ID:
                  • API String ID: 4050631306-0
                  • Opcode ID: 4f2977178bb4d1db076bcac2fd1681771bf343207c2c4a7df83be94906e24176
                  • Instruction ID: 76579fe7b72789b43aa3b1ad0a9bf857a1af6a3f3ece2bcb85fca083770292cc
                  • Opcode Fuzzy Hash: 4f2977178bb4d1db076bcac2fd1681771bf343207c2c4a7df83be94906e24176
                  • Instruction Fuzzy Hash: A7918D30A00605AFEB16EBA8CC99BBEB7F5FF88700F140169F556AB2D0DB359941DB50
                  APIs
                    • Part of subcall function 00FE9886: GetParent.USER32(?), ref: 00FE98A0
                  • OffsetRect.USER32(?,?,?), ref: 00FF9255
                  • GetCursorPos.USER32(?), ref: 00FF9265
                    • Part of subcall function 00FF5627: SetRectEmpty.USER32(?), ref: 00FF5634
                    • Part of subcall function 00FF5627: GetWindowRect.USER32(?,?), ref: 00FF5645
                    • Part of subcall function 00FE97D5: GetParent.USER32(00000000), ref: 00FE97E0
                    • Part of subcall function 00FE97D5: OffsetRect.USER32(?,00000000,?), ref: 00FE9818
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$OffsetParent$CursorEmptyWindow
                  • String ID:
                  • API String ID: 633258892-0
                  • Opcode ID: 302c9b90b256a43e0505578bcabb2a9f9329c3344007477149b87f4949137eec
                  • Instruction ID: 8abe2c0b0af270356e671ac69149c8b2fafc3a6878a2d26c7a3659f50ca03dac
                  • Opcode Fuzzy Hash: 302c9b90b256a43e0505578bcabb2a9f9329c3344007477149b87f4949137eec
                  • Instruction Fuzzy Hash: E7A10671A0420DAFCF15DFA8D984AEEBBB6FF48310F104069F606E7260DB75A941DB60
                  APIs
                  • __EH_prolog3.LIBCMT ref: 01010D98
                  • CreateCompatibleDC.GDI32(00000002), ref: 01010DF5
                    • Part of subcall function 00FE0358: FillRect.USER32(?,00000020), ref: 00FE036C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CompatibleCreateFillH_prolog3Rect
                  • String ID:
                  • API String ID: 2215992850-0
                  • Opcode ID: efced10374b37209674c67eed9692ccafa6f950771b734ab514f239ad2648667
                  • Instruction ID: 77aec416915ccb3a1e24cef6c5eb36e18cd655aa5a1fdc63761e9aed785dda22
                  • Opcode Fuzzy Hash: efced10374b37209674c67eed9692ccafa6f950771b734ab514f239ad2648667
                  • Instruction Fuzzy Hash: EC91AA71A0020ADBDB15EFA8CC85AEEBBF5FF48300F044158F591E6299DB78D945DB60
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClientScreen$DestroyMenu$ParentRectWindow
                  • String ID:
                  • API String ID: 1640059168-0
                  • Opcode ID: 785df68f3c156d4b83dc19a53da17fdf574277f68554c71808a402989b90aaf7
                  • Instruction ID: 49aa82124aaf29dc015a35807b0e73b17532f060fefa3fcc41f0c0f0351bdd05
                  • Opcode Fuzzy Hash: 785df68f3c156d4b83dc19a53da17fdf574277f68554c71808a402989b90aaf7
                  • Instruction Fuzzy Hash: 08714B71A00645DFDB20DFA9C885AAEBBF5FF48304F10443EE59AE7250DB35A901EB90
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FB48CC
                  • GetModuleHandleA.KERNEL32(DWMAPI), ref: 00FB4A38
                  • GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 00FB4A48
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressH_prolog3_HandleModuleProc
                  • String ID: AFX_SUPERBAR_TAB$DWMAPI$DwmSetWindowAttribute
                  • API String ID: 2418878492-136793874
                  • Opcode ID: 59ed0c4df700363fe99b3e27aec6212a323a3c981f8e8cb9a9217a3c27fe5522
                  • Instruction ID: 91c175ada047fca432be4e8a1b778c270c690489146008acccfd8763d3523228
                  • Opcode Fuzzy Hash: 59ed0c4df700363fe99b3e27aec6212a323a3c981f8e8cb9a9217a3c27fe5522
                  • Instruction Fuzzy Hash: 72519D71B402059BEB14EFA6C990FFE77A9AF48710F14011DE94597282DF68ED00EF69
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FE5043
                    • Part of subcall function 00F88ADB: __EH_prolog3.LIBCMT ref: 00F88AE2
                    • Part of subcall function 00F88ADB: GetWindowDC.USER32(00000000,00000004,00F95F09,00000000,?,?,010A4E00), ref: 00F88B0E
                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE5078
                  • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00FE50FC
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00FE5148
                    • Part of subcall function 00F88D3D: SelectObject.GDI32(?,?), ref: 00F88D48
                  • FillRect.USER32(?,?), ref: 00FE5183
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
                  • String ID: (
                  • API String ID: 2680359821-3887548279
                  • Opcode ID: 1e8185179d5ec780baa86416ceccfbfbfa707f7013671f09791957e10e282cf9
                  • Instruction ID: 9b09dc0d6ed7d1dcd86c691b83d0504377b19e074642b5b8eab0f1053f2a5e15
                  • Opcode Fuzzy Hash: 1e8185179d5ec780baa86416ceccfbfbfa707f7013671f09791957e10e282cf9
                  • Instruction Fuzzy Hash: BE5112B1C00258AFDB11EFE6C8849EDBBB9BF08354F60812EE405AB251DB385A45EF50
                  APIs
                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00FF270E
                  • GetMonitorInfoA.USER32(00000000), ref: 00FF2715
                  • CopyRect.USER32(?,?), ref: 00FF2727
                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00FF2737
                  • IntersectRect.USER32(?,?,?), ref: 00FF276A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
                  • String ID: (
                  • API String ID: 2931574886-3887548279
                  • Opcode ID: e1fce8553a090a23711a1eeab1c8cace400a8d00994d0d76a5ccf03c23a6345b
                  • Instruction ID: 88989ea7fb871c4f70468698141225d6fdd33e4926e35357d47c348ea9e97e14
                  • Opcode Fuzzy Hash: e1fce8553a090a23711a1eeab1c8cace400a8d00994d0d76a5ccf03c23a6345b
                  • Instruction Fuzzy Hash: 8B51F6B6D002099FCB20DFA9C9889EEFBF9FF98310B10452AE545E7260D774A905DF61
                  APIs
                  • GlobalLock.KERNEL32(?), ref: 00F98215
                  • lstrlenA.KERNEL32(?), ref: 00F9825F
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F98279
                  • _wcslen.LIBCMT ref: 00F9829D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
                  • String ID: System
                  • API String ID: 4253822919-3470857405
                  • Opcode ID: 254e6e4dfd85be8272ee5a5bc898933a6ecbb00d0e9fea30f41cb03bbb9ddab9
                  • Instruction ID: 0296ceee11ac07f6e9b0517668a77a078db1b69460b6e0e4e8578c206cb5fbdf
                  • Opcode Fuzzy Hash: 254e6e4dfd85be8272ee5a5bc898933a6ecbb00d0e9fea30f41cb03bbb9ddab9
                  • Instruction Fuzzy Hash: 22411271D00219DFEF24DFA4CC85AAEBBB4FF05350F14852AE412EB284DB34A946DB40
                  APIs
                    • Part of subcall function 00FE6ABB: __EH_prolog3_catch.LIBCMT ref: 00FE6AC2
                  • UpdateWindow.USER32(?), ref: 00F9D2A1
                  • EqualRect.USER32(?,?), ref: 00F9D2D7
                  • InflateRect.USER32(?,00000002,00000002), ref: 00F9D2EF
                  • InvalidateRect.USER32(?,?,00000001), ref: 00F9D2FE
                  • InflateRect.USER32(?,00000002,00000002), ref: 00F9D313
                  • InvalidateRect.USER32(?,?,00000001), ref: 00F9D325
                  • UpdateWindow.USER32(?), ref: 00F9D32E
                    • Part of subcall function 00F9CDDB: InvalidateRect.USER32(?,?,00000001), ref: 00F9CE50
                    • Part of subcall function 00F9CDDB: InflateRect.USER32(?,?,?), ref: 00F9CE96
                    • Part of subcall function 00F9CDDB: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 00F9CEA9
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
                  • String ID:
                  • API String ID: 1041772997-0
                  • Opcode ID: b6324aeb440ffad99e90e2f83d1e465264219645707f96308de56ef94d7028db
                  • Instruction ID: 445938dc084e55ebd2e3e616a2b5ba995cd611657c11223f47603c57fe18c336
                  • Opcode Fuzzy Hash: b6324aeb440ffad99e90e2f83d1e465264219645707f96308de56ef94d7028db
                  • Instruction Fuzzy Hash: C7418971A00605AFDF10DF64C888BAE77B9FF48315F240279EC5AEB296CB359904CB61
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FEAA57
                    • Part of subcall function 00F959C6: __EH_prolog3.LIBCMT ref: 00F959CD
                    • Part of subcall function 00F959C6: LoadCursorA.USER32(00000000,00007F00), ref: 00F959F9
                    • Part of subcall function 00F959C6: GetClassInfoA.USER32(?,00000000,?), ref: 00F95A3D
                  • CopyRect.USER32(?,?), ref: 00FEAB0B
                    • Part of subcall function 00F88828: ClientToScreen.USER32(?,00FA73A3), ref: 00F88839
                    • Part of subcall function 00F88828: ClientToScreen.USER32(?,00FA73AB), ref: 00F88846
                  • IsRectEmpty.USER32(?), ref: 00FEAB24
                  • IsRectEmpty.USER32(?), ref: 00FEAB3C
                  • IsRectEmpty.USER32(?), ref: 00FEAB51
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Empty$ClientScreen$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
                  • String ID: Afx:ControlBar
                  • API String ID: 2202805320-4244778371
                  • Opcode ID: 498209aa760803c7f060afea539877b836bd231e2138c506e9921cdfc8ac6b23
                  • Instruction ID: 5ce72548c4f36fdbe967b2ae822ff8ca262fe7f415932e64cf6cada59d824c40
                  • Opcode Fuzzy Hash: 498209aa760803c7f060afea539877b836bd231e2138c506e9921cdfc8ac6b23
                  • Instruction Fuzzy Hash: FD415A31A002589BDF11EFA4CC84BEE77BABF49310F040168FD05BB251DB79AA04EB61
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FDA0A3
                    • Part of subcall function 00F9897D: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00F989A0
                    • Part of subcall function 00FCF57A: __EH_prolog3.LIBCMT ref: 00FCF581
                    • Part of subcall function 00FCF5B7: __EH_prolog3.LIBCMT ref: 00FCF5BE
                    • Part of subcall function 00FCF5B7: __fassign.LIBCMT ref: 00FCF6A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$ByteCharMultiWide__fassign
                  • String ID: MFCLink_FullTextTooltip$MFCLink_Tooltip$MFCLink_Url$MFCLink_UrlPrefix$TRUE
                  • API String ID: 1708987901-3373932565
                  • Opcode ID: 24b3192fd6ada1a91c487da748f4f12ea94d833df58ff5ab14c74e70431ed36c
                  • Instruction ID: 7652820a51c8c14cd4d5246c4daaebe225182ac14b991c38c6f825f4026c99c8
                  • Opcode Fuzzy Hash: 24b3192fd6ada1a91c487da748f4f12ea94d833df58ff5ab14c74e70431ed36c
                  • Instruction Fuzzy Hash: 9C413D3190010A9ACF05FBF4CD62EFEB77AAF14310F180619B512762D2DF789A05EB66
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD70B2
                    • Part of subcall function 01005BB2: __EH_prolog3.LIBCMT ref: 01005BB9
                    • Part of subcall function 01050F67: SetRectEmpty.USER32(?), ref: 01050F97
                  • SetRectEmpty.USER32(?), ref: 00FD71FA
                  • SetRectEmpty.USER32(?), ref: 00FD7209
                  • SetRectEmpty.USER32(?), ref: 00FD7212
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: EmptyRect$H_prolog3
                  • String ID: False$True
                  • API String ID: 3752103406-1895882422
                  • Opcode ID: 142ea9baaeb80ba2272adf3d95bc73eeabe8e081d018a52b81836b62878e65fb
                  • Instruction ID: 842a7a31ae938161e9814ca0903d1971d9f0fae584bf52c2dfb1a548a5695d7e
                  • Opcode Fuzzy Hash: 142ea9baaeb80ba2272adf3d95bc73eeabe8e081d018a52b81836b62878e65fb
                  • Instruction Fuzzy Hash: 7C51CDB0802B408FD366EF7AC5847DAFAE8BF64300F10495EE4EE86261DBB42604DB55
                  APIs
                  • IsWindowVisible.USER32(?), ref: 00FF32AD
                    • Part of subcall function 01021695: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0102170C
                  • IsWindowVisible.USER32(?), ref: 00FF32D7
                  • IsWindowVisible.USER32(?), ref: 00FF331B
                  • RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 00FF333D
                  • RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 00FF334F
                  • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00FF3371
                  • RedrawWindow.USER32(?,?,00000000,00000541), ref: 00FF33A2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Redraw$Visible
                  • String ID:
                  • API String ID: 1637130220-0
                  • Opcode ID: a20df4c2c6f105ac94de2131b6c4f7891416d5f9be77aee6ce8c8cf1be96e118
                  • Instruction ID: 6c9b15cb7336ee14a869c280de0970b60932e522ac0a72f7406f0f852100e74d
                  • Opcode Fuzzy Hash: a20df4c2c6f105ac94de2131b6c4f7891416d5f9be77aee6ce8c8cf1be96e118
                  • Instruction Fuzzy Hash: 4D415B71A0060AEFDB20DF64CD80ABEBBB5BF48354F14447DE69A96261DB309E40EF51
                  APIs
                  • __EH_prolog3_catch_GS.LIBCMT ref: 00F851CA
                  • RegOpenKeyExA.ADVAPI32(80000000,00000010,00000000,0002001F,?), ref: 00F85281
                    • Part of subcall function 00F8515C: __EH_prolog3.LIBCMT ref: 00F85163
                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00F852A4
                  • RegCloseKey.ADVAPI32(?), ref: 00F85374
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumH_prolog3H_prolog3_catch_Open
                  • String ID: Software\Classes\
                  • API String ID: 854624316-1121929649
                  • Opcode ID: 23967988463ce3e98ddc1ddc17dde75e5649921550df50b96988ffd68bd8a5bd
                  • Instruction ID: b8d53ffe844f1cfdc6e2c73906ae57e6496ecd7b0466f5739b230ba77d8e53fb
                  • Opcode Fuzzy Hash: 23967988463ce3e98ddc1ddc17dde75e5649921550df50b96988ffd68bd8a5bd
                  • Instruction Fuzzy Hash: 3A41BB72C001689FCF21FB64CC90BEDBBB5AB09720F0401D8E999A3241CA756F94EF90
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FDC5C0
                    • Part of subcall function 00F9897D: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00F989A0
                    • Part of subcall function 00FCF57A: __EH_prolog3.LIBCMT ref: 00FCF581
                    • Part of subcall function 00F9890C: __EH_prolog3.LIBCMT ref: 00F98913
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$ByteCharMultiWide
                  • String ID: Automatic$MFCColorButton_ColumnsCount$MFCColorButton_EnableAutomaticButton$MFCColorButton_EnableOtherButton$Other
                  • API String ID: 2949695960-3051800008
                  • Opcode ID: 15af03a8d36b408a30935c0c68ac77a1342f97369dd28aef53462b064036ef22
                  • Instruction ID: 5d83a49b516ded988b521d500e78343f03c3048fc728a087a1b01ed97e8f8438
                  • Opcode Fuzzy Hash: 15af03a8d36b408a30935c0c68ac77a1342f97369dd28aef53462b064036ef22
                  • Instruction Fuzzy Hash: 8E314571D0020AAADF00EBE0CD81EFEB7B9AF14300F58452AB515B6141DB79DE05EBA1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClientCursorMessageScreenSend_free_memset
                  • String ID: ,
                  • API String ID: 628317799-3772416878
                  • Opcode ID: 4fe8e5615d961de45e73c5d10e7c347c9e762791e13bc0679d16b32f15d0a6c3
                  • Instruction ID: caadf69de2bd296c36bb862049e241ee9815ed2b6de5b0d6d2951ae6a417d574
                  • Opcode Fuzzy Hash: 4fe8e5615d961de45e73c5d10e7c347c9e762791e13bc0679d16b32f15d0a6c3
                  • Instruction Fuzzy Hash: 4F3181B1E00209AFCB28EF64DC55BADBBB5FF89314F10052DF496D2290DB76A900DB51
                  APIs
                    • Part of subcall function 00FB3CC6: IsIconic.USER32(?), ref: 00FB3CE6
                  • GetWindowRect.USER32(?,?), ref: 00FB4658
                    • Part of subcall function 00F887E7: ScreenToClient.USER32(?,?), ref: 00F887F8
                    • Part of subcall function 00F887E7: ScreenToClient.USER32(?,?), ref: 00F88805
                    • Part of subcall function 00FB4250: __EH_prolog3_GS.LIBCMT ref: 00FB425A
                    • Part of subcall function 00FB4250: GetWindowRect.USER32(?,?), ref: 00FB42A9
                    • Part of subcall function 00FB4250: OffsetRect.USER32(?,?,?), ref: 00FB42BF
                    • Part of subcall function 00FB4250: CreateCompatibleDC.GDI32(?), ref: 00FB4330
                    • Part of subcall function 00FB4250: SelectObject.GDI32(?,?), ref: 00FB4350
                  • GetModuleHandleA.KERNEL32(DWMAPI), ref: 00FB4690
                  • GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 00FB46A0
                  • DeleteObject.GDI32(00000000), ref: 00FB46B7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$ClientObjectScreenWindow$AddressCompatibleCreateDeleteH_prolog3_HandleIconicModuleOffsetProcSelect
                  • String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
                  • API String ID: 3205686482-239049650
                  • Opcode ID: 8f38a25e3a4f0b0babb07a81d5c0db328ca1a82ed44c914030ba94d8d32094a6
                  • Instruction ID: 3ee8d7ab4429056a51a32ced371a3ceb2717c28330cfd0c649f915af16b2158f
                  • Opcode Fuzzy Hash: 8f38a25e3a4f0b0babb07a81d5c0db328ca1a82ed44c914030ba94d8d32094a6
                  • Instruction Fuzzy Hash: 73316B71A0020AAFCB14EFA9C9958BEFBF9FF88704B10452EF556E3251DA746D01DB50
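The blocks above are easier to review when the bullet lines are parsed rather than read. What follows is an added example, not Joe Sandbox code and not code from the sample: a small Python parser for the "APIs" lines as rendered in this report, fed with lines copied from the HKEY_CLASSES_ROOT enumeration block, the GlobalLock/MultiByteToWideChar block and the DWMAPI block, that decodes the registry constants the report prints raw (80000000 is HKEY_CLASSES_ROOT, 80000001 is HKEY_CURRENT_USER, 0002001F is KEY_READ | KEY_WRITE) and flags three patterns worth a second look. The rule names, the write-rights threshold and the clipboard reading of the GlobalLock pattern are this example's own assumptions.

```python
"""Triage of Joe Sandbox "APIs" function blocks (added example, not Joe Sandbox code).

Parses the bullet lines into (api, module, args, ref) records, groups them per
function (each "APIs" header opens a block) and applies three reviewer
heuristics: runtime import resolution with a literal export name, registry
handles requested with write rights, and text read out of an HGLOBAL block.
Assumes the exact line layout rendered in this report.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from three "APIs" blocks of this report.
SAMPLE = """\
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00F851CA
• RegOpenKeyExA.ADVAPI32(80000000,00000010,00000000,0002001F,?), ref: 00F85281
  • Part of subcall function 00F8515C: __EH_prolog3.LIBCMT ref: 00F85163
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00F852A4
• RegCloseKey.ADVAPI32(?), ref: 00F85374
APIs
• GlobalLock.KERNEL32(?), ref: 00F98215
• lstrlenA.KERNEL32(?), ref: 00F9825F
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00F98279
• _wcslen.LIBCMT ref: 00F9829D
APIs
• GetModuleHandleA.KERNEL32(DWMAPI), ref: 00FB4690
• GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 00FB46A0
• DeleteObject.GDI32(00000000), ref: 00FB46B7
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+: )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-F]+)\s*$"
)
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Registry-specific access bits plus READ_CONTROL, the way samDesired is built.
KEY_RIGHTS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
              (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"),
              (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
              (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"),
              (0x20000, "READ_CONTROL")]
WRITE_BITS = 0x2 | 0x4  # assumption: either of these makes a handle "write-capable"
CODE_PAGES = {0: "CP_ACP", 1: "CP_OEMCP", 65001: "CP_UTF8"}
LOADERS = ("GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: bool  # True for "Part of subcall function" lines


def hexarg(arg: str) -> Optional[int]:
    """Joe renders immediates as 8 hex digits; anything else is a string or '?'."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None


def decode_access(mask: int) -> list:
    return [name for bit, name in KEY_RIGHTS if mask & bit]


def parse_blocks(text: str) -> list:
    blocks = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not blocks:
            continue  # "Strings", "Memory Dump Source" and similar headers
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        blocks[-1].append(Call(m["api"], m["mod"], args, m["ref"], bool(m["sub"])))
    return blocks


def triage(text: str) -> list:
    findings = []
    for idx, calls in enumerate(parse_blocks(text)):
        own = [c for c in calls if not c.subcall]
        func = own[0].ref if own else f"block{idx}"
        names = {c.api for c in own}
        for c in own:
            # Rule 1: GetProcAddress with a literal export name, i.e. an import kept out of the IAT.
            if (c.api == "GetProcAddress" and len(c.args) > 1
                    and c.args[1] != "?" and hexarg(c.args[1]) is None):
                mod = next((l.args[0] for l in own if l.api in LOADERS and l.args), "?")
                findings.append({"func": func, "rule": "dynamic-import",
                                 "detail": f"{mod}!{c.args[1]}"})
            # Rule 2: registry key opened or created with KEY_SET_VALUE / KEY_CREATE_SUB_KEY.
            if c.api.startswith(("RegOpenKeyEx", "RegCreateKeyEx")):
                pos = 3 if c.api.startswith("RegOpenKeyEx") else 5  # samDesired index
                mask = hexarg(c.args[pos]) if len(c.args) > pos else None
                if mask is not None and mask & WRITE_BITS:
                    hive = hexarg(c.args[0])
                    findings.append({"func": func, "rule": "registry-write-access",
                                     "hive": HIVES.get(hive, c.args[0]),
                                     "rights": decode_access(mask), "detail": c.api})
        # Rule 3: GlobalLock + MultiByteToWideChar is how CF_TEXT clipboard data is read
        # out of its HGLOBAL; heuristic, since GetClipboardData may sit in a caller.
        if {"GlobalLock", "MultiByteToWideChar"} <= names:
            mb = next(c for c in own if c.api == "MultiByteToWideChar")
            cp = hexarg(mb.args[0]) if mb.args else None
            findings.append({"func": func, "rule": "hglobal-text-read",
                             "detail": CODE_PAGES.get(cp, mb.args[0] if mb.args else "?")})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Paste any "APIs" block from this report into SAMPLE and the same three rules run over it. The caveat a reviewer needs here: the String IDs in these blocks (Afx:ControlBar, MFCLink_Url, DwmSetIconicLivePreviewBitmap) are MFC runtime strings, and MFC resolves DWMAPI exports at runtime on purpose, so a "dynamic-import" hit only says where to look in the dump, not that the function is the malicious part of the sample.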
                  APIs
                    • Part of subcall function 01017D90: GetParent.USER32(?), ref: 01017D9C
                    • Part of subcall function 01017D90: GetParent.USER32(00000000), ref: 01017D9F
                    • Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
                  • __cftof.LIBCMT ref: 01018954
                  • swprintf.LIBCMT ref: 01018976
                  • lstrlenA.KERNEL32(?,?,?,?,00000000), ref: 01018988
                  • lstrlenA.KERNEL32(?,?,?,?,00000000), ref: 01018997
                  • _strcat_s.LIBCMT ref: 010189B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Parentlstrlen$LongWindow__cftof_strcat_sswprintf
                  • String ID: :%d
                  • API String ID: 1631328139-1955712242
                  • Opcode ID: b9c18d4214c3f7f50b150605359fc09084aea0fd0301bff0ac975aa390365d9c
                  • Instruction ID: 47a116014cbb4d2fb4d16fd12ffdd6f9d7ae8a20608a8eea438df408c590b384
                  • Opcode Fuzzy Hash: b9c18d4214c3f7f50b150605359fc09084aea0fd0301bff0ac975aa390365d9c
                  • Instruction Fuzzy Hash: 1A21A371A00109ABDB14EBA8CC88EEE77ADBF14314F0441A6F64697241DB38EA41DB94
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Empty$CaptureMessageParentReleaseSendWindow
                  • String ID:
                  • API String ID: 2026794321-0
                  • Opcode ID: 3d74c2dfd1976fe24169466242f3c1d468dfb7208bfa8ab5c3bf0322c5280120
                  • Instruction ID: fc68cb6215d05b08c8c72ffd3f8cafa9c419d486a6ef196083d9c1b51d74d520
                  • Opcode Fuzzy Hash: 3d74c2dfd1976fe24169466242f3c1d468dfb7208bfa8ab5c3bf0322c5280120
                  • Instruction Fuzzy Hash: 683105B1D01219EFDF10DF94C8889EEBBB9FF08704F14416AF905AA215D7759A01CFA1
                  APIs
                  • IsWindow.USER32(?), ref: 00FF2CDF
                  • SendMessageA.USER32(?,0000020A,?,?), ref: 00FF2D11
                  • GetFocus.USER32 ref: 00FF2D25
                  • IsChild.USER32(?,?), ref: 00FF2D47
                  • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00FF2D78
                  • IsWindowVisible.USER32(?), ref: 00FF2D8D
                  • SendMessageA.USER32(?,0000020A,?,?), ref: 00FF2DAB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$Window$ChildFocusVisible
                  • String ID:
                  • API String ID: 1252167185-0
                  • Opcode ID: b8c8153a350a6d9fd3a40b25547c190d4bb65b7b0e43bedce7d34bdd52fa8d37
                  • Instruction ID: 255c007bd180e079718e0f001724694f91fda09ba251f61485997e2e8e67aa92
                  • Opcode Fuzzy Hash: b8c8153a350a6d9fd3a40b25547c190d4bb65b7b0e43bedce7d34bdd52fa8d37
                  • Instruction Fuzzy Hash: 55215E32A00209AFDBB09F25D815F697BB5BF08761F054069FA85DB5B5D736EC00EB40
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00F849E1
                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00F84A0C
                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00F84A37
                  • RegCloseKey.ADVAPI32(?), ref: 00F84A4B
                  • RegCloseKey.ADVAPI32(?), ref: 00F84A55
                    • Part of subcall function 00F848CB: GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00F848DD
                    • Part of subcall function 00F848CB: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00F848ED
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CloseCreate$AddressHandleModuleOpenProc
                  • String ID: software
                  • API String ID: 550756860-2010147023
                  • Opcode ID: f459dad478e2e6510ed6e6accdd88657237c7aa8fbf89578477f492440a41a16
                  • Instruction ID: 3760fb90d1ff3b8feb7ca012ad3236fccb9e8d781b6ff9a093d7ef1777ba12c4
                  • Opcode Fuzzy Hash: f459dad478e2e6510ed6e6accdd88657237c7aa8fbf89578477f492440a41a16
                  • Instruction Fuzzy Hash: B0212732900059FA8F25AE86CC89DEFBFBEEBC5714B24405AF515A6014E7366A40EB64
                  APIs
                  • GetParent.USER32(?), ref: 00FFECE2
                  • GetSystemMenu.USER32(?,00000000,00000000), ref: 00FFED10
                  • _memset.LIBCMT ref: 00FFED2F
                  • GetMenuItemInfoA.USER32(?,0000F060,00000000,?), ref: 00FFED4F
                  • SendMessageA.USER32(?,00000112,0000F060,00000000), ref: 00FFED68
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Menu$Exception@8InfoItemMessageParentSendSystemThrow_memset
                  • String ID: 0
                  • API String ID: 1672984559-4108050209
                  • Opcode ID: c507597b547cf469265cb62113cb95846682a751b364849335b8034798278ef1
                  • Instruction ID: 891c11159a912ad4df122b96850013d3b1ed60934daea22330dd89c99eee5045
                  • Opcode Fuzzy Hash: c507597b547cf469265cb62113cb95846682a751b364849335b8034798278ef1
                  • Instruction Fuzzy Hash: EA21A472A102196BEF206FB0DC86FEE77A9FF44764F150038FA44A61A1DB799C40D7A0
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FB900D
                  • DestroyAcceleratorTable.USER32(?), ref: 00FB9021
                  • GetTopWindow.USER32(?), ref: 00FB9059
                  • GetWindow.USER32(?,00000002), ref: 00FB9091
                  • IsWindow.USER32(?), ref: 00FB90B0
                  • GetParent.USER32(?), ref: 00FB90BB
                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 00FB90C7
                  Yara matches
                  Similarity
                  • API ID: Window$Destroy$AcceleratorH_prolog3ParentTable
                  • String ID:
                  • API String ID: 2502036937-0
                  • Opcode ID: d631488ef05f9d9406777c9a6d812deb9372a55e7d152687f67ce637b69bbc26
                  • Instruction ID: 8e6cc408ae548f8d883dfe88b3e755679742db86a8f848a362c9c2402c4452c5
                  • Opcode Fuzzy Hash: d631488ef05f9d9406777c9a6d812deb9372a55e7d152687f67ce637b69bbc26
                  • Instruction Fuzzy Hash: 93318F70D002158BCF21BFB6C8845EEFBB5BF98360F15451AE591B7255CBBA4901EFA0
                  APIs
                  • GetAsyncKeyState.USER32(00000012), ref: 00FC070A
                  • GetAsyncKeyState.USER32(00000012), ref: 00FC0724
                  • GetKeyboardState.USER32(?), ref: 00FC0746
                  • GetKeyboardLayout.USER32(?), ref: 00FC0754
                  • MapVirtualKeyA.USER32(?,00000000), ref: 00FC076E
                  • ToAsciiEx.USER32(?,00000000), ref: 00FC0776
                  • CharUpperA.USER32(?), ref: 00FC0796
                  Yara matches
                  Similarity
                  • API ID: State$AsyncKeyboard$AsciiCharLayoutUpperVirtual
                  • String ID:
                  • API String ID: 1513035088-0
                  • Opcode ID: 1c5bbd237770573b30985fbc01c0a775a6461a4a9ae62cd1de1f10f1be315744
                  • Instruction ID: 34a44389b8a0bba8bb4c9dce15f36a3d63b6336ad41cfe1a5db0b6b1c9bfd0a4
                  • Opcode Fuzzy Hash: 1c5bbd237770573b30985fbc01c0a775a6461a4a9ae62cd1de1f10f1be315744
                  • Instruction Fuzzy Hash: 4D21D13190421ADBDB20AB60DD85FEE77BCFF55754F0440AAE5C1D2181CEB4AA85DF60
                  APIs
                  • GetSystemMetrics.USER32(00000037), ref: 00FFEC2B
                  • GetSystemMetrics.USER32(00000032), ref: 00FFEC31
                  • GetSystemMetrics.USER32(00000037), ref: 00FFEC3D
                  • GetSystemMetrics.USER32(00000036), ref: 00FFEC43
                  • GetSystemMetrics.USER32(00000031), ref: 00FFEC49
                  • GetSystemMetrics.USER32(00000036), ref: 00FFEC55
                  • DrawIconEx.USER32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000003), ref: 00FFEC8C
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem$DrawIcon
                  • String ID:
                  • API String ID: 2707151559-0
                  • Opcode ID: 7efceb162fe0a93ad112c668f988a4db73e18323eae4fb1924a79b87d39260d5
                  • Instruction ID: 6ba89bfa428c09cd87f487efed6a1e0439f17fdaa657e17399ac8f49e4be67d7
                  • Opcode Fuzzy Hash: 7efceb162fe0a93ad112c668f988a4db73e18323eae4fb1924a79b87d39260d5
                  • Instruction Fuzzy Hash: 6311E931740318BBD7118AB48D49F6A7F9DDF84BA4F28802AF709AB1D0D5B2DD02D790
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F93206
                  • SetTimer.USER32(00000000,?,00000000), ref: 00F932A9
                    • Part of subcall function 00F8C62F: ActivateActCtx.KERNEL32(?,?,010C9830,00000010,00F8F176,hhctrl.ocx,00F8E3A8,0000000C), ref: 00F8C64F
                  • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00F9323B
                    • Part of subcall function 00F87223: __EH_prolog3.LIBCMT ref: 00F8722A
                  • CoTaskMemFree.OLE32(?), ref: 00F93286
                  Strings
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$ActivateAddressFreeProcTaskTimer
                  • String ID: SHELL32.DLL$SHGetKnownFolderPath
                  • API String ID: 3676277837-4069204515
                  • Opcode ID: 7865a1432bf7770db1a40e4d2ff5de6d3aef358640c1fb4eed141c1a5998d172
                  • Instruction ID: 9484eebe257602348cd93831d4f06e5525ab54d9471702fb457cbe8923e1e6cc
                  • Opcode Fuzzy Hash: 7865a1432bf7770db1a40e4d2ff5de6d3aef358640c1fb4eed141c1a5998d172
                  • Instruction Fuzzy Hash: 39119D7090020A9BEF64EFA4DC95BBEBBB4BF00314F10051CE592AA191CB748A44EB51
                  APIs
                  Yara matches
                  Similarity
                  • API ID: Task_impl$H_prolog3
                  • String ID:
                  • API String ID: 1204490572-0
                  • Opcode ID: c2a72119537fdfdcfe03f899686bded5d236c9743218090a42c69020c5971cc7
                  • Instruction ID: 828056f62d17a7ffa09d5c9dfcbc9ab704bdc57b3d1fad745ee4d091ed34f5e7
                  • Opcode Fuzzy Hash: c2a72119537fdfdcfe03f899686bded5d236c9743218090a42c69020c5971cc7
                  • Instruction Fuzzy Hash: 03215970508782CEEB15FBF8C5647EEBAA1AF21314F54454CD5EA172C2DF742A48D722
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F8C9D6
                  • GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 00F8CA33
                  • GetProcAddress.KERNEL32(UnregisterTouchWindow,00000000), ref: 00F8CA55
                    • Part of subcall function 00F82C42: ActivateActCtx.KERNEL32(?,?,010C8EC8,00000010,00F82E57,KERNEL32.DLL), ref: 00F82C62
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AddressProc$ActivateH_prolog3
                  • String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
                  • API String ID: 1001276555-2470269259
                  • Opcode ID: 52687999f3b7cee4fcec291ce48903da494427c670ba0bfe3edfc327859d5427
                  • Instruction ID: 2df912b52c35cae403895e5a0b00c3dd5f61a7549db90d4d2a2257948e19024b
                  • Opcode Fuzzy Hash: 52687999f3b7cee4fcec291ce48903da494427c670ba0bfe3edfc327859d5427
                  • Instruction Fuzzy Hash: ED11B230A00306DBDB28FB75E857B953BB4BB14368F10401DE4E3969D4D77E9A41BBA1
                  APIs
                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00F829A5
                  • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 00F829C2
                  • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 00F829CC
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Exception@8HandleModuleThrow
                  • String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
                  • API String ID: 2144170044-4287352451
                  • Opcode ID: bebb7cbfe06a9167589f0ec6a2370b11d520762f4d80ef5414a53b018a443f3d
                  • Instruction ID: f08b51d4902ca696de7ff1e570a42a60750b5b5884075b1ead340752dea32f54
                  • Opcode Fuzzy Hash: bebb7cbfe06a9167589f0ec6a2370b11d520762f4d80ef5414a53b018a443f3d
                  • Instruction Fuzzy Hash: 9501B536A00215ABDB21A7B18859FAEB6ACEF85668F15006DE50197200DA78ED00D760
                  APIs
                  • LeaveCriticalSection.KERNEL32(?), ref: 00F924D8
                  • __CxxThrowException@8.LIBCMT ref: 00F924E2
                    • Part of subcall function 01078515: RaiseException.KERNEL32(00F81861,00000000,31AAD7C2,010C06A0,00F81861,00000000,010D56CC,00000000,31AAD7C2), ref: 01078557
                  • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F924F9
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92506
                    • Part of subcall function 00F87975: __CxxThrowException@8.LIBCMT ref: 00F8798B
                  • _memset.LIBCMT ref: 00F92525
                  • TlsSetValue.KERNEL32(?,00000000), ref: 00F92536
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92557
                  Yara matches
                  Similarity
                  • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                  • String ID:
                  • API String ID: 356813703-0
                  • Opcode ID: c214c1f0b3316cc98665adfca37086f0b5109e1ba08500614034c2f405dbb77f
                  • Instruction ID: 4eca168822c5bb600e110a483eda0faa7546568d610ae613f43105009b5908d3
                  • Opcode Fuzzy Hash: c214c1f0b3316cc98665adfca37086f0b5109e1ba08500614034c2f405dbb77f
                  • Instruction Fuzzy Hash: 78118BB0500605BFEB20BF64CC99D6ABBB5FF44314721C42DF89A961A5CB36EC14DB50
                  APIs
                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00F82908
                  • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 00F82925
                  • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 00F8292F
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Strings
                  • KERNEL32.DLL, xrefs: 00F82903
                  • RegisterApplicationRecoveryCallback, xrefs: 00F82927
                  • RegisterApplicationRestart, xrefs: 00F8291F
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Exception@8HandleModuleThrow
                  • String ID: KERNEL32.DLL$RegisterApplicationRecoveryCallback$RegisterApplicationRestart
                  • API String ID: 2144170044-723216104
                  • Opcode ID: 86b58c336cf8254587079fe9cc8e0f11ebf9d72bdc1a7bfa336ec4d0fcd9f3c6
                  • Instruction ID: 7d8b3c78eac176b37177b38ac0f1058117843a10d28c92a886244f4c1a1523f7
                  • Opcode Fuzzy Hash: 86b58c336cf8254587079fe9cc8e0f11ebf9d72bdc1a7bfa336ec4d0fcd9f3c6
                  • Instruction Fuzzy Hash: 9FF04433A0021FA79F622EA69D51DDB7FA9EF947B4B04002AFD50A2110DB76DC21B791
                  APIs
                  • GetSysColor.USER32(0000000F), ref: 00F96DA2
                  • GetSysColor.USER32(00000010), ref: 00F96DA9
                  • GetSysColor.USER32(00000014), ref: 00F96DB0
                  • GetSysColor.USER32(00000012), ref: 00F96DB7
                  • GetSysColor.USER32(00000006), ref: 00F96DBE
                  • GetSysColorBrush.USER32(0000000F), ref: 00F96DCB
                  • GetSysColorBrush.USER32(00000006), ref: 00F96DD2
                  Yara matches
                  Similarity
                  • API ID: Color$Brush
                  • String ID:
                  • API String ID: 2798902688-0
                  • Opcode ID: ef7063fea854dc95d98fc36e17b2edc98bf3e1ecfcc7f56abeb2aad21f890673
                  • Instruction ID: 23839a9daaf3185da2198b5d3a6d32da19b7e0ff1245eb5c9f12b5828372cfff
                  • Opcode Fuzzy Hash: ef7063fea854dc95d98fc36e17b2edc98bf3e1ecfcc7f56abeb2aad21f890673
                  • Instruction Fuzzy Hash: D2F0FE719407445BD730BF725949B47BAD1FFC4710F12092EE2858B990D6B6E441DF40
                  APIs
                  • SetRectEmpty.USER32(?), ref: 00FF7302
                    • Part of subcall function 00FF5627: SetRectEmpty.USER32(?), ref: 00FF5634
                    • Part of subcall function 00FF5627: GetWindowRect.USER32(?,?), ref: 00FF5645
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • GetWindowRect.USER32(?,?), ref: 00FF7548
                  • IntersectRect.USER32(?,?,?), ref: 00FF7559
                  • IntersectRect.USER32(?,?,?), ref: 00FF7596
                  • GetWindowRect.USER32(?,?), ref: 00FF7765
                  • EqualRect.USER32(?,?), ref: 00FF777E
                  Yara matches
                  Similarity
                  • API ID: Rect$Window$EmptyIntersect$EqualException@8Throw
                  • String ID:
                  • API String ID: 732448014-0
                  • Opcode ID: 652f0a084f076855fe7c6e10ea5e7602d0bd6301da17e846e01be17762ac8d90
                  • Instruction ID: 712da72a8142ea6489b72111161bba4430f5ed1a974142d6565c6b7dfbe29c1f
                  • Opcode Fuzzy Hash: 652f0a084f076855fe7c6e10ea5e7602d0bd6301da17e846e01be17762ac8d90
                  • Instruction Fuzzy Hash: 7C122672D0435D9BCF21EFA8C984AAEFBB5BF08310F144069EA15A7221D771AD41EF90
                  APIs
                  • GetParent.USER32(?), ref: 00F9EF9D
                  • GetClientRect.USER32(?,?), ref: 00F9EFB0
                  • GetWindowRect.USER32(?,?), ref: 00F9EFFE
                  • GetParent.USER32(?), ref: 00F9F007
                  • GetParent.USER32(?), ref: 00F9F224
                  • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00F9F248
                  Yara matches
                  Similarity
                  • API ID: Parent$RectWindow$ClientRedraw
                  • String ID:
                  • API String ID: 443302174-0
                  • Opcode ID: efbf943acca145996d079c077295910b659282ef63e67fc02a1f57728d39b4af
                  • Instruction ID: 4acf934b0ac190a80930aa68df7710d30a85c9322fb47eac00b52c470fce8ba8
                  • Opcode Fuzzy Hash: efbf943acca145996d079c077295910b659282ef63e67fc02a1f57728d39b4af
                  • Instruction Fuzzy Hash: 98B14771E00218EFDF15DFA8C888AEEBBB5BF48710F14417AE406EB255DB359944DBA0
                  APIs
                  • GetCursorPos.USER32(?), ref: 00FA853C
                  • GetWindowRect.USER32(?,?), ref: 00FA8555
                  • PtInRect.USER32(?,?,?), ref: 00FA8573
                  • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00FA8584
                  • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00FA85DC
                    • Part of subcall function 00F8F02A: GetParent.USER32(?), ref: 00F8F034
                  • GetFocus.USER32 ref: 00FA86B8
                    • Part of subcall function 00FC5FDA: __EH_prolog3_GS.LIBCMT ref: 00FC5FE4
                    • Part of subcall function 00FC5FDA: GetWindowRect.USER32(?,?), ref: 00FC607D
                    • Part of subcall function 00FC5FDA: SetRect.USER32(00000019,00000000,00000000,?,?), ref: 00FC609F
                    • Part of subcall function 00FC5FDA: CreateCompatibleDC.GDI32(?), ref: 00FC60AB
                    • Part of subcall function 00FC5FDA: CreateCompatibleBitmap.GDI32(?,00000019,010DA380), ref: 00FC60D5
                    • Part of subcall function 00FC5FDA: GetWindowRect.USER32(?,?), ref: 00FC6137
                    • Part of subcall function 00FC5FDA: GetClientRect.USER32(?,?), ref: 00FC6140
                  Yara matches
                  Similarity
                  • API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
                  • String ID:
                  • API String ID: 2914356772-0
                  • Opcode ID: d12dfb315253263019a072978dc6ed73c85364a2dc2c9865929006314fa207ff
                  • Instruction ID: 86eb5b73d11527ffa0ec567f739895c4093ce4898c5d7426fb75484bf6978510
                  • Opcode Fuzzy Hash: d12dfb315253263019a072978dc6ed73c85364a2dc2c9865929006314fa207ff
                  • Instruction Fuzzy Hash: 4B81D4B0E006018FDB25AF6488959BEB7F5FF89760B28052EE446C7345EFB59C42EB50
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FFC40D
                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00FFC445
                  • IsWindow.USER32(?), ref: 00FFC46A
                  • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00FFC58F
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00FFC5E6
                  • UpdateWindow.USER32(?), ref: 00FFC5EF
                  Yara matches
                  Similarity
                  • API ID: Window$MessageRectSend$InvalidateUpdate
                  • String ID:
                  • API String ID: 1016537255-0
                  • Opcode ID: 1a4e6d9eb8f7e952a4a6e9b05059a5deb2fb19a9f87a2091cecc5db5e8a7c0bd
                  • Instruction ID: d605e457d2ef7f7036c4e386397cf42ecad64047c49b02d4d5b512b15b308450
                  • Opcode Fuzzy Hash: 1a4e6d9eb8f7e952a4a6e9b05059a5deb2fb19a9f87a2091cecc5db5e8a7c0bd
                  • Instruction Fuzzy Hash: 1A916231A00B1DDFCB21DF64CA94ABAB7F1FF94350F24496DE69A87161D770A840EB90
                  APIs
                  • __EH_prolog3.LIBCMT ref: 0101131C
                  • CreateCompatibleDC.GDI32(?), ref: 0101139F
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 010113CF
                  • SelectObject.GDI32(?,00000000), ref: 01011429
                    • Part of subcall function 0101106E: FillRect.USER32(00000002,?,?), ref: 010110AC
                  Yara matches
                  Similarity
                  • API ID: CompatibleCreate$BitmapFillH_prolog3ObjectRectSelect
                  • String ID:
                  • API String ID: 3038325377-0
                  • Opcode ID: de1933e88d4bbab7aa13993c7fcc617293ea7707fba8d91ee8fd1e7803c487ed
                  • Instruction ID: 830d99f70e7c8ff44a82b3d1e2e6e077c312d1d4cb5f84f9f6b7ddd5c770ff94
                  • Opcode Fuzzy Hash: de1933e88d4bbab7aa13993c7fcc617293ea7707fba8d91ee8fd1e7803c487ed
                  • Instruction Fuzzy Hash: 4751267290010ADFDF05EFE8C9858EEBBB1FF18304F148469EA41BB255DB399A15DB60
                  APIs
                  • GetParent.USER32(00000000), ref: 00FA0A75
                  • SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00FA0AB4
                  • SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 00FA0AE3
                  • SetRectEmpty.USER32(?), ref: 00FA0B3D
                  • SendMessageA.USER32(00000000,00000406,00000000,?), ref: 00FA0BA3
                  • RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 00FA0BC9
                  Yara matches
                  Similarity
                  • API ID: MessageSend$EmptyParentRectRedrawWindow
                  • String ID:
                  • API String ID: 3879113052-0
                  • Opcode ID: dab6cd0624a0a61e2281c4478387ae823d64bf4836c5b8f5d081b57b146d3c0a
                  • Instruction ID: 59296835a3f1d4cce7232f54f6bd183a95a76f8c503970c0c08d36844aca2d40
                  • Opcode Fuzzy Hash: dab6cd0624a0a61e2281c4478387ae823d64bf4836c5b8f5d081b57b146d3c0a
                  • Instruction Fuzzy Hash: 535176B1E006099FDB20DFA8D984BADBBF5BF88704F20416AE546E7281EB759940DF50
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FCEE23
                  • _memset.LIBCMT ref: 00FCEE85
                  • GlobalAlloc.KERNEL32(00000040,0000000C), ref: 00FCEE9E
                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00FCEED8
                  • SendMessageA.USER32(?,00001007,00000000,0000000F), ref: 00FCEF42
                  • SendMessageA.USER32(?,00001200,00000000,00000000), ref: 00FCEF5E
                  Yara matches
                  Similarity
                  • API ID: MessageSend$AllocGlobalH_prolog3_memset
                  • String ID:
                  • API String ID: 2273997446-0
                  • Opcode ID: bd5015c064a2dab059ca8a5b2ae39cd9015890c282baa038f80e69d6daafe513
                  • Instruction ID: c2b53128f6693f96e78ad52e449dbcf39c95a8f280b3e278f339280ec6566a0b
                  • Opcode Fuzzy Hash: bd5015c064a2dab059ca8a5b2ae39cd9015890c282baa038f80e69d6daafe513
                  • Instruction Fuzzy Hash: E1513871A0020AAFEB15DF94C84AFEEBBB4BF48300F10451CF646AA290C775AA45DF60
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FCD190
                  • CoTaskMemFree.OLE32(?,000000FF), ref: 00FCD236
                  • GetParent.USER32(?), ref: 00FCD2AF
                  • SendMessageA.USER32(?,00000464,00000104,?), ref: 00FCD2C3
                  • GetParent.USER32(?), ref: 00FCD2F6
                  • SendMessageA.USER32(?,00000465,00000104,?), ref: 00FCD30A
                  Yara matches
                  Similarity
                  • API ID: MessageParentSend$FreeH_prolog3Task
                  • String ID:
                  • API String ID: 526180827-0
                  • Opcode ID: a2c4fc393767c8361e2b3ecf0855f0fdb1ed9e0ba2cdc68ab40f12b882e40f43
                  • Instruction ID: e4d61408483bd3ddb37b2caf5352bf22110823a2f2b3e1ca6567edabda59e01c
                  • Opcode Fuzzy Hash: a2c4fc393767c8361e2b3ecf0855f0fdb1ed9e0ba2cdc68ab40f12b882e40f43
                  • Instruction Fuzzy Hash: C5511D71A0021BAFCB04EFA4CD45FEEB775BF45314B104628F565A7292DB39A901EBA0
                  APIs
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • __EH_prolog3.LIBCMT ref: 010200E1
                  • GetTopWindow.USER32(?), ref: 0102014C
                  • GetWindow.USER32(?,00000002), ref: 0102016A
                  • IsWindow.USER32(?), ref: 01020189
                  • GetParent.USER32(?), ref: 01020194
                  • DestroyWindow.USER32(?,?,?,00FB50E0), ref: 010201A0
                  Yara matches
                  Similarity
                  • API ID: Window$DestroyException@8H_prolog3ParentThrow
                  • String ID:
                  • API String ID: 3731540811-0
                  • Opcode ID: c08573f6af4cfccb17d84b9a8975e8a590f0434f9b278204f7ee1036b9dccf45
                  • Instruction ID: eaf15bb1b27e6c62001466f11ef5c60f9a4de5830e61268357bc03b73f265f61
                  • Opcode Fuzzy Hash: c08573f6af4cfccb17d84b9a8975e8a590f0434f9b278204f7ee1036b9dccf45
                  • Instruction Fuzzy Hash: 5F418F319013209BDF21AFA8CC85B9DBBB1BF84710F250199F8D57B299CB759D40DB90
                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00F865DD
                  • GlobalLock.KERNEL32(?), ref: 00F866BE
                  • CreateDialogIndirectParamA.USER32(?,?,?,00F85FB6,00000000), ref: 00F866ED
                  • DestroyWindow.USER32(00000000), ref: 00F86767
                  • GlobalUnlock.KERNEL32(?), ref: 00F86777
                  • GlobalFree.KERNEL32(?), ref: 00F86780
                  Yara matches
                  Similarity
                  • API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
                  • String ID:
                  • API String ID: 3003189058-0
                  • Opcode ID: f014c3dc200b3594d02fd9ca9383ecbb4bb09b41e881cf2c4ed04f8f38cdf0e1
                  • Instruction ID: b61bfffa18e87b0f6542d1ef995bdaf2aacf57da165fed0dbdafc68d48d5d538
                  • Opcode Fuzzy Hash: f014c3dc200b3594d02fd9ca9383ecbb4bb09b41e881cf2c4ed04f8f38cdf0e1
                  • Instruction Fuzzy Hash: B75178319002499BCF20EFA4C8999EEBBB5BF44314F14052DE542E7291DF399A41EB61
                  APIs
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FDC9FC
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FDCA2D
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FDCA5C
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FDCA7E
                    • Part of subcall function 00F9A720: __EH_prolog3.LIBCMT ref: 00F9A727
                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00FDCA8B
                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00FDCABE
                  Yara matches
                  Similarity
                  • API ID: InflateRect$H_prolog3
                  • String ID:
                  • API String ID: 3346915232-0
                  • Opcode ID: f7e2378a3f053b6273dfa47169eacc5859fff8d2321d4de4426fb31168be72d5
                  • Instruction ID: a0b2d691aab41b65467da5f3ce087d349081ff24d78dd455018e73caad3edfd2
                  • Opcode Fuzzy Hash: f7e2378a3f053b6273dfa47169eacc5859fff8d2321d4de4426fb31168be72d5
                  • Instruction Fuzzy Hash: 7C41843580411AFBCF22DF54DC60AA97B62FB45370F28432BF8645A2D9CB7A4841EB91
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD6A96
                  • GetAsyncKeyState.USER32(00000011), ref: 00FD6AE3
                    • Part of subcall function 00FD33F9: __EH_prolog3_GS.LIBCMT ref: 00FD3400
                    • Part of subcall function 00FD33F9: IsRectEmpty.USER32(?), ref: 00FD341B
                    • Part of subcall function 00FD33F9: InvertRect.USER32(?,?), ref: 00FD3431
                    • Part of subcall function 00FD33F9: SetRectEmpty.USER32(?), ref: 00FD343F
                  • GetAsyncKeyState.USER32(00000011), ref: 00FD6E30
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Rect$AsyncEmptyState$H_prolog3H_prolog3_Invert
                  • String ID: (
                  • API String ID: 2718929451-3887548279
                  • Opcode ID: a1f5012fcee2c85df4fb3a6d419cb6dba23e8d3f87a7298f622dd5223057f7c8
                  • Instruction ID: 536d846f2af37492cf7fea10fa2705789bee4f8bc1c064211824602ae4ad5447
                  • Opcode Fuzzy Hash: a1f5012fcee2c85df4fb3a6d419cb6dba23e8d3f87a7298f622dd5223057f7c8
                  • Instruction Fuzzy Hash: 64D1BF31A00A459FDB25DFA4C8D0BBA77ABEF84714F18441FE15ACB381CA71AE41EB11
                  APIs
                  • IsMenu.USER32(?), ref: 00FEC901
                  • GetMenuDefaultItem.USER32(?,00000000,00000001), ref: 00FEC927
                  • GetMenuItemCount.USER32(?), ref: 00FEC933
                  • GetMenuItemID.USER32(?,?), ref: 00FEC95C
                  • GetSubMenu.USER32(?,?), ref: 00FEC9A7
                  • GetMenuState.USER32(?,?,00000400), ref: 00FEC9E1
                  Yara matches
                  Similarity
                  • API ID: Menu$Item$CountDefaultState
                  • String ID:
                  • API String ID: 170603052-0
                  • Opcode ID: c738c6d87400eed5c15eb3c2cd207a35ba5474f8cd42fa1c5956878c66e1abab
                  • Instruction ID: fd60ef47558da9367da9d1568bc7238c71ede9493ecae9bb211966a8e15ce8ae
                  • Opcode Fuzzy Hash: c738c6d87400eed5c15eb3c2cd207a35ba5474f8cd42fa1c5956878c66e1abab
                  • Instruction Fuzzy Hash: 4141C371600204AFCF20EF61C889AADBFB6FF48750F008529F946DB256DB35D942EB80
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FA528B
                  • OffsetRect.USER32(?,?,?), ref: 00FA52A9
                  • SendMessageA.USER32(00000000,0000000B,00000000,00000000), ref: 00FA52B6
                  • IsWindowVisible.USER32(?), ref: 00FA52BF
                  • SendMessageA.USER32(00000014,0000000B,00000001,00000000), ref: 00FA5332
                  • RedrawWindow.USER32(00000105,00000000,00000000,00000105), ref: 00FA5342
                    • Part of subcall function 00F913B6: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,00F8D36C,?,00F8D36C,00000000,?,?,000000FF,000000FF,00000015), ref: 00F913DE
                  Yara matches
                  Similarity
                  • API ID: Window$MessageRectSend$OffsetRedrawVisible
                  • String ID:
                  • API String ID: 2707749077-0
                  • Opcode ID: 367c6c59ce26e0622fa344d73e7ce7736afed45c6c58c768ce967fd56e44d344
                  • Instruction ID: 8fddf4747f8fd098482da8961b79a1452ec71a95d5e4f6ea84d5ccf1024d1942
                  • Opcode Fuzzy Hash: 367c6c59ce26e0622fa344d73e7ce7736afed45c6c58c768ce967fd56e44d344
                  • Instruction Fuzzy Hash: E83120B1A00209BFEB21DFA4CD85EBFBBB9FB48744F10051CB555A2251DB719D00DB20
                  APIs
                  • __EH_prolog3.LIBCMT ref: 01014665
                  • GetMenuItemCount.USER32(?), ref: 01014695
                  • GetMenuItemID.USER32(?,00000000), ref: 010146AF
                  • GetMenuState.USER32(?,00000000,00000400), ref: 010146C3
                  • ModifyMenuA.USER32(?,00000000,00000400,00000000,?), ref: 0101471C
                  • GetSubMenu.USER32(?,00000000), ref: 01014735
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Yara matches
                  Similarity
                  • API ID: Menu$Item$CountException@8H_prolog3ModifyStateThrow
                  • String ID:
                  • API String ID: 447907710-0
                  • Opcode ID: fe10739e0c61e93bfc4763bdc848f78ef99ccb9cca63e025924f3eda9ae2d65e
                  • Instruction ID: e42463702b3008258a896f49d02a7abb7160eb5928cc18204aed2031029b3f73
                  • Opcode Fuzzy Hash: fe10739e0c61e93bfc4763bdc848f78ef99ccb9cca63e025924f3eda9ae2d65e
                  • Instruction Fuzzy Hash: B631A270500105AFEF10BFA4CC99AEE7BAAFF05354F108528F696EA1B5CB399940DB50
                  APIs
                  • GetSystemMetrics.USER32(00000002), ref: 00FFC77E
                  • GetSystemMetrics.USER32(00000015), ref: 00FFC78C
                  • GetSystemMetrics.USER32(00000015), ref: 00FFC7AB
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00FFC805
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00FFC82E
                  • RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 00FFC83A
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem$MessageSend$RedrawWindow
                  • String ID:
                  • API String ID: 1898417864-0
                  • Opcode ID: 39b05e0186a5bd784823eac580c8e3e6b805a3f9ce64a974ca078a5e669e9a1d
                  • Instruction ID: 2ab807cdf23a5e6594526e7b71b79b1a55df3c523e5185fee4040569f29c4b37
                  • Opcode Fuzzy Hash: 39b05e0186a5bd784823eac580c8e3e6b805a3f9ce64a974ca078a5e669e9a1d
                  • Instruction Fuzzy Hash: D5316832600A189BD7219F39CD88AAAB7E5FFC8710F14492DF69AC7261DB759800DF94
                  APIs
                  • SendMessageA.USER32(?,00001203,00000000,00000001), ref: 00FD4B9D
                  • GetClientRect.USER32(?,?), ref: 00FD4BB6
                  • GetSystemMetrics.USER32(00000015), ref: 00FD4BE1
                  • GetSystemMetrics.USER32(00000015), ref: 00FD4C09
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FD4C29
                  • UpdateWindow.USER32(?), ref: 00FD4C32
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Yara matches
                  Similarity
                  • API ID: MetricsRectSystem$ClientException@8InvalidateMessageSendThrowUpdateWindow
                  • String ID:
                  APIs
                  • PtInRect.USER32(?,?,?), ref: 00FA655D
                  • ReleaseCapture.USER32 ref: 00FA656B
                  • PtInRect.USER32(?,?,?), ref: 00FA65BD
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FA660B
                  • SetTimer.USER32(?,00000002,00000050,00000000), ref: 00FA662D
                  Yara matches
                  Similarity
                  • API ID: Rect$CaptureInvalidateReleaseTimer
                  • String ID:
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0100A609
                    • Part of subcall function 00F88ADB: __EH_prolog3.LIBCMT ref: 00F88AE2
                    • Part of subcall function 00F88ADB: GetWindowDC.USER32(00000000,00000004,00F95F09,00000000,?,?,010A4E00), ref: 00F88B0E
                  • CreateCompatibleDC.GDI32(00000000), ref: 0100A62B
                  • GetSystemMetrics.USER32(00000036), ref: 0100A642
                  • GetSystemMetrics.USER32(00000036), ref: 0100A649
                  • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0100A662
                    • Part of subcall function 00F88D3D: SelectObject.GDI32(?,?), ref: 00F88D48
                  • DrawFrameControl.USER32(?,?,00000001,00002000), ref: 0100A69C
                  Yara matches
                  Similarity
                  • API ID: CompatibleCreateMetricsSystem$BitmapControlDrawFrameH_prolog3H_prolog3_ObjectSelectWindow
                  • String ID:
                  APIs
                  • GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,00FE29E8,00000000,00000000,?,?,00FE4808,?,?,?,00000084), ref: 00FE28AF
                  • GlobalLock.KERNEL32(00000000), ref: 00FE28C7
                  • _memmove.LIBCMT ref: 00FE28D4
                  • CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?), ref: 00FE28E3
                  • EnterCriticalSection.KERNEL32(010F3B94,00000000), ref: 00FE28FC
                  • LeaveCriticalSection.KERNEL32(010F3B94), ref: 00FE2963
                  Yara matches
                  Similarity
                  • API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream_memmove
                  • String ID:
                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00FB03FD
                  • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 00FB0415
                  • GlobalLock.KERNEL32(?), ref: 00FB041D
                  • GlobalUnlock.KERNEL32(?), ref: 00FB0447
                  • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 00FB0467
                  • PostMessageA.USER32(?,000003E4,?,00000000), ref: 00FB0477
                    • Part of subcall function 00F9134B: IsWindowEnabled.USER32(?), ref: 00F91354
                  Yara matches
                  Similarity
                  • API ID: GlobalParam$EnabledH_prolog3_catchLockMessagePostReuseUnlockUnpackWindow
                  • String ID:
                  APIs
                  • GetMenuItemCount.USER32(?), ref: 00FFEDB7
                  • GetMenuState.USER32(?,00000000,00000400), ref: 00FFEDD4
                  • GetMenuItemID.USER32(?,00000000), ref: 00FFEDE3
                  • CheckMenuItem.USER32(?,00000000,00000008), ref: 00FFEDF7
                  • EnableMenuItem.USER32(?,00000000,00000002), ref: 00FFEE09
                  • EnableMenuItem.USER32(?,00000000,00000001), ref: 00FFEE1B
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Yara matches
                  Similarity
                  • API ID: Menu$Item$Enable$CheckCountException@8StateThrow
                  • String ID:
                  APIs
                  • RegDeleteKeyA.ADVAPI32(00000000,?), ref: 00F84BDB
                  • RegDeleteValueA.ADVAPI32(00000000,?), ref: 00F84BFA
                  • RegCloseKey.ADVAPI32(00000000), ref: 00F84C24
                    • Part of subcall function 00F849A6: RegCloseKey.ADVAPI32(?), ref: 00F84A4B
                    • Part of subcall function 00F849A6: RegCloseKey.ADVAPI32(?), ref: 00F84A55
                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00F84C3F
                  Yara matches
                  Similarity
                  • API ID: Close$Delete$PrivateProfileStringValueWrite
                  • String ID:
                  APIs
                  • GetFocus.USER32 ref: 00F9206A
                  • GetParent.USER32(00000000), ref: 00F92092
                    • Part of subcall function 00F91E57: GetWindowLongA.USER32(?,000000F0), ref: 00F91E78
                    • Part of subcall function 00F91E57: GetClassNameA.USER32(?,?,0000000A), ref: 00F91E8D
                    • Part of subcall function 00F91E57: CompareStringA.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 00F91EA7
                  • GetWindowLongA.USER32(?,000000F0), ref: 00F920AD
                  • GetParent.USER32(?), ref: 00F920BB
                  • GetDesktopWindow.USER32 ref: 00F920BF
                  • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00F920D3
                  Yara matches
                  Similarity
                  • API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
                  • String ID:
                  APIs
                  • __getptd.LIBCMT ref: 0107CEBB
                    • Part of subcall function 0107C799: __getptd_noexit.LIBCMT ref: 0107C79C
                    • Part of subcall function 0107C799: __amsg_exit.LIBCMT ref: 0107C7A9
                  • __amsg_exit.LIBCMT ref: 0107CEDB
                  • __lock.LIBCMT ref: 0107CEEB
                  • InterlockedDecrement.KERNEL32(?), ref: 0107CF08
                  • _free.LIBCMT ref: 0107CF1B
                  • InterlockedIncrement.KERNEL32(025F1660), ref: 0107CF33
                  Yara matches
                  Similarity
                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                  • String ID:
                  APIs
                    • Part of subcall function 00F911E7: GetWindowLongA.USER32(?,000000EC), ref: 00F911F2
                  • GetClientRect.USER32(?,?), ref: 00FA8BF4
                  • GetAsyncKeyState.USER32(00000011), ref: 00FA8C9A
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AsyncClientLongRectStateWindow
                  • String ID: '
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: _memset
                  • String ID: @$@$AfxFrameOrView100s$AfxMDIFrame100s
                  APIs
                  • FillRect.USER32(00000002,?,?), ref: 010110AC
                  • FillRect.USER32(?,?,?), ref: 01011131
                  • FillRect.USER32(00000002,?,?), ref: 010111A9
                    • Part of subcall function 00F88EC1: __EH_prolog3.LIBCMT ref: 00F88EC8
                    • Part of subcall function 00F88EC1: CreateSolidBrush.GDI32(00000000), ref: 00F88EE3
                  Strings
                  Yara matches
                  Similarity
                  • API ID: FillRect$BrushCreateH_prolog3Solid
                  • String ID: @
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F94561
                  • _strlen.LIBCMT ref: 00F945AC
                  • _strlen.LIBCMT ref: 00F945EA
                  • _strlen.LIBCMT ref: 00F94623
                    • Part of subcall function 00F81EA0: FindResourceW.KERNEL32(?,?,00000006), ref: 00F81EBB
                  Strings
                  Yara matches
                  Similarity
                  • API ID: _strlen$FindH_prolog3Resource
                  • String ID:
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Object$Delete
                  • String ID:
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FD0BCF
                    • Part of subcall function 00F88B6A: __EH_prolog3.LIBCMT ref: 00F88B71
                    • Part of subcall function 00F88B6A: BeginPaint.USER32(?,?,00000004,00FF85EC), ref: 00F88B9D
                  • FillRect.USER32(?,?,09100E5A), ref: 00FD0BF3
                  • InflateRect.USER32(?,000000FB,00000000), ref: 00FD0C1E
                    • Part of subcall function 00F88073: SetBkMode.GDI32(?,?), ref: 00F88090
                    • Part of subcall function 00F88073: SetBkMode.GDI32(?,?), ref: 00F8809D
                    • Part of subcall function 00F9134B: IsWindowEnabled.USER32(?), ref: 00F91354
                  • GetParent.USER32(?), ref: 00FD0C92
                    • Part of subcall function 00FCFA5B: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00FCFA64
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ModeRect$BeginEnabledFillH_prolog3H_prolog3_InflateMessagePaintParentSendWindow
                  • String ID: mmm
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FDA960
                    • Part of subcall function 00F9897D: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00F989A0
                    • Part of subcall function 00FCF57A: __EH_prolog3.LIBCMT ref: 00FCF581
                    • Part of subcall function 00F9890C: __EH_prolog3.LIBCMT ref: 00F98913
                  Strings
                  • MFCComboBox_ShowRasterTypeFonts, xrefs: 00FDA9D4
                  • MFCComboBox_ShowTrueTypeFonts, xrefs: 00FDA9BF
                  • MFCComboBox_DrawUsingFont, xrefs: 00FDA99A
                  • MFCComboBox_ShowDeviceTypeFonts, xrefs: 00FDA9E9
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$ByteCharMultiWide
                  • String ID: MFCComboBox_DrawUsingFont$MFCComboBox_ShowDeviceTypeFonts$MFCComboBox_ShowRasterTypeFonts$MFCComboBox_ShowTrueTypeFonts
                  • API String ID: 2949695960-1084877596
                  • Opcode ID: c3e32ba921dad46ae3062d0483ca7969028f7a2b211b69a0f61d60939798a1d5
                  • Instruction ID: 7743b617d6b097f43f991342a02177126f3aacfefc31d2319fa149f144d51549
                  • Opcode Fuzzy Hash: c3e32ba921dad46ae3062d0483ca7969028f7a2b211b69a0f61d60939798a1d5
                  • Instruction Fuzzy Hash: 21213971D0021EAEDB00EFE0CC82AEEBB79AF08750F48052AE501B6141DB788A05EB65
                  APIs
                  • IsWindow.USER32(?), ref: 00FF25AB
                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00FF25E6
                  • OffsetRect.USER32(?,?,?), ref: 00FF25F6
                  • CopyRect.USER32(?,?), ref: 00FF2604
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$CopyInfoOffsetParametersSystemWindow
                  • String ID: ,
                  • API String ID: 401166719-3772416878
                  • Opcode ID: d5ce62c04058c902cc2755bb958849283d9722da99e8de9174fe3a790c6b8799
                  • Instruction ID: d0f0cdae274dac0b9c25d3c0b912a2d74a636a02b0781f0c3a1c156289905af0
                  • Opcode Fuzzy Hash: d5ce62c04058c902cc2755bb958849283d9722da99e8de9174fe3a790c6b8799
                  • Instruction Fuzzy Hash: AA211531A00209ABDF20DBE4D899EEEBBB9FF48714F180059F605A7150DF75E901DB21
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Edit
                  • API String ID: 0-554135844
                  • Opcode ID: f2d1058c1721549915ef07892fbf33230d90ecfa3d978bd8c1e4f676043b7a8f
                  • Instruction ID: 1f494a4667deb1edf253a587fa1f76b98454f33864cfab9cea75edff34dc6c0c
                  • Opcode Fuzzy Hash: f2d1058c1721549915ef07892fbf33230d90ecfa3d978bd8c1e4f676043b7a8f
                  • Instruction Fuzzy Hash: B311E531B40601A7EF303A259C0DFDAB6A8BF44B68F144069F541D20A2CF65EC00F390
                  APIs
                  • GetModuleHandleA.KERNEL32(DWMAPI), ref: 00FB4582
                  • GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 00FB4592
                  • DeleteObject.GDI32(00000000), ref: 00FB45CC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressDeleteHandleModuleObjectProc
                  • String ID: DWMAPI$DwmSetIconicThumbnail
                  • API String ID: 3128169092-3761315311
                  • Opcode ID: e184054c3c85393c0b9a15a149f61f8a55ec03e201d96e22200abf08a978772d
                  • Instruction ID: 110e1b3e4171d625fe4f22b26bdf995de15dc9ecd8923cf1536f7f046a1aa560
                  • Opcode Fuzzy Hash: e184054c3c85393c0b9a15a149f61f8a55ec03e201d96e22200abf08a978772d
                  • Instruction Fuzzy Hash: 5301C471700604BBDB21AF668C98EAE77ADBF84324F044019F91197242EB78ED00EB50
                  APIs
                  • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00F928D4
                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00F928E4
                    • Part of subcall function 00F85042: GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00F85056
                    • Part of subcall function 00F85042: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00F85066
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: Advapi32.dll$RegDeleteKeyExA
                  • API String ID: 1646373207-1984814126
                  • Opcode ID: 2a82c896887e440c472f83f37404195c5ac26d410a222bb05d04daf2324c3ff5
                  • Instruction ID: 135dadb077258ecea61fcfc926895bc2a5c7a5dcd0b4e9b73b35220a78874863
                  • Opcode Fuzzy Hash: 2a82c896887e440c472f83f37404195c5ac26d410a222bb05d04daf2324c3ff5
                  • Instruction Fuzzy Hash: 77F08C36A00305FBFF315F56E805F963FA5BB247A5F14402DF59982024CABB9850FBA0
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FF613E
                  • GetWindowRect.USER32(?,?), ref: 00FF6216
                  • InflateRect.USER32(?,00000000,?), ref: 00FF623C
                  • GetWindowRect.USER32(?,?), ref: 00FF62F1
                  • GetWindowRect.USER32(?,?), ref: 00FF63FC
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Window$Inflate
                  • String ID:
                  • API String ID: 1123775244-0
                  • Opcode ID: fc6c0c55ec14ad17936e01f4ed32fd78b0c4407122871d6d859f4ea7e3d8ebe4
                  • Instruction ID: 0e4d85217c67c30cb9b4b405b90eea021aa70ec76f27b8060fccfcf75d5feb88
                  • Opcode Fuzzy Hash: fc6c0c55ec14ad17936e01f4ed32fd78b0c4407122871d6d859f4ea7e3d8ebe4
                  • Instruction Fuzzy Hash: 26C11471E0020EAFCB14DFA8C884AEEBBB5BF48314F14456EE655E7251DB70A940DB94
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0100A967
                  • GetFocus.USER32 ref: 0100A987
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • GetMenuItemCount.USER32(?), ref: 0100AADC
                  • GetMenuItemID.USER32(?,?), ref: 0100AAFF
                    • Part of subcall function 0101454A: __EH_prolog3.LIBCMT ref: 01014551
                  • GetSubMenu.USER32(?,?), ref: 0100AB9C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$Item$CountException@8FocusH_prolog3H_prolog3_Throw
                  • String ID:
                  • API String ID: 2260827373-0
                  • Opcode ID: 3ef43eb924ff6aa2af02ea08670ab0909eeb885a67fa07f55dc15715f7d9f701
                  • Instruction ID: 0e7fbc549631ea3d2e758c49b0486386beed42bba5a22c0bf5fc68f3226784c1
                  • Opcode Fuzzy Hash: 3ef43eb924ff6aa2af02ea08670ab0909eeb885a67fa07f55dc15715f7d9f701
                  • Instruction Fuzzy Hash: E6B18E70A00215EBEF26AF68CC94AEDB7B5BF44310F1446AEE59A972D1DF345A80DF40
                  APIs
                  • IsWindow.USER32(?), ref: 00FC4C5C
                  • GetParent.USER32(?), ref: 00FC4C7B
                  • GetParent.USER32(?), ref: 00FC4C8A
                    • Part of subcall function 00FB24F5: SetParent.USER32(?,?), ref: 00FB2508
                  • GetWindowRect.USER32(?,?), ref: 00FC4D21
                  • GetClientRect.USER32(?,?), ref: 00FC4D9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Parent$RectWindow$Client
                  • String ID:
                  • API String ID: 3043635113-0
                  • Opcode ID: 36b69d9401ad6ebfa94986bedec2b2596c8378b87b10defac5b1832bf62bd34d
                  • Instruction ID: 2c45380e070b167f1b6ea7739d3258b1726f090ad5a2ab6b4005193feab8ecbe
                  • Opcode Fuzzy Hash: 36b69d9401ad6ebfa94986bedec2b2596c8378b87b10defac5b1832bf62bd34d
                  • Instruction Fuzzy Hash: FB713870700201AFCB14AF69C899EAEBBF9BF89700F0505BDF546DB296CB759900DB50
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FAA804
                  • IsWindow.USER32(?), ref: 00FAA821
                  • GetClientRect.USER32(?,?), ref: 00FAA880
                    • Part of subcall function 00FA1BD3: __EH_prolog3_GS.LIBCMT ref: 00FA1BDD
                    • Part of subcall function 00FA1BD3: GetClientRect.USER32(?,?), ref: 00FA1C24
                    • Part of subcall function 00FA18F8: __EH_prolog3_GS.LIBCMT ref: 00FA1902
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3_$ClientRect$Window
                  • String ID:
                  • API String ID: 3149087086-0
                  • Opcode ID: ad7315b024574375a946124769ca808500c88127c4a62579c8eb3f608b2055e8
                  • Instruction ID: d09d5f8c032e23de12982a12c4a66f197b52791d152c3c5e5bf042e26d35c3c2
                  • Opcode Fuzzy Hash: ad7315b024574375a946124769ca808500c88127c4a62579c8eb3f608b2055e8
                  • Instruction Fuzzy Hash: CE815CB1D00209CFCF15DFA8C980AEDBBB1FF49310F14416AE806AB255DB39A945DF21
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FD0E6A
                  • SetRectEmpty.USER32(?), ref: 00FD0E99
                  • _strlen.LIBCMT ref: 00FD0F80
                  • _strlen.LIBCMT ref: 00FD0FA5
                    • Part of subcall function 00FDD5E0: SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00FDD617
                  • GetWindowRect.USER32(?,?), ref: 00FD1009
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect_strlen$EmptyH_prolog3_MessageSendWindow
                  • String ID:
                  • API String ID: 1125052493-0
                  • Opcode ID: 7f530f92004c23d28ffd574daca0390798fa1eb712c1883a52cf10b91ef8fc5a
                  • Instruction ID: 3f4295fe858c65695fb11b1a9c357b692066d2433b23c29d11eef9121fc10840
                  • Opcode Fuzzy Hash: 7f530f92004c23d28ffd574daca0390798fa1eb712c1883a52cf10b91ef8fc5a
                  • Instruction Fuzzy Hash: FD617F71D0024AAFDB14EFA4D895AEEBBB9FF04310F14462EF456A3281DB355E44DBA0
                  APIs
                  • __EH_prolog3.LIBCMT ref: 0100A374
                  • GetMenuItemCount.USER32(?), ref: 0100A3FB
                  • GetMenuItemID.USER32(?,?), ref: 0100A415
                  • GetSubMenu.USER32(?,?), ref: 0100A471
                    • Part of subcall function 00F91528: __EH_prolog3_catch.LIBCMT ref: 00F9152F
                    • Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688
                  • __EH_prolog3.LIBCMT ref: 0100A54F
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$H_prolog3Item$CountH_prolog3_catch_malloc
                  • String ID:
                  • API String ID: 2690492427-0
                  • Opcode ID: bfd7b83304c03d7739dfbdbe82b07ee508e3606042d9e5f6d7b94c7a2cdeb579
                  • Instruction ID: 010c4b5f232e2891de38887d5fd6e5277161f70c7e2e5a21a18aead8c07bfb77
                  • Opcode Fuzzy Hash: bfd7b83304c03d7739dfbdbe82b07ee508e3606042d9e5f6d7b94c7a2cdeb579
                  • Instruction Fuzzy Hash: 3C51FE31A00206EBEF12FFB8CC95AEDBAA0BF44314F204669F596A72D1DB394E409751
                  APIs
                  • __EH_prolog3.LIBCMT ref: 01070EFE
                  • GlobalLock.KERNEL32(?), ref: 01070F1F
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • lstrcmpA.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000,?,01054E6B,?,00000000), ref: 01070FC8
                  • lstrcmpA.KERNEL32(?,00000000,00000000,?,01054E6B,?,00000000), ref: 01070FF4
                  • lstrcmpA.KERNEL32(?,00000000,01054E6B,?,01054E6B,?,00000000), ref: 01071019
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcmp$Exception@8GlobalH_prolog3LockThrow
                  • String ID:
                  • API String ID: 1434931896-0
                  • Opcode ID: 67ae1910d17bfebc9f530312d6e5e0b800c092240013d4b79b031fa8684def85
                  • Instruction ID: 5e5e1d5bfd8b10c006f6cd088526a57f6bca992d4ad4912ae774df5c9cd248a3
                  • Opcode Fuzzy Hash: 67ae1910d17bfebc9f530312d6e5e0b800c092240013d4b79b031fa8684def85
                  • Instruction Fuzzy Hash: 8361B370E002068BEB62DF68CD44BEEBBF4BF01310F044695F595AB296DB74DA80DB54
                  APIs
                  • SHGetPathFromIDListA.SHELL32(?,?), ref: 00FCE6E8
                  • SHGetPathFromIDListA.SHELL32(?,?), ref: 00FCE718
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000408), ref: 00FCE7CB
                  • SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000408), ref: 00FCE7EC
                  • lstrcmpiA.KERNEL32(?,?), ref: 00FCE800
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileFromInfoListPath$Exception@8Throwlstrcmpi
                  • String ID:
                  • API String ID: 438698530-0
                  • Opcode ID: 8b9b985523fecb3f8d48e2ad68470aad9db69d984912e0fa310f6344d74e53d2
                  • Instruction ID: e6dd3cf8e64fee1c09756421604e1ffaddaeff6dbb7dac1dd367ab0acf4aba0b
                  • Opcode Fuzzy Hash: 8b9b985523fecb3f8d48e2ad68470aad9db69d984912e0fa310f6344d74e53d2
                  • Instruction Fuzzy Hash: 5F516D71D1122A9BCF259B55CE82FAEB7BDEF08710F0040DEA509A6181DB35AE84EF54
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 010653D7
                  • CreateCompatibleDC.GDI32(00000000), ref: 01065425
                  • GetBoundsRect.GDI32(?,0106594E,00000000), ref: 0106544D
                  • CreateSolidBrush.GDI32 ref: 01065467
                  • FillRect.USER32(00000000,0106594E,?), ref: 01065480
                    • Part of subcall function 0106478A: FrameRgn.GDI32(00000000,?,00000000,0106594E,0000003C), ref: 010647B2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateRect$BoundsBrushCompatibleFillFrameH_prolog3_Solid
                  • String ID:
                  • API String ID: 2864772683-0
                  • Opcode ID: f8f027c671ee9d9088ce7bd127a71b0fcd0673a8026a019b015671e19ffb0e18
                  • Instruction ID: 7074e6774e3f126129a8c45c16b7c36623eaa4fa89268bfd47aec924a7f2a25e
                  • Opcode Fuzzy Hash: f8f027c671ee9d9088ce7bd127a71b0fcd0673a8026a019b015671e19ffb0e18
                  • Instruction Fuzzy Hash: 76518B70D10229EFDF11EFA8CC84AEDBBB9FF08750F04406AF881AA185CB755645DBA0
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FF5252
                  • GetCursorPos.USER32(?), ref: 00FF526C
                  • ScreenToClient.USER32(?,?), ref: 00FF527C
                  • GetClientRect.USER32(?,?), ref: 00FF52A7
                    • Part of subcall function 00F88828: ClientToScreen.USER32(?,00FA73A3), ref: 00F88839
                    • Part of subcall function 00F88828: ClientToScreen.USER32(?,00FA73AB), ref: 00F88846
                  • SetRect.USER32(?,?,?,?,?), ref: 00FF535E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Client$RectScreen$CursorWindow
                  • String ID:
                  • API String ID: 3730894386-0
                  • Opcode ID: 3b5162565e5f96d4dadfd5b52bb79b7a983ab764aa039bb183cc9916763f0907
                  • Instruction ID: 7e7a6a807355130d5fd31085d12eae5e652c14d2ac3cab2fd219dd2c44b5f541
                  • Opcode Fuzzy Hash: 3b5162565e5f96d4dadfd5b52bb79b7a983ab764aa039bb183cc9916763f0907
                  • Instruction Fuzzy Hash: 4551E3B1E0060DEFCB14DFA9C9889EEBBBAFF48315F104529E645A3214DB34A945DF60
                  APIs
                  • GetParent.USER32(?), ref: 00FBCA0B
                  • GetWindowRect.USER32(?,?), ref: 00FBCA2D
                  • GetClientRect.USER32(?,?), ref: 00FBCABD
                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 00FBCAD0
                  • FillRect.USER32(?,?), ref: 00FBCB10
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Window$ClientFillParentPoints
                  • String ID:
                  • API String ID: 1064458942-0
                  • Opcode ID: afa5f11ddf894e7bcf26cb6d571da73adfec165a88fcfbefceaf0939f853d36b
                  • Instruction ID: 007ae3b26ca0ca321dc6790b0f830a70ae9b00c1f865c70bb5de1f6dc60f6b93
                  • Opcode Fuzzy Hash: afa5f11ddf894e7bcf26cb6d571da73adfec165a88fcfbefceaf0939f853d36b
                  • Instruction Fuzzy Hash: F3511771A00219AFCB10DFA9C8958EEBBB9FF48750B14805AF445E7211D7789D00DFE0
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FC68BD
                  • SetRectEmpty.USER32(?), ref: 00FC68E6
                    • Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688
                  • __CxxThrowException@8.LIBCMT ref: 00FC698D
                    • Part of subcall function 00F99D8C: __EH_prolog3.LIBCMT ref: 00F99D93
                  • GetWindowRect.USER32(?,?), ref: 00FC69B8
                  • IsWindowVisible.USER32(?), ref: 00FC69D5
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: RectWindow$EmptyException@8H_prolog3H_prolog3_ThrowVisible_malloc
                  • String ID:
                  • API String ID: 3103794022-0
                  • Opcode ID: c582463d152b3fdadc70714be255971c4b104f62d1cea9abb0a6c407c6d3cc42
                  • Instruction ID: 050f21e2e515dc474d44e5dec23cd67df772d2d8b480a5beb5934a225c8b2850
                  • Opcode Fuzzy Hash: c582463d152b3fdadc70714be255971c4b104f62d1cea9abb0a6c407c6d3cc42
                  • Instruction Fuzzy Hash: 5C413B71A04209ABDF05EFA8D992EFEB7FABF48300F54442DF15AE2241DB395905AB11
                  APIs
                  • IsWindow.USER32(00000000), ref: 00FCA1D7
                  • ShowWindow.USER32(00000000,00000004), ref: 00FCA209
                  • IsWindow.USER32(?), ref: 00FCA24E
                  • IsWindowVisible.USER32(?), ref: 00FCA259
                  • ShowWindow.USER32(?,00000000), ref: 00FCA294
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Show$Visible
                  • String ID:
                  • API String ID: 2757229004-0
                  • Opcode ID: 3db3ec55054f496f3602e32ae52b07d225742525338d9bb0a509ce952085ec3b
                  • Instruction ID: 97eaaca5faeff79e66c0ceaff326c1c4254bfca0bc38d00fe82fd408488e4308
                  • Opcode Fuzzy Hash: 3db3ec55054f496f3602e32ae52b07d225742525338d9bb0a509ce952085ec3b
                  • Instruction Fuzzy Hash: 5C31D531640216ABDB249F61CD47FEA7768BF44764F14412DF946AB140DB36FC00E761
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FEAE2F
                  • SendMessageA.USER32(?,00000420,00000001,?), ref: 00FEAEC3
                  • SendMessageA.USER32(?,00000420,00000001,?), ref: 00FEAEDA
                  • _calloc.LIBCMT ref: 00FEAEF5
                  • lstrcpyA.KERNEL32(00000000,00000010,00000004,00FA4868,?,?,00000002,?,?,00000000), ref: 00FEAF08
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$H_prolog3_calloclstrcpy
                  • String ID:
                  • API String ID: 3273239350-0
                  • Opcode ID: 572fe22eaaf5cd79aeb1ebbf943c022cf4b26fd2953f581eb952a210a0ab8505
                  • Instruction ID: d2761c3a5f1eaa98c83182862150223136d1f1b619c7d143b464b559e36d2a1f
                  • Opcode Fuzzy Hash: 572fe22eaaf5cd79aeb1ebbf943c022cf4b26fd2953f581eb952a210a0ab8505
                  • Instruction Fuzzy Hash: F241E0B2A00285DFDB14EF6ACC45AAE77A4FF44324F148619F8659B2D1DB35EC00EB51
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Parent$FocusMessageSendUpdateWindow
                  • String ID:
                  • API String ID: 2438739141-0
                  • Opcode ID: 298c286a9f2b8a5120b9b72efb23af57bea692dc8a290dc750c48f921ed99159
                  • Instruction ID: 37094399560ec13e951d0bddef345d402f27a3a47eee092455d2461acba71fc7
                  • Opcode Fuzzy Hash: 298c286a9f2b8a5120b9b72efb23af57bea692dc8a290dc750c48f921ed99159
                  • Instruction Fuzzy Hash: 9D31F4B1A006109FCB25AF38DC45A6E7AE5FF85724B25062DF4A6C7291EF34AD01DF10
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 010006F5
                  • IsRectEmpty.USER32(?), ref: 0100074E
                    • Part of subcall function 00F91259: IsWindow.USER32(?), ref: 00F9126D
                  • SendMessageA.USER32(?,00000030,210A0E4A,00000001), ref: 0100080F
                  • SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 01000823
                    • Part of subcall function 00F913F4: GetParent.USER32(?), ref: 00F91409
                    • Part of subcall function 00F913F4: GetParent.USER32(?), ref: 00F91418
                    • Part of subcall function 00F913F4: GetParent.USER32(?), ref: 00F9142E
                    • Part of subcall function 00F913F4: SetFocus.USER32(?,00000000), ref: 00F91444
                  • SetCapture.USER32(?,?,00000001), ref: 0100083C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Parent$MessageSend$CaptureEmptyFocusH_prolog3_RectWindow
                  • String ID:
                  • API String ID: 1703786938-0
                  • Opcode ID: 49515ddc8332776183a0eafa11e365ecfbe09c8fab47715b76c66b5a8deb8f4d
                  • Instruction ID: 9ea64673c4c3712740288188894f0fa1611aafbe9d6242280c6580a42ae4a3d3
                  • Opcode Fuzzy Hash: 49515ddc8332776183a0eafa11e365ecfbe09c8fab47715b76c66b5a8deb8f4d
                  • Instruction Fuzzy Hash: AB414C71A002019BEF16EFA9C895BED37E5BF48350F1541B9F9499F296DB759800CF20
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: EmptyRect$H_prolog3
                  • String ID:
                  • API String ID: 3752103406-0
                  • Opcode ID: 721df95bfa561db18cf266df0c37eb5bcc8d615bf9332a1edc0dcad9bed46722
                  • Instruction ID: 1a389afb2371dbdb7d46677bb164446e939648717b176d956c1971c6e06a317b
                  • Opcode Fuzzy Hash: 721df95bfa561db18cf266df0c37eb5bcc8d615bf9332a1edc0dcad9bed46722
                  • Instruction Fuzzy Hash: 2151E8B0905B45CAD321EF7AC951BDAFBE8BFA5300F10880FD5EA96291DBB42144DF81
                  APIs
                  • CallNextHookEx.USER32(00000000,?,?), ref: 00FA0816
                  • WindowFromPoint.USER32(?,?), ref: 00FA0841
                  • ScreenToClient.USER32(?,00000000), ref: 00FA0872
                  • GetParent.USER32(?), ref: 00FA08E0
                  • UpdateWindow.USER32(?), ref: 00FA0938
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$CallClientFromHookNextParentPointScreenUpdate
                  • String ID:
                  • API String ID: 160110263-0
                  • Opcode ID: 9a141f51c0f3ff77f10f5591125ece8dc26869f96849e30d6f60e4b86f24000a
                  • Instruction ID: d10c6bc61ec7958531972971e22554c8b77ec40d46cb82b9b0d0083159c99b20
                  • Opcode Fuzzy Hash: 9a141f51c0f3ff77f10f5591125ece8dc26869f96849e30d6f60e4b86f24000a
                  • Instruction Fuzzy Hash: 0C31BFB5600200AFEB219F64EC45A9A7BB5FF48324F24813DF44587695CF7AE850EF41
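The per-function records above (an "APIs" list of call sites, optional "Part of subcall function" entries, and the "Similarity" fields with the API String ID and Instruction Fuzzy Hash) are easier to pivot on once they are parsed into structured rows. The following is an added example, not part of the Joe Sandbox report or its tooling: it parses records in this layout, indexes functions by the APIs they call directly, and flags the ones that touch the Windows hook and input-capture APIs, such as the function whose first call site is CallNextHookEx at 00FA0816. The sample input is constructed from two of the records on this page, cut down to the fields the parser reads; the HOOK_APIS watchlist is an analyst's choice for this example and is not something the report itself states.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records from this report, cut down to the fields the
# parser consumes, in the same line layout the report uses.
SAMPLE_REPORT = """\
APIs
• CallNextHookEx.USER32(00000000,?,?), ref: 00FA0816
• WindowFromPoint.USER32(?,?), ref: 00FA0841
• ScreenToClient.USER32(?,00000000), ref: 00FA0872
• GetParent.USER32(?), ref: 00FA08E0
• UpdateWindow.USER32(?), ref: 00FA0938
Memory Dump Source
• Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
Similarity
• API ID: Window$CallClientFromHookNextParentPointScreenUpdate
• String ID:
• API String ID: 160110263-0
• Instruction Fuzzy Hash: 0C31BFB5600200AFEB219F64EC45A9A7BB5FF48324F24813DF44587695CF7AE850EF41
APIs
• __EH_prolog3_GS.LIBCMT ref: 00FC68BD
• SetRectEmpty.USER32(?), ref: 00FC68E6
  • Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688
• __CxxThrowException@8.LIBCMT ref: 00FC698D
  • Part of subcall function 00F99D8C: __EH_prolog3.LIBCMT ref: 00F99D93
• GetWindowRect.USER32(?,?), ref: 00FC69B8
• IsWindowVisible.USER32(?), ref: 00FC69D5
Similarity
• API ID: RectWindow$EmptyException@8H_prolog3H_prolog3_ThrowVisible_malloc
• String ID:
• API String ID: 3103794022-0
• Instruction Fuzzy Hash: 5C413B71A04209ABDF05EFA8D992EFEB7FABF48300F54442DF15AE2241DB395905AB11
"""

# One call-site line: optional subcall prefix, Name.MODULE, optional (args), ", ref: ADDR".
# LIBCMT entries carry no argument list, so the parenthesised group is optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[\w@]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API String ID|Instruction Fuzzy Hash|API ID):\s*(?P<val>\S+)\s*$")

# Analyst watchlist (an assumption of this example): APIs that put a function on the
# message-hook / input-capture path and therefore deserve a closer look.
HOOK_APIS = frozenset({"SetWindowsHookExA", "SetWindowsHookExW", "CallNextHookEx",
                       "UnhookWindowsHookEx", "SetCapture", "GetAsyncKeyState", "GetKeyState"})


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple          # raw argument tokens, "?" where the sandbox could not resolve one
    ref: str             # call-site address inside the image
    subcall_of: Optional[str] = None  # callee address when the call is made by a subroutine


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    instruction_fuzzy_hash: str = ""

    @property
    def entry_ref(self) -> str:
        """First direct call site; used as a stable label because the report gives no function address."""
        return next((c.ref for c in self.calls if c.subcall_of is None), "")

    def direct_apis(self) -> list:
        return [c.name for c in self.calls if c.subcall_of is None]


def parse_records(text: str) -> list:
    """Split the report text at each 'APIs' header and parse one FunctionRecord per block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            setattr(current, m["key"].lower().replace(" ", "_"), m["val"])
    return records


def index_by_api(records: list) -> dict:
    """Map API name -> entry_ref of every function that calls it directly."""
    index = defaultdict(list)
    for r in records:
        for name in sorted(set(r.direct_apis())):
            index[name].append(r.entry_ref)
    return dict(index)


def flag_hook_functions(records: list) -> list:
    """Return (entry_ref, api_string_id, hits) for functions whose direct calls hit HOOK_APIS."""
    flagged = []
    for r in records:
        hits = sorted(set(r.direct_apis()) & HOOK_APIS)
        if hits:
            flagged.append((r.entry_ref, r.api_string_id, hits))
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for ref, sid, hits in flag_hook_functions(recs):
        print(f"{ref} api_string_id={sid} hook-path APIs: {', '.join(hits)}")
```

Run against the full report text, the index lets an analyst jump from an API of interest to every function record that references it, and the flagged list is a starting point for triage rather than a verdict: CallNextHookEx is equally at home in a benign UI library's mouse hook and in a keylogger, so the surrounding calls in the record still have to be read.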
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FA668D
                    • Part of subcall function 00F911E7: GetWindowLongA.USER32(?,000000EC), ref: 00F911F2
                  • OffsetRect.USER32(?,?,00000000), ref: 00FA66E8
                  • UnionRect.USER32(?,?,?), ref: 00FA6706
                  • EqualRect.USER32(?,?), ref: 00FA6714
                  • UpdateWindow.USER32(?), ref: 00FA6750
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Window$EqualLongOffsetUnionUpdate
                  • String ID:
                  • API String ID: 4261707372-0
                  • Opcode ID: 1e37f73ee328953983a7d3fdf32b2b1b2c41ec8d39c7c60da60c4e719b2e4a25
                  • Instruction ID: 8f502c3d1be67bde09234392ec02fe28d13ddda0f149e79973bc6882d31e6744
                  • Opcode Fuzzy Hash: 1e37f73ee328953983a7d3fdf32b2b1b2c41ec8d39c7c60da60c4e719b2e4a25
                  • Instruction Fuzzy Hash: D13128B1901209EBCB20DFA4C9849EEBBF9FF48314F14462EE556E2254DB35AA00DB50
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FDA7E9
                  • IsWindow.USER32(?), ref: 00FDA808
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                    • Part of subcall function 00FDA3F6: IsWindow.USER32(?), ref: 00FDA402
                    • Part of subcall function 00FDA3F6: SendMessageA.USER32(?,00000146,00000000,00000000), ref: 00FDA42E
                    • Part of subcall function 00FDA3F6: SendMessageA.USER32(?,00000150,?,00000000), ref: 00FDA441
                    • Part of subcall function 00FDA3F6: SendMessageA.USER32(?,00000146,00000000,00000000), ref: 00FDA45B
                    • Part of subcall function 00FDA3F6: SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00FDA46E
                    • Part of subcall function 01054FCA: __EH_prolog3.LIBCMT ref: 01054FD1
                  • SendMessageA.USER32(?,00000158,000000FF,?), ref: 00FDA8B8
                    • Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688
                  • SendMessageA.USER32(?,00000143,00000000,?), ref: 00FDA8FE
                  • SendMessageA.USER32(?,00000151,00000000,?), ref: 00FDA90F
                    • Part of subcall function 00FDA487: __EH_prolog3.LIBCMT ref: 00FDA48E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$H_prolog3Window$Exception@8H_prolog3_Throw_malloc
                  • String ID:
                  • API String ID: 3274925976-0
                  • Opcode ID: b1646b3c69587b683f1968bd25cfff57859e326ed0eae765dde49af35f73e38a
                  • Instruction ID: 9fe0a65397c0e330042c0399c012a52a33d83f1284901aad6643c23be544eec9
                  • Opcode Fuzzy Hash: b1646b3c69587b683f1968bd25cfff57859e326ed0eae765dde49af35f73e38a
                  • Instruction Fuzzy Hash: 2E417F3180425EEBDF29AB30CC52AEDBB71BF15310F1441D9A659622A1DA314F85EF61
                  APIs
                    • Part of subcall function 01017D90: GetParent.USER32(?), ref: 01017D9C
                    • Part of subcall function 01017D90: GetParent.USER32(00000000), ref: 01017D9F
                  • GetWindowLongA.USER32(?,000000EC), ref: 01018654
                  • RedrawWindow.USER32(?,00000000,00000000,00000081,?,?,?,?,?,010189F8,00000000), ref: 010186A5
                  • SetWindowLongA.USER32(?,000000EC,?), ref: 010186B4
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137,?,?,?,?,?,010189F8,00000000), ref: 010186CA
                  • GetClientRect.USER32(?,?), ref: 010186DE
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$LongParent$ClientRectRedraw
                  • String ID:
                  • API String ID: 556606033-0
                  • Opcode ID: 7104c6b4196b884cd49154a9307d9926a6aaff197ac17b7feeb40525262d32e5
                  • Instruction ID: d30ae9e3499f91b269dbcd82c5b9ae9bee265f5494edb5ab722da8dbf56015b1
                  • Opcode Fuzzy Hash: 7104c6b4196b884cd49154a9307d9926a6aaff197ac17b7feeb40525262d32e5
                  • Instruction Fuzzy Hash: 6F21E732500204BFEF61AF78CC899EE7AE9FB88354F154C7AF69693094DA795E40C750
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F9626F
                  • CreateRectRgnIndirect.GDI32(?), ref: 00F96291
                    • Part of subcall function 00F8875C: SelectClipRgn.GDI32(?,00000000), ref: 00F88782
                    • Part of subcall function 00F8875C: SelectClipRgn.GDI32(?,?), ref: 00F88798
                  • GetParent.USER32(?), ref: 00F962B1
                  • MapWindowPoints.USER32(?,00000000,?,00000001), ref: 00F96309
                  • SendMessageA.USER32(?,00000014,?,00000000), ref: 00F96336
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClipSelect$CreateH_prolog3IndirectMessageParentPointsRectSendWindow
                  • String ID:
                  • API String ID: 3362736716-0
                  • Opcode ID: d20dea37fe76b5361d8d7c1d84c238097c510635b4c6adaa4e9cb65571cb7569
                  • Instruction ID: ce0f935c847e81a0c97a27e314129013f57d0a37c2997bc28ef32644e3423ded
                  • Opcode Fuzzy Hash: d20dea37fe76b5361d8d7c1d84c238097c510635b4c6adaa4e9cb65571cb7569
                  • Instruction Fuzzy Hash: 77312A71A0021AAFDF14EFA4CC54AEEB7B5FF08350F148528E955EB250EB359E01DBA0
                  APIs
                    • Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
                    • Part of subcall function 01017D90: GetParent.USER32(?), ref: 01017D9C
                    • Part of subcall function 01017D90: GetParent.USER32(00000000), ref: 01017D9F
                  • SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0101885B
                  • SendMessageA.USER32(?,00000229,00000000,00000000), ref: 01018882
                  • SendMessageA.USER32(?,00000229,00000000,00000000), ref: 0101889F
                  • SendMessageA.USER32(?,00000222,?,00000000), ref: 010188B6
                  • SendMessageA.USER32(?,00000222,00000000,?), ref: 010188DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$Parent$LongWindow
                  • String ID:
                  • API String ID: 4191550487-0
                  • Opcode ID: c6454bdf67c177d7256207ebdb455128bd365a8581ceedd9f11b275455cc94e4
                  • Instruction ID: 895e81e317676452a6497a68ca3c16995a530173a4c7da534f7a913165aeb2d9
                  • Opcode Fuzzy Hash: c6454bdf67c177d7256207ebdb455128bd365a8581ceedd9f11b275455cc94e4
                  • Instruction Fuzzy Hash: 3C2147317002087BEF196F68DC86FFD3A99BB44750F14453AFA509A0C5CAB8E9808790
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$Rect$InflateInvalidateUpdate
                  • String ID:
                  • API String ID: 2730120201-0
                  • Opcode ID: 7282757aec8e1f68a66206dc790e9fd4f5a7119ee90571b2669e01b4169b2c3c
                  • Instruction ID: dd24b67dcd2c8b367cd4de965e3d847c29616e221696a4215fcede9e5ef334b5
                  • Opcode Fuzzy Hash: 7282757aec8e1f68a66206dc790e9fd4f5a7119ee90571b2669e01b4169b2c3c
                  • Instruction Fuzzy Hash: BE3133726002049BDB10EF65C895FAA77B9BF88740F0580B4ED49CF266DB75A806DBB1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Window
                  • String ID:
                  • API String ID: 924285169-0
                  • Opcode ID: 1c92c666075bd54ee975e8efded2ed51429af564e2ee59d5babfa95bfb9cce37
                  • Instruction ID: 2404dcbf8bf88daa78cc52075fddae9841cb7b5544330c7594100002b7038939
                  • Opcode Fuzzy Hash: 1c92c666075bd54ee975e8efded2ed51429af564e2ee59d5babfa95bfb9cce37
                  • Instruction Fuzzy Hash: 46310571D102299FCB65DFA9D8448EEBBF8FF4C760B10406AE540E3220D7759900DFA0
                  APIs
                  • IsWindowVisible.USER32(?), ref: 00F8CD84
                  • GetWindowRect.USER32(00000000,?), ref: 00F8CDB1
                  • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 00F8CDD6
                  • GetWindow.USER32(?,00000005), ref: 00F8CDDF
                  • ScrollWindow.USER32(?,?,?,?,?), ref: 00F8CDFA
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$RectScrollVisible
                  • String ID:
                  • API String ID: 2639402888-0
                  • Opcode ID: c22086af5a73ea57cb5490b9bd014e52166c4ba0b96195bb50584541e80ae8a7
                  • Instruction ID: 424e50945311de48b435e2b7958f85dccd2a23cf8d8fbae8ff9726400031f5f5
                  • Opcode Fuzzy Hash: c22086af5a73ea57cb5490b9bd014e52166c4ba0b96195bb50584541e80ae8a7
                  • Instruction Fuzzy Hash: E4214A72900209EBCF21EF95CC88DEEBBB9FF88754B10441AF582A6210DB759950DBA0
                  APIs
                  • GetClientRect.USER32(?,?), ref: 00FFA383
                  • MapWindowPoints.USER32(?,?,?,00000002), ref: 00FFA396
                  • PtInRect.USER32(?,?,?), ref: 00FFA3A6
                  • MapWindowPoints.USER32(?,?,?,00000001), ref: 00FFA3D5
                  • SendMessageA.USER32(?,00000203,?,?), ref: 00FFA3F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: PointsRectWindow$ClientMessageSend
                  • String ID:
                  • API String ID: 3885650166-0
                  • Opcode ID: 6b3b516d1c400a32a5bdf36c5139d474db9d57e6626ba60ecd237b36d2be92b8
                  • Instruction ID: 53d0f6d7c953bf58b9b3467bd318488d915ff0f5852dda422e8ece3dc2ee3106
                  • Opcode Fuzzy Hash: 6b3b516d1c400a32a5bdf36c5139d474db9d57e6626ba60ecd237b36d2be92b8
                  • Instruction Fuzzy Hash: E2210A72A00209EFDB15DF64CC589BE7BB5FF48310B118529F99997160EB71AD10DB50
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F8E8FC
                  • GetTopWindow.USER32(00000000), ref: 00F8E921
                  • GetDlgCtrlID.USER32(00000000), ref: 00F8E933
                  • SendMessageA.USER32(?,00000087,00000000,00000000), ref: 00F8E98F
                  • GetWindow.USER32(00000000,00000002), ref: 00F8E9CF
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$CtrlH_prolog3MessageSend
                  • String ID:
                  • API String ID: 849854284-0
                  • Opcode ID: bff6e310abf923cad19c695b29fdf320bab73b2e7e9d3f06e83f72e7f20290b6
                  • Instruction ID: 1b8bb918b4921b1d4f77e89212d0336a6196ddb42237f36722cef76c51049a3e
                  • Opcode Fuzzy Hash: bff6e310abf923cad19c695b29fdf320bab73b2e7e9d3f06e83f72e7f20290b6
                  • Instruction Fuzzy Hash: 41219171D00128ABDF21BBA4DC84EEDB678FF56310F144659F491E21A0EB754E40EB61
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FB910D
                  • IsWindowVisible.USER32(?), ref: 00FB9129
                  • IsWindowVisible.USER32(?), ref: 00FB9132
                  • IsWindowVisible.USER32(?), ref: 00FB915F
                  • SendMessageA.USER32(?,00000085,00000000,00000000), ref: 00FB91CB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: VisibleWindow$H_prolog3MessageSend
                  • String ID:
                  • API String ID: 3429043573-0
                  • Opcode ID: b11b84e1fe828cd09c9c6916dd6483d7a35f5b85853d8c155494e87eaeb4557b
                  • Instruction ID: e3b2c24f6d3abfc0725994fa50d53e9c3944324fc71c25e66e1b9736da0b7e90
                  • Opcode Fuzzy Hash: b11b84e1fe828cd09c9c6916dd6483d7a35f5b85853d8c155494e87eaeb4557b
                  • Instruction Fuzzy Hash: 9621A4316046069BCB11FBB9CC95AEF76B9BF48350F000129F556A21A2DF659D01FF61
                  APIs
                    • Part of subcall function 00FA3D3F: __EH_prolog3_GS.LIBCMT ref: 00FA3D46
                    • Part of subcall function 00FA3D3F: GetWindowRect.USER32(?,?), ref: 00FA3D87
                    • Part of subcall function 00FA3D3F: CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 00FA3DB1
                    • Part of subcall function 00FA3D3F: SetWindowRgn.USER32(?,?,00000000), ref: 00FA3DC7
                  • GetSystemMenu.USER32(?,00000000), ref: 00FA4352
                  • DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 00FA4373
                  • DeleteMenu.USER32(?,0000F020,00000000), ref: 00FA437F
                  • DeleteMenu.USER32(?,0000F030,00000000), ref: 00FA438B
                  • EnableMenuItem.USER32(?,0000F060,00000001), ref: 00FA43A5
                    • Part of subcall function 00F9CEC7: SetRectEmpty.USER32(?), ref: 00F9CEFA
                    • Part of subcall function 00F9CEC7: ReleaseCapture.USER32 ref: 00F9CF00
                    • Part of subcall function 00F9CEC7: SetCapture.USER32(?), ref: 00F9CF0F
                    • Part of subcall function 00F9CEC7: GetCapture.USER32 ref: 00F9CF51
                    • Part of subcall function 00F9CEC7: ReleaseCapture.USER32 ref: 00F9CF61
                    • Part of subcall function 00F9CEC7: SetCapture.USER32(?), ref: 00F9CF70
                    • Part of subcall function 00F9CEC7: RedrawWindow.USER32(?,?,?,00000505), ref: 00F9CFDB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CaptureMenu$DeleteRectWindow$Release$CreateEmptyEnableH_prolog3_ItemRedrawRoundSystem
                  • String ID:
                  • API String ID: 2818640433-0
                  • Opcode ID: 81b478ec545f919cdfa53c2d40b4cea3daae1d87dcf152cfc4057d220b284760
                  • Instruction ID: 498a3ed4ca212be1d606085aa62464d605a5e8a399c6c0f380d9a7035d944f96
                  • Opcode Fuzzy Hash: 81b478ec545f919cdfa53c2d40b4cea3daae1d87dcf152cfc4057d220b284760
                  • Instruction Fuzzy Hash: B221C371641210AFDF312F60CC95FAE7A29FF85B10F040039F6059A192CBB6AC10FB90
                  APIs
                  • SelectObject.GDI32(?,00000000), ref: 00FE02A5
                    • Part of subcall function 00F91DA7: DeleteObject.GDI32(00000000), ref: 00F91DC0
                  • SelectObject.GDI32(?,00000000), ref: 00FE02BB
                  • DeleteObject.GDI32(00000000), ref: 00FE0326
                  • DeleteDC.GDI32(00000000), ref: 00FE0335
                  • LeaveCriticalSection.KERNEL32(010F3B94), ref: 00FE034E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Object$Delete$Select$CriticalLeaveSection
                  • String ID:
                  • API String ID: 3849354926-0
                  • Opcode ID: feefcdd3b170d69bf3e3498f3194938d2f1d671648e58ea9f9b12e160e440722
                  • Instruction ID: c1defb97a418260b1bd8c202d7188d5f23b96d93e6da93e123c66818eb0d2e9d
                  • Opcode Fuzzy Hash: feefcdd3b170d69bf3e3498f3194938d2f1d671648e58ea9f9b12e160e440722
                  • Instruction Fuzzy Hash: 7621D071900204DFCF11EFA5CC85999BBB5FF84360B04416AFA189F16ACBB58882EF50
                  APIs
                    • Part of subcall function 00F911CD: GetWindowLongA.USER32(?,000000F0), ref: 00F911D8
                  • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00FAE1FC
                  • SendMessageA.USER32(?,00000086,00000000,00000000), ref: 00FAE213
                  • GetDesktopWindow.USER32 ref: 00FAE217
                  • SendMessageA.USER32(00000000,0000036D,0000000C,00000000), ref: 00FAE238
                  • GetWindow.USER32(00000000), ref: 00FAE23D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSendWindow$DesktopLong
                  • String ID:
                  • API String ID: 2272707703-0
                  • Opcode ID: 1ce96f317e34cbb86da1144ab80d371515d66d03ca1fec77e9fe6d6baeb0b873
                  • Instruction ID: e5137d713df9892c5f55b971e0d97d95c406aaa2166b458e8f50850bfcde1231
                  • Opcode Fuzzy Hash: 1ce96f317e34cbb86da1144ab80d371515d66d03ca1fec77e9fe6d6baeb0b873
                  • Instruction Fuzzy Hash: 8311E771B4071177FB313A11CC4AFAE7A9CBF96764F210124FA42590E2CEA5DC40A790
                  APIs
                  • _memset.LIBCMT ref: 00FF211C
                  • SHAppBarMessage.SHELL32(00000007,?), ref: 00FF213A
                  • SHAppBarMessage.SHELL32(00000007,?), ref: 00FF2154
                  • SHAppBarMessage.SHELL32(00000007,?), ref: 00FF216A
                  • SHAppBarMessage.SHELL32(00000007,?), ref: 00FF2183
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$_memset
                  • String ID:
                  • API String ID: 2485647581-0
                  • Opcode ID: bb62aef3530b28b7279801435734795e1f4d8fb467b2b272c46f328d4d0307a2
                  • Instruction ID: c76100c4ba3068a1915cec8fb90c0f504e71af8d2a9aa64a25ac9440dea0f372
                  • Opcode Fuzzy Hash: bb62aef3530b28b7279801435734795e1f4d8fb467b2b272c46f328d4d0307a2
                  • Instruction Fuzzy Hash: 1A215171E4120AAEE744DFA5D881FEABFB8BF04768F14102AD605E6180DB75E945CBA0
                  APIs
                  • _malloc.LIBCMT ref: 010786DF
                    • Part of subcall function 010752FC: __FF_MSGBANNER.LIBCMT ref: 01075315
                    • Part of subcall function 010752FC: __NMSG_WRITE.LIBCMT ref: 0107531C
                    • Part of subcall function 010752FC: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0107B92B,00F811CC,00000001,00F811CC,?,0107BFC2,00000018,010D5228,0000000C,0107C052), ref: 01075341
                  • _free.LIBCMT ref: 010786F2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap_free_malloc
                  • String ID:
                  • API String ID: 1020059152-0
                  • Opcode ID: ab42dbc081c2be98509a065d5691e80f49538fc2b5bf8109bacd0ded465963f1
                  • Instruction ID: 5bd3731817743027ca92c762e2999195a16599747a702fa25eaf82b8707908c9
                  • Opcode Fuzzy Hash: ab42dbc081c2be98509a065d5691e80f49538fc2b5bf8109bacd0ded465963f1
                  • Instruction Fuzzy Hash: 34110D32C00613ABDB722B34A80869E77D4BF44370B10856AF5CA9B150DE36C451C79C
                  APIs
                  • lstrlenA.KERNEL32(?), ref: 00FD3334
                  • SendMessageA.USER32(?,00001204,00000000,00000002), ref: 00FD3358
                  • lstrlenA.KERNEL32(00000000), ref: 00FD3361
                  • SendMessageA.USER32(?,00001204,00000001,00000002), ref: 00FD337F
                  • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00FD3398
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSendlstrlen$Exception@8RedrawThrowWindow
                  • String ID:
                  • API String ID: 2101318621-0
                  • Opcode ID: 80065cdaaf82fb8a534fe4c2a7c1f69735096407f7c249671e572dc3e7ca2b32
                  • Instruction ID: fcf292f2af48a82eac4b470f15b01d32441d71c89cd06df2c3e6a5eea42d3aa1
                  • Opcode Fuzzy Hash: 80065cdaaf82fb8a534fe4c2a7c1f69735096407f7c249671e572dc3e7ca2b32
                  • Instruction Fuzzy Hash: 95212975600214AFDB11EF59CC89FAEBBB5FF88720F150119F689A72A0DB71A900CB55
                  APIs
                  • GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 00FAEA19
                  • GlobalAddAtomA.KERNEL32(?), ref: 00FAEA28
                  • GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 00FAEA3E
                  • GlobalAddAtomA.KERNEL32(?), ref: 00FAEA47
                  • SendMessageA.USER32(?,000003E4,?,?), ref: 00FAEA71
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AtomGlobal$Name$MessageSend
                  • String ID:
                  • API String ID: 1515195355-0
                  • Opcode ID: 8df28b20e1bb3899b397986640929f4e222708acc9f8e0a5f1f48c3b8f7d454b
                  • Instruction ID: a8ab9c34e72f96aaebecf901293b1fe6d04ef6818a898cdf297c1ac0a3c82678
                  • Opcode Fuzzy Hash: 8df28b20e1bb3899b397986640929f4e222708acc9f8e0a5f1f48c3b8f7d454b
                  • Instruction Fuzzy Hash: 9B21C671900218AACB20DFA5C854AEAB3F8FF58710F01854AF589D7180D7B8AEC0CF90
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F86D40
                    • Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688
                  • __CxxThrowException@8.LIBCMT ref: 00F86D85
                  • FormatMessageA.KERNEL32(00001100,00000000,?,00000800,00F87BB7,00000000,00000000,00000000,?,00F87BB7,010C921C,00000004,00F82218,00F87BB7,?,00F87BB7), ref: 00F86DB0
                  • __cftof.LIBCMT ref: 00F86DCE
                    • Part of subcall function 010783F1: __mbsnbcpy_s_l.LIBCMT ref: 01078404
                  • LocalFree.KERNEL32(00F87BB7,00F82218,00F87BB7,?,00F87BB7), ref: 00F86DDF
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof__mbsnbcpy_s_l_malloc
                  • String ID:
                  • API String ID: 3996353993-0
                  • Opcode ID: 3666f7b48e15b36309987635d093e0f116180632e3043f8fbc303c546178b2ee
                  • Instruction ID: ad475623d8691346a5769435535e0a8be5eabfe760a6e3829a77bd3426c183d0
                  • Opcode Fuzzy Hash: 3666f7b48e15b36309987635d093e0f116180632e3043f8fbc303c546178b2ee
                  • Instruction Fuzzy Hash: 4911E272A04209EFDF10AFA4CC44BEE7BA8FF04724F208519F994CA190D771DD10AB90
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 01054DFF
                    • Part of subcall function 00F88ADB: __EH_prolog3.LIBCMT ref: 00F88AE2
                    • Part of subcall function 00F88ADB: GetWindowDC.USER32(00000000,00000004,00F95F09,00000000,?,?,010A4E00), ref: 00F88B0E
                  • _memset.LIBCMT ref: 01054E1B
                  • EnumFontFamiliesExA.GDI32(?,?,01054BDD,?,00000000), ref: 01054E40
                    • Part of subcall function 01070BAD: __EH_prolog3.LIBCMT ref: 01070BB4
                    • Part of subcall function 01070BAD: _memset.LIBCMT ref: 01070BE3
                  • EnumFontFamiliesExA.GDI32(00000000,?,01054C26,?,00000000), ref: 01054E99
                  • DeleteObject.GDI32(?), ref: 01054E9E
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: EnumFamiliesFontH_prolog3_memset$DeleteException@8H_prolog3_ObjectThrowWindow
                  • String ID:
                  • API String ID: 426196164-0
                  • Opcode ID: c6ae0d3747a5f9d599f99cec0c626a8dd368a5f851fb4e4459b5162c69523603
                  • Instruction ID: 1b30933d00fc2a95d173f33be96774bd40937bbf51e911794164fa0b1c8a4cce
                  • Opcode Fuzzy Hash: c6ae0d3747a5f9d599f99cec0c626a8dd368a5f851fb4e4459b5162c69523603
                  • Instruction Fuzzy Hash: E8219070D0024DAFDB15FBA1CC95EEEBB78AF10344F4040A9A599A71A1EB705E45DB20
                  APIs
                  • __EH_prolog3.LIBCMT ref: 010584BF
                  • SetRectEmpty.USER32(?), ref: 01058574
                  • CreateCompatibleDC.GDI32(00000000), ref: 01058577
                  • SetRectEmpty.USER32(?), ref: 01058596
                  • CreatePen.GDI32(00000000,00000001,?), ref: 010585A1
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateEmptyRect$CompatibleException@8H_prolog3Throw
                  • String ID:
                  • API String ID: 3214640438-0
                  • Opcode ID: fbfdf5711ad48b16eed878e40c529a4ba3790c261f17dde127f8656bb138cf7a
                  • Instruction ID: 9d87218bfdd5d66c49baed4eb913d9e020c71511f4e3ab521e3ad8dab6283515
                  • Opcode Fuzzy Hash: fbfdf5711ad48b16eed878e40c529a4ba3790c261f17dde127f8656bb138cf7a
                  • Instruction Fuzzy Hash: BB21B7B0901B008AD761EF69C981B9AFAE8BFA4300F00890FE1AE97211CB746545DF65
                  APIs
                  • SetCapture.USER32(?), ref: 00FC237E
                  • GetCursorPos.USER32(?), ref: 00FC23BD
                  • LoadCursorA.USER32(00000000,00007F86), ref: 00FC23E7
                  • SetCursor.USER32(00000000), ref: 00FC23EE
                  • GetCursorPos.USER32(?), ref: 00FC23FB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Cursor$CaptureLoad
                  • String ID:
                  • API String ID: 1460996051-0
                  • Opcode ID: e11c2a8073aa74e2698375d4333e9f094bcf71fd483e12c3b9ddbe24f85bbc38
                  • Instruction ID: 77ca5d7883341c85133de2e0ce6d5b8df3dc48b13f2876fbbfe94952fd84c7fb
                  • Opcode Fuzzy Hash: e11c2a8073aa74e2698375d4333e9f094bcf71fd483e12c3b9ddbe24f85bbc38
                  • Instruction Fuzzy Hash: 73118F316006459FDB24AB78C81DFDA77E9FF59714F00046DE1DA87242CB79A800DB91
                  APIs
                  • IsWindow.USER32(?), ref: 00FDA402
                  • SendMessageA.USER32(?,00000146,00000000,00000000), ref: 00FDA42E
                  • SendMessageA.USER32(?,00000150,?,00000000), ref: 00FDA441
                  • SendMessageA.USER32(?,00000146,00000000,00000000), ref: 00FDA45B
                  • SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00FDA46E
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$Exception@8ThrowWindow
                  • String ID:
                  • API String ID: 220582486-0
                  • Opcode ID: 8663b2517736d97ae2e0cc6b1a5c7ada1acb21d42d843714cf07a1686385c67d
                  • Instruction ID: 9e0a8d70790e2a47eb0f9f81c39d194fbaef7c21e93e66a3e79f483df6073918
                  • Opcode Fuzzy Hash: 8663b2517736d97ae2e0cc6b1a5c7ada1acb21d42d843714cf07a1686385c67d
                  • Instruction Fuzzy Hash: 52015231B00605BFEB115B70CC45F9ABAB9FB49754F144126B504E65B0E6B1EC10AB95
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FD49E7
                  • IsWindow.USER32(?), ref: 00FD4A0E
                  • InflateRect.USER32(?,00000000,000000FF), ref: 00FD4A2A
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FD4A3F
                  • UpdateWindow.USER32(?), ref: 00FD4A4E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: RectWindow$H_prolog3_InflateInvalidateUpdate
                  • String ID:
                  • API String ID: 2146894351-0
                  • Opcode ID: 108beddbd6f3149267261f7071c894900a12b40f9a4c5953ad698a82dda2b199
                  • Instruction ID: 0b221c6394a6892a5bde53ddb8685befc7f73a0a0410efd4647b0046111a05bd
                  • Opcode Fuzzy Hash: 108beddbd6f3149267261f7071c894900a12b40f9a4c5953ad698a82dda2b199
                  • Instruction Fuzzy Hash: 201107716002059FDF00DF94C994FE977A5FF08314F0842A8F955AF296CB76A904DB20
                  APIs
                  • FindResourceA.KERNEL32(?,?,75296BA0), ref: 00FE2995
                  • LoadResource.KERNEL32(?,00000000,?,00FE4808,?,?,?,00000084,00FE4BDC,0000000A,0000000A,0000000A,00000000,00000014,00FDCBFB,00000004), ref: 00FE29AB
                  • LockResource.KERNEL32(00000000,?,?,00FE4808,?,?,?,00000084,00FE4BDC,0000000A,0000000A,0000000A,00000000,00000014,00FDCBFB,00000004), ref: 00FE29BA
                  • FreeResource.KERNEL32(?,00000000,00000000,?,?,00FE4808,?,?,?,00000084,00FE4BDC,0000000A,0000000A,0000000A,00000000,00000014), ref: 00FE29CB
                  • SizeofResource.KERNEL32(?,00000000,?,?,00FE4808,?,?,?,00000084,00FE4BDC,0000000A,0000000A,0000000A,00000000,00000014,00FDCBFB), ref: 00FE29D8
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Resource$FindFreeLoadLockSizeof
                  • String ID:
                  • API String ID: 4159136517-0
                  • Opcode ID: 33e018a3187646d27f8fdbc4e65f473a86bafee868c06ef2e576fc7fd09200ad
                  • Instruction ID: 10769015bf27100dbfa15cca973aa1ef177145f160f40e39d20cc2db2c2941b5
                  • Opcode Fuzzy Hash: 33e018a3187646d27f8fdbc4e65f473a86bafee868c06ef2e576fc7fd09200ad
                  • Instruction Fuzzy Hash: 4601DF76900655BF9B616BA6EC18C9F7B6CFF983747019019FD41E3241EA39CE00EBA1
                  APIs
                  • GlobalLock.KERNEL32(00000000), ref: 01070B55
                  • GlobalLock.KERNEL32(00000000), ref: 01070B61
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: GlobalLock
                  • String ID:
                  • API String ID: 2848605275-0
                  • Opcode ID: a1e5cbebc92a10888491ded0da6e5a72968a3ad46f598a17cd67567515fc1f8a
                  • Instruction ID: c1fc5fdcf7499735d60c57e888cd4a6c92972d56c25eccee198747da76316bbc
                  • Opcode Fuzzy Hash: a1e5cbebc92a10888491ded0da6e5a72968a3ad46f598a17cd67567515fc1f8a
                  • Instruction Fuzzy Hash: F201D632A00229ABC7715F7ADC44E3B7EDCEF84AA8B048525BDC9D2204D635DA10C7A8
                  APIs
                  • PtInRect.USER32(?,?,?), ref: 00FDAB7B
                  • RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00FDAB93
                  • PtInRect.USER32(?,?,?), ref: 00FDABAD
                  • ReleaseCapture.USER32 ref: 00FDABBA
                  • RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00FDABCA
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: RectRedrawWindow$CaptureRelease
                  • String ID:
                  • API String ID: 1080614547-0
                  • Opcode ID: e1058cf3601ad1dce46757e24c66add263badef0d28d3da4e1647442c9ff73ac
                  • Instruction ID: 8f5e0210baea9ce021732b94987862bf641dc395a5b593a753167fdac08d3f96
                  • Opcode Fuzzy Hash: e1058cf3601ad1dce46757e24c66add263badef0d28d3da4e1647442c9ff73ac
                  • Instruction Fuzzy Hash: B7015231500704ABDF325F629C58DABBBFBFBC4710B04481FF2AA82120DB76A452EB54
                  APIs
                  • TlsFree.KERNEL32(?), ref: 00F9275E
                  • GlobalHandle.KERNEL32(?), ref: 00F9276C
                  • GlobalUnlock.KERNEL32(00000000), ref: 00F92775
                  • GlobalFree.KERNEL32(00000000), ref: 00F9277C
                  • DeleteCriticalSection.KERNEL32 ref: 00F92786
                    • Part of subcall function 00F92580: EnterCriticalSection.KERNEL32(?), ref: 00F925DF
                    • Part of subcall function 00F92580: LeaveCriticalSection.KERNEL32(?), ref: 00F925EF
                    • Part of subcall function 00F92580: LocalFree.KERNEL32(?), ref: 00F925F8
                    • Part of subcall function 00F92580: TlsSetValue.KERNEL32(?,00000000), ref: 00F9260A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                  • String ID:
                  • API String ID: 1549993015-0
                  • Opcode ID: d86a9b866114bd99fb7ce08027e92ca960285204c9467ea2beeb1dcb757991be
                  • Instruction ID: ac7669ce64903eaca97222291cb958364944596ccbd1c9c9c82bbe8915fca430
                  • Opcode Fuzzy Hash: d86a9b866114bd99fb7ce08027e92ca960285204c9467ea2beeb1dcb757991be
                  • Instruction Fuzzy Hash: 6BF054366006007BDA705F7CA858E6A37A9BF857653168608F455E3285DB39DC029761
                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00FCA933
                    • Part of subcall function 01008548: __EH_prolog3.LIBCMT ref: 0100854F
                  • _free.LIBCMT ref: 00FCAB28
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Exception@8H_prolog3H_prolog3_catchThrow_free
                  • String ID: %sDockingManager-%d$DockingPaneAndPaneDividers
                  • API String ID: 302405227-4068244756
                  • Opcode ID: df6a98de698deb9fbf28348e9004044cfa0aef2649e2ce7d1072f7477e343476
                  • Instruction ID: 8941ec944be7ed42bd9ba3c5f65eeaa0b043aa696bdb9c64202d4c9ee7c741e8
                  • Opcode Fuzzy Hash: df6a98de698deb9fbf28348e9004044cfa0aef2649e2ce7d1072f7477e343476
                  • Instruction Fuzzy Hash: 3D611430E0020ADFDF15EBA4C942FEDB7B1AF54324F15415CE8956B291CB386D01EB52
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FBF0A7
                  • CreateRectRgnIndirect.GDI32(?), ref: 00FBF1BB
                    • Part of subcall function 00F88EC1: __EH_prolog3.LIBCMT ref: 00F88EC8
                    • Part of subcall function 00F88EC1: CreateSolidBrush.GDI32(00000000), ref: 00F88EE3
                  • FillRect.USER32(?,00000000,?), ref: 00FBF0F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateRect$BrushFillH_prolog3H_prolog3_IndirectSolid
                  • String ID: %d%%
                  • API String ID: 2254786338-1518462796
                  • Opcode ID: d7481287f52da03e270ebcfe5f7b491ad673891d0270d98b94bb2405f317c7fc
                  • Instruction ID: 2f904ab223132a27343cb4de9a70a90831239d12241200a2561b91b380b79328
                  • Opcode Fuzzy Hash: d7481287f52da03e270ebcfe5f7b491ad673891d0270d98b94bb2405f317c7fc
                  • Instruction Fuzzy Hash: 18513B71900209EFDF05EFA8CC95AEE77B9BF18314F104558F851BB285CB75AA08DB60
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$ClientCopyH_prolog3_
                  • String ID: Afx:DockPane
                  • API String ID: 871324638-3269875795
                  • Opcode ID: c88b41d9a255fbdd14f6e1305f91b11e0784e58d20d251be94947eb8e370a82c
                  • Instruction ID: f52b3bbe24892edca14e10aae7fb567873975dd15a9b655e4ce97f456ce31aa3
                  • Opcode Fuzzy Hash: c88b41d9a255fbdd14f6e1305f91b11e0784e58d20d251be94947eb8e370a82c
                  • Instruction Fuzzy Hash: 3241E3B19002099FDF45DFA4C888BEEBBB5FF08310F148469F909EB255C7759A45DBA0
                  APIs
                  • __snwprintf_s.LIBCMT ref: 00F90AAE
                  • __snwprintf_s.LIBCMT ref: 00F90AE0
                    • Part of subcall function 010768CC: __getptd_noexit.LIBCMT ref: 010768CC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: __snwprintf_s$__getptd_noexit
                  • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
                  • API String ID: 101746997-2801496823
                  • Opcode ID: f46bb7258bf2243af4cf295d7b12692c45c579667bb561ed64cb524afb28de8c
                  • Instruction ID: 4c851ac6a5628626671fe9d76919e45f9218bea526c86026afb975b8eefcd186
                  • Opcode Fuzzy Hash: f46bb7258bf2243af4cf295d7b12692c45c579667bb561ed64cb524afb28de8c
                  • Instruction Fuzzy Hash: 46316BB1D0060AEFEF51EFA9C8409DE7BB4EF58320F004056F845A7212DA368940EF75
                  APIs
                  • GetModuleHandleA.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,01019775), ref: 00FB2ACC
                  • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00FB2ADC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: DWMAPI$DwmInvalidateIconicBitmaps
                  • API String ID: 1646373207-1098356003
                  • Opcode ID: f95806f8453571107ffbaa67cac5a98352e507d1a0510b28b7557d9ac8c6e5a9
                  • Instruction ID: b34e6e075ac8015c35cbd93fea59ab76df10d11069b01a2257b1ed21695d8699
                  • Opcode Fuzzy Hash: f95806f8453571107ffbaa67cac5a98352e507d1a0510b28b7557d9ac8c6e5a9
                  • Instruction Fuzzy Hash: AB119671A002059BCB50DFBA88946EF77E9AF49310B04047DA906EB141EE79DE00EF60
                  APIs
                  • _memset.LIBCMT ref: 00F94F66
                  • GetSysColor.USER32(00000014), ref: 00F94FB0
                  • CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 00F95003
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: BitmapColorCreate_memset
                  • String ID: (
                  • API String ID: 3930187609-3887548279
                  • Opcode ID: 606d623067f4a7ad4abd344bdba817ebb4068bd80688fd91cafcc4580ca0c28a
                  • Instruction ID: 440dac83ce99c20f2386847afa2db4fd79c60698e8ed504eef5c51ff574c7ac5
                  • Opcode Fuzzy Hash: 606d623067f4a7ad4abd344bdba817ebb4068bd80688fd91cafcc4580ca0c28a
                  • Instruction Fuzzy Hash: 19213731A10248DFEB04CBB8C855BEDBBF4BF55700F00846EE586E7281DE355908CB64
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FBA5E2
                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00FBA63E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3_InflateRect
                  • String ID: iii$
                  • API String ID: 3173815319-462628325
                  • Opcode ID: 423f7995e5ec3be6458ad2ea605141bedae0127898700cd73ad844cf8901a130
                  • Instruction ID: 96a47ea9403b7e4a67f656f8868dbbb51f42d46749ec539c33f0def58d9c3bfa
                  • Opcode Fuzzy Hash: 423f7995e5ec3be6458ad2ea605141bedae0127898700cd73ad844cf8901a130
                  • Instruction Fuzzy Hash: 27216F71E10115DFCB20DF69D8849EDB7B5BF6C720B144159E482AB290EB359E01CF54
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 01002A48
                  • SetRectEmpty.USER32(?), ref: 01002AAC
                  • GetClassNameA.USER32(?,?,000000FF), ref: 01002AE4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClassEmptyH_prolog3_NameRect
                  • String ID: SysListView32
                  • API String ID: 2539663969-78025650
                  • Opcode ID: 0003b1815f9f5bb402194bdac73e1ec13afb0a965bb7bf6bd5d3a3021417ceb7
                  • Instruction ID: 2a906940a0a2672730507e9ba0b9d5ff057c4ddf2f20dacc73cd60a4c0166e8f
                  • Opcode Fuzzy Hash: 0003b1815f9f5bb402194bdac73e1ec13afb0a965bb7bf6bd5d3a3021417ceb7
                  • Instruction Fuzzy Hash: AF314CB0900B198FC724EF69C9819DABBF0BF08710F408A6DE59A97691D774A644CF50
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CursorH_prolog3
                  • String ID: Control Panel\Desktop$MenuShowDelay
                  • API String ID: 634316419-702829638
                  APIs
                    • Part of subcall function 00F96CFD: EnterCriticalSection.KERNEL32(010F2290,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D37
                    • Part of subcall function 00F96CFD: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D49
                    • Part of subcall function 00F96CFD: LeaveCriticalSection.KERNEL32(010F2290,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D56
                    • Part of subcall function 00F96CFD: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D66
                    • Part of subcall function 00F9217F: __EH_prolog3_catch.LIBCMT ref: 00F92186
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00F8F188
                  • FreeLibrary.KERNEL32(?), ref: 00F8F198
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
                  • String ID: HtmlHelpA$hhctrl.ocx
                  • API String ID: 3274081130-63838506
                  APIs
                  • KillTimer.USER32(?,00000002), ref: 0102071B
                  • GetFocus.USER32 ref: 01020727
                  • RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 01020758
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: FocusKillRedrawTimerWindow
                  • String ID: y
                  • API String ID: 1950525498-4225443349
                  APIs
                  • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00F84936
                  • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 00F84946
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: Advapi32.dll$RegCreateKeyTransactedA
                  • API String ID: 1646373207-1184998024
                  APIs
                  • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00F85056
                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00F85066
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: Advapi32.dll$RegDeleteKeyTransactedA
                  • API String ID: 1646373207-1972538232
                  APIs
                  • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00F848DD
                  • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00F848ED
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: Advapi32.dll$RegOpenKeyTransactedA
                  • API String ID: 1646373207-496252237
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD8796
                  • SendMessageA.USER32 ref: 00FD87BE
                  • SendMessageA.USER32(?,000000B0,?,?), ref: 00FD87D3
                    • Part of subcall function 00F834E7: _strnlen.LIBCMT ref: 00F83519
                    • Part of subcall function 00F834E7: _memcpy_s.LIBCMT ref: 00F8354D
                    • Part of subcall function 00FD8398: __EH_prolog3.LIBCMT ref: 00FD839F
                  • MessageBeep.USER32(000000FF), ref: 00FD895C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Message$H_prolog3Send$Beep_memcpy_s_strnlen
                  • String ID:
                  • API String ID: 2026611799-0
                  APIs
                  • FindResourceW.KERNEL32(?,00000000,000000F1), ref: 00FA256B
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • LoadResource.KERNEL32(?,00000000), ref: 00FA257E
                  • LockResource.KERNEL32(00000000), ref: 00FA258C
                  • FreeResource.KERNEL32(?), ref: 00FA2730
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Resource$Exception@8FindFreeLoadLockThrow
                  • String ID:
                  • API String ID: 3726238965-0
                  APIs
                  • GetClientRect.USER32(?,?), ref: 01008F3F
                  • SetRectEmpty.USER32(?), ref: 01008F98
                  • OffsetRect.USER32(?,00000000,?), ref: 0100903F
                  • SetRectEmpty.USER32(?), ref: 01009095
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Empty$ClientOffset
                  • String ID:
                  • API String ID: 2342594873-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: EmptyRect$Window
                  • String ID:
                  • API String ID: 1945993337-0
                  APIs
                  • _memset.LIBCMT ref: 00FF0E63
                  • GetSysColorBrush.USER32(0000000F), ref: 00FF0ECC
                  • SetClassLongA.USER32(?,000000F6,00000000), ref: 00FF0ED8
                  • GetWindowRect.USER32(?,?), ref: 00FF0EFB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: BrushClassColorLongRectWindow_memset
                  • String ID:
                  • API String ID: 2638262843-0
                  APIs
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 01018DF0
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 01018E36
                  • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 01018E46
                  • IsWindowVisible.USER32(?), ref: 01018EEB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSendWindow$RedrawVisible
                  • String ID:
                  • API String ID: 2376333906-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$CopyEmptyWindow
                  • String ID:
                  • API String ID: 2176940440-0
                  APIs
                  • __EH_prolog3.LIBCMT ref: 01054225
                  • SendMessageA.USER32(?,00000146,00000000,00000000), ref: 0105438C
                  • SendMessageA.USER32(?,00000150,?,00000000), ref: 010543D8
                  • SendMessageA.USER32(?,00000146,00000000,00000000), ref: 0105440A
                    • Part of subcall function 00F87DF9: __EH_prolog3_GS.LIBCMT ref: 00F87E03
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$H_prolog3H_prolog3_
                  • String ID:
                  • API String ID: 1270747201-0
                  APIs
                  • GetAsyncKeyState.USER32(00000001), ref: 00FB7070
                  • WindowFromPoint.USER32(?,?), ref: 00FB70B0
                  • SendMessageA.USER32(?,00000000,?,00000000), ref: 00FB7123
                  • ScreenToClient.USER32(?,?), ref: 00FB7184
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: AsyncClientFromMessagePointScreenSendStateWindow
                  • String ID:
                  • API String ID: 227561881-0
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00F90B6D
                  • SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 00F90CB4
                    • Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688
                  • SendDlgItemMessageA.USER32(?,?,00000401,00000000,?), ref: 00F90C40
                    • Part of subcall function 00F984A0: __EH_prolog3.LIBCMT ref: 00F984A7
                  • SendDlgItemMessageA.USER32(?,?,0000037C,?,?), ref: 00F90C72
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ItemMessageSend$H_prolog3$_malloc
                  • String ID:
                  • API String ID: 2480034192-0
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FF4A14
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                    • Part of subcall function 00F91528: __EH_prolog3_catch.LIBCMT ref: 00F9152F
                  • GetWindowRect.USER32(?,?), ref: 00FF4B08
                  • GetSystemMetrics.USER32(00000010), ref: 00FF4B16
                  • GetSystemMetrics.USER32(00000011), ref: 00FF4B21
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem$Exception@8H_prolog3_H_prolog3_catchRectThrowWindow
                  • String ID:
                  • API String ID: 3879625780-0
                  • Opcode ID: 38c401aa43292917fa5c8e6c2fd2ef0f54cc1d6529a731d8bd3ad401b669d19d
                  • Instruction ID: 6b4700c5aa432e5349495ca083a70eaa3ea5743657c8be1a895efcc5b755841d
                  • Opcode Fuzzy Hash: 38c401aa43292917fa5c8e6c2fd2ef0f54cc1d6529a731d8bd3ad401b669d19d
                  • Instruction Fuzzy Hash: 94416871A006099FDB14EFA8CC95AEEBBF5FF48300F144569E916AB291CB75A900DB50
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FF6D7A
                  • EqualRect.USER32(?,?), ref: 00FF6DA0
                  • BeginDeferWindowPos.USER32(?), ref: 00FF6DAD
                  • EndDeferWindowPos.USER32(?), ref: 00FF6DD3
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$DeferRect$BeginEqualException@8Throw
                  • String ID:
                  • API String ID: 2822849800-0
                  • Opcode ID: 95679d621e415570080de4b93b3fa3dd0a371debd2497f50e61da04e7e92feb9
                  • Instruction ID: e8fd30ddd52e60931d32c75b5bd73693d43e21f0ba8ff692573ab22d0c46a6a5
                  • Opcode Fuzzy Hash: 95679d621e415570080de4b93b3fa3dd0a371debd2497f50e61da04e7e92feb9
                  • Instruction Fuzzy Hash: 43414D71E00208DFCF15EFA5C8848EEFBB9FF88310B14416AE601EB265DB759901DB50
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD08DA
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00FD0997
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00FD0A0F
                  • InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00FD0A2C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageSend$H_prolog3InvalidateRect
                  • String ID:
                  • API String ID: 1245545628-0
                  • Opcode ID: cfe38dd9a3c7a01aaef1362cf56d9b9a22c8b1749150f69fc8dd0b86f41c69bf
                  • Instruction ID: 6e31322618428950f5b42d56f64c4b4ae87cb899813fe075afcd911340663c12
                  • Opcode Fuzzy Hash: cfe38dd9a3c7a01aaef1362cf56d9b9a22c8b1749150f69fc8dd0b86f41c69bf
                  • Instruction Fuzzy Hash: 9C417C316006009FDB259F68C898BAEB7F2BF49710F28056EF19A973A1CF759840DB55
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: EmptyRect
                  • String ID:
                  • API String ID: 2270935405-0
                  • Opcode ID: ce4c3c94ab20f0478b5059152c13d36b31a8cac15e28d2c87487e7cf8e9ba21e
                  • Instruction ID: 0c63f07e8914d49184bf1550f88dea7169a8f38bb830126960a5e18c9b6f44b4
                  • Opcode Fuzzy Hash: ce4c3c94ab20f0478b5059152c13d36b31a8cac15e28d2c87487e7cf8e9ba21e
                  • Instruction Fuzzy Hash: 625198B1801B858EC360DF3AC5816E6FAE9BF99310F104A2FD0EAD2261DBB464819F51
                  APIs
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,31AAD7C2,?,?,?,?,0108BC3C,000000FF), ref: 00F84F29
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,0108BC3C,000000FF), ref: 00F84F62
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,0108BC3C,000000FF), ref: 00F84F7D
                  • GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 00F84FE6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: QueryValue$ClosePrivateProfileString
                  • String ID:
                  • API String ID: 1042844925-0
                  • Opcode ID: d126f567fdd784cd07ec8800f7e09d55a063f4a17e8dcd0c7f6fe98aea314c34
                  • Instruction ID: 305e7c0fbb34845fb39cb3ead63dfc439904d7e037a890350c484f2a211af425
                  • Opcode Fuzzy Hash: d126f567fdd784cd07ec8800f7e09d55a063f4a17e8dcd0c7f6fe98aea314c34
                  • Instruction Fuzzy Hash: 06414E71D001A9ABCB21EF54CC449DEB7B8FB48710F10459AF599A3280CBB86AC1EF64
                  APIs
                  • SetRectEmpty.USER32(?), ref: 00FE8D11
                  • GetWindowRect.USER32(?,?), ref: 00FE8D1E
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00FE8D4B
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00FE8DB2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessageRectSend$EmptyWindow
                  • String ID:
                  • API String ID: 1914275016-0
                  • Opcode ID: 40c0c120de995da445e325efaa5e7bb813acf5ee9375b69198a1f5f7ff8b49fc
                  • Instruction ID: 7150a930fb62d1c5cec2bea62af8c3a8687696f24769a1c4f785ffc74953c683
                  • Opcode Fuzzy Hash: 40c0c120de995da445e325efaa5e7bb813acf5ee9375b69198a1f5f7ff8b49fc
                  • Instruction Fuzzy Hash: B2414D71A00245EFDB20AF65C888AFEB7B9FF49344F240469F54AD7290CB319D41DBA0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Window$EqualParent
                  • String ID:
                  • API String ID: 2870910800-0
                  • Opcode ID: c5284c377c57d03a352c396e61304a8885506150f5d77aa45145323b44c48fdf
                  • Instruction ID: 4dbea728132d39fcff3b32cb62a30ee5c200ecd07c779773ca1661b5099dc137
                  • Opcode Fuzzy Hash: c5284c377c57d03a352c396e61304a8885506150f5d77aa45145323b44c48fdf
                  • Instruction Fuzzy Hash: FB414972E012099FDF10DFA4C988ABEB7B9FF48714F150169EA05EB260DB35AD00DB60
                  APIs
                  • SetRectEmpty.USER32(?), ref: 00FD4ED8
                  • RedrawWindow.USER32(?,?,00000000,00000105), ref: 00FD4EF3
                  • IsRectEmpty.USER32(?), ref: 00FD4F45
                  • RedrawWindow.USER32(?,?,00000000,00000105), ref: 00FD4F60
                    • Part of subcall function 00FD2B01: RedrawWindow.USER32(00000000,?,00000000,00000105), ref: 00FD2B6B
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: RedrawWindow$EmptyRect
                  • String ID:
                  • API String ID: 138230908-0
                  • Opcode ID: 9aa34ea7ad0ed0d5d9b6f683b3d02d2b01b39ee403ea3dfc7b524c78b39a54f7
                  • Instruction ID: 7a462069be009399e3d2fbd41066214832c9af7a262ddb41774f7d5299636871
                  • Opcode Fuzzy Hash: 9aa34ea7ad0ed0d5d9b6f683b3d02d2b01b39ee403ea3dfc7b524c78b39a54f7
                  • Instruction Fuzzy Hash: 75416D72E00205ABDF10DF64C885BEE77BAFB88310F19407AEA05AF251D671AD41DB64
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClientScreenWindow
                  • String ID:
                  • API String ID: 1643562046-0
                  • Opcode ID: 6ccf2ff0c538e91cf194e2ffd6acb12d0da67be9ff9143f7d1d930554030bc7c
                  • Instruction ID: 0bb7d90e2b7303ffd62c00f9b7b047be2f646fea600dafe5c2a0f0cbdff50a97
                  • Opcode Fuzzy Hash: 6ccf2ff0c538e91cf194e2ffd6acb12d0da67be9ff9143f7d1d930554030bc7c
                  • Instruction Fuzzy Hash: 7E41A075901A04AFEF20AF95CC80BFEBBA9EF08B10F104429E985D6161EA3DD940EF50
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FCF1E2
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  • SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000408,00000394), ref: 00FCF246
                  • SHGetPathFromIDListA.SHELL32(?,?,00000394), ref: 00FCF263
                  • SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000208,00000394), ref: 00FCF344
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileInfo$Exception@8FromH_prolog3_ListPathThrow
                  • String ID:
                  • API String ID: 1236858919-0
                  • Opcode ID: 5fd85e0d1baa781bb252fdd913d1ddb4bc16f3136dc44e581d5a15bc025a207d
                  • Instruction ID: 6e021931943a3c4463ebc790d273bbcbdad3ada09ca634a81fd86a43b8c40d79
                  • Opcode Fuzzy Hash: 5fd85e0d1baa781bb252fdd913d1ddb4bc16f3136dc44e581d5a15bc025a207d
                  • Instruction Fuzzy Hash: 88417B75A0011A9FCB29AF24CD4AFEEB6B9BF44310F5441ADF04AA6191DB74AE44EF10
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00FD319F
                    • Part of subcall function 00F95AF2: __EH_prolog3.LIBCMT ref: 00F95AF9
                    • Part of subcall function 00F95AF2: GetClientRect.USER32(?,?), ref: 00F95B4C
                  • GetClientRect.USER32(?,?), ref: 00FD31EF
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FD3273
                  • SelectObject.GDI32(?,?), ref: 00FD329C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$Client$H_prolog3H_prolog3_InflateObjectSelect
                  • String ID:
                  • API String ID: 3664266300-0
                  • Opcode ID: a03d1989f9b3ff8df912f9b9522596d4d12cb35ed0f5d94100c4aa418f11e02f
                  • Instruction ID: 63b5cc2bccf891bde3ffe3dad9f315531c72c0f9926be6ebfdb695bafd729134
                  • Opcode Fuzzy Hash: a03d1989f9b3ff8df912f9b9522596d4d12cb35ed0f5d94100c4aa418f11e02f
                  • Instruction Fuzzy Hash: 24315E31E006299FDF01EFA8C8849DEB7B6FF49320F144269F955AB285CB759A01CF91
                  APIs
                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00FFB202
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000014), ref: 00FFB238
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00FFB242
                  • UpdateWindow.USER32(?), ref: 00FFB249
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$InvalidateRectUpdate
                  • String ID:
                  • API String ID: 1651931182-0
                  • Opcode ID: 0de9aa3ece2b6592042941980da9cf782dc2279d1547667eada1910c666eff61
                  • Instruction ID: 5b90a6458c2f89e52ca20393b6ad4aecdbdc474c012bf5afaa89f7049ffab174
                  • Opcode Fuzzy Hash: 0de9aa3ece2b6592042941980da9cf782dc2279d1547667eada1910c666eff61
                  • Instruction Fuzzy Hash: 84313C71900B0CEFCF32CF64C8989BFB7A5FF94361F24495AE69692125D7719980EB10
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD6F72
                  • GetCursorPos.USER32(?), ref: 00FD6FD3
                  • ScreenToClient.USER32(?,?), ref: 00FD6FE0
                  • SendMessageA.USER32(?,00000030,?,00000000), ref: 00FD7096
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: ClientCursorH_prolog3MessageScreenSend
                  • String ID:
                  • API String ID: 2934386762-0
                  • Opcode ID: 066b878fbbb15f94a02b4cae13905d8c99d9b66e95b6a63bdec6969e8237bd1f
                  • Instruction ID: 1a109ad4aa43b623560eaf7f81f295f8b6b75afb66f15d5292b64a9f81357500
                  • Opcode Fuzzy Hash: 066b878fbbb15f94a02b4cae13905d8c99d9b66e95b6a63bdec6969e8237bd1f
                  • Instruction Fuzzy Hash: 15316072A04606DFCB14FFA0C898AAEB7B6FF44314F18452EE1568E291EB359D41EB10
                  APIs
                  • GetParent.USER32(?), ref: 0100CE43
                  • GetClientRect.USER32(?,?), ref: 0100CE87
                  • GetWindowRect.USER32(?,?), ref: 0100CECD
                  • GetSystemMetrics.USER32(00000007), ref: 0100CEE1
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$ClientMetricsParentSystemWindow
                  • String ID:
                  • API String ID: 2120119201-0
                  • Opcode ID: a89ec9287e8df83c537b55cc354b057725959f5e80af1f5f3c139a73b945decc
                  • Instruction ID: e4288b7fb480099e9f489d29c2348dd2b7b972d21efb9b50231678e6b67cc173
                  • Opcode Fuzzy Hash: a89ec9287e8df83c537b55cc354b057725959f5e80af1f5f3c139a73b945decc
                  • Instruction Fuzzy Hash: D7311871D00209DFDF11DFA8D9849EEBBF5FF49304F10456AE945E7241EB75A9008BA4
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$ClientEmptyWindow
                  • String ID:
                  • API String ID: 742297903-0
                  • Opcode ID: c6205b392a2a03048d3c53781b7c519eb053b3d3278d668c48a1ec4fa6321b45
                  • Instruction ID: 71c60ddbfd119f615d86f2b00674be080b34b50aaba6ee45e53a8d00b208a54b
                  • Opcode Fuzzy Hash: c6205b392a2a03048d3c53781b7c519eb053b3d3278d668c48a1ec4fa6321b45
                  • Instruction Fuzzy Hash: 603118B5A0010AEFCB04EFA8C994EADB7F5FF49305B54816AE41BDB341DB34A905DB90
                  APIs
                  • __EH_prolog3.LIBCMT ref: 01014551
                  • GetMenuItemCount.USER32(?), ref: 010145A3
                  • GetMenuItemID.USER32(?,00000000), ref: 01014604
                  • GetSubMenu.USER32(?,00000000), ref: 01014613
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                  • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Menu$Item$CountH_prolog3
                  • String ID:
                  • API String ID: 366217265-0
                  • Opcode ID: 9947191f4bba3b3a5b7e7906246b6bde6193ddcc9cc57ca63d8039dce449d085
                  • Instruction ID: 564adabf8a51bec41df959620d618aad4b363a2b1a976a748b28f8716fe73a6d
                  • Opcode Fuzzy Hash: 9947191f4bba3b3a5b7e7906246b6bde6193ddcc9cc57ca63d8039dce449d085
                  • Instruction Fuzzy Hash: 4631F4B02005039FDF24EF64D8909AE7BE9FF04354B104A2DF296CA5AADF38E841CB51
                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0100B384
                  • _strlen.LIBCMT ref: 0100B456
                    • Part of subcall function 00F82CE9: _memcpy_s.LIBCMT ref: 00F82D3B
                  • SearchPathA.KERNEL32(00000000,00000010,00000000,00000104,?,00000000,00000270), ref: 0100B41E
                  • SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000105,00000270), ref: 0100B492
                  Yara matches
                  Similarity
                  • API ID: FileH_prolog3_InfoPathSearch_memcpy_s_strlen
                  • String ID:
                  • API String ID: 1153459047-0
                  • Opcode ID: 59781f04540f559137b4cf521eebf75e1e3ae3001b0690337238fd671b9b0daf
                  • Instruction ID: 1fc5fa741125a8529d421c478baf87e44a0f6302ce8141fd35b5e12c5094222c
                  • Instruction Fuzzy Hash: BA31A471A441189FEF65EB78CC89AED77A8AF04710F0106C9F199A72D1DF759E44CB20
                  APIs
                  • GetParent.USER32(?), ref: 0100CD71
                  • GetWindowRect.USER32(?,?), ref: 0100CDBE
                  • OffsetRect.USER32(?,00000000,?), ref: 0100CDD8
                  • GetWindow.USER32(?,00000005), ref: 0100CDF8
                  Yara matches
                  Similarity
                  • API ID: RectWindow$OffsetParent
                  • String ID:
                  • API String ID: 3516746122-0
                  • Opcode ID: ca4466e273405d25bd36d5713c6dfe62a43eb007aa9921ef97ba6c14b10dc673
                  • Instruction ID: b3aa2c3257e7842b73a0f49f6e4d5e85494e3ebea790b937bb20ed98a67f49af
                  • Instruction Fuzzy Hash: FE215171D00219ABDF11AFA5CD49CEEFBB9FF88710F200659F191B3280EA7959019B91
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FDC183
                  • GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 00FDC1EB
                  • CreatePalette.GDI32(00000000), ref: 00FDC236
                    • Part of subcall function 00FDBD5F: GetObjectA.GDI32(?,00000002,?), ref: 00FDBD6E
                    • Part of subcall function 00F8266A: _malloc.LIBCMT ref: 00F82688
                  • GetPaletteEntries.GDI32(00000000,00000000,00000000,00000004), ref: 00FDC21D
                  Yara matches
                  Similarity
                  • API ID: Palette$Entries$CreateH_prolog3ObjectSystem_malloc
                  • String ID:
                  • API String ID: 437169817-0
                  • Opcode ID: e371ce08f7c2ae84fe74a99a2d2446d05e13adbba2876c3a40c143765d42baa8
                  • Instruction ID: ef877ea72eff77061240c19eff2acbaa2fd8aec5a36b11ed9bf36c23628846d7
                  • Instruction Fuzzy Hash: 1721B072A00201EBDB55AFA4CC85FDA77A5BF05310F14402EF58ADB292DE38A800DB65
                  APIs
                  • _memset.LIBCMT ref: 010065EC
                  • _memcpy_s.LIBCMT ref: 01006602
                  • SendMessageA.USER32(?,0000040B,00000000,?), ref: 0100661E
                  • _memcmp.LIBCMT ref: 01006633
                    • Part of subcall function 00F87975: __CxxThrowException@8.LIBCMT ref: 00F8798B
                  Yara matches
                  Similarity
                  • API ID: Exception@8MessageSendThrow_memcmp_memcpy_s_memset
                  • String ID:
                  • API String ID: 3731674294-0
                  • Opcode ID: d52129a8b666f56a44ee066336bd1904536eb2d9a747c74cf50b4ed4380deacc
                  • Instruction ID: 54141f38114e0ad9cb3fbc90dea8ae154e7022e14f99f5739e34f01b0a7a52cf
                  • Instruction Fuzzy Hash: 9F112CB2E00209BBDB10EBA4CC46FDF77B8AB58740F114415F755AB281DA75A9018BA4
                  Yara matches
                  Similarity
                  • API ID: __getptd_noexit
                  • String ID:
                  • API String ID: 3074181302-0
                  • Opcode ID: 31de683cbb14c0009ac10e46dfebfa4b6d6a216bfb323cdacf5a588a998787f4
                  • Instruction ID: 94eea1da1531891517e332b8455a8b569ddafb8c38ecb732b58f4a071566d656
                  • Instruction Fuzzy Hash: FA11E6B1D00206FFEF712B64DC09BAE3BE5EB44360F1182A5E9D597190C7768C45DB68
                  APIs
                  • GetParent.USER32(?), ref: 00FB2D5F
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00FB2DA2
                  • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00FB2DAE
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00FB2D8D
                    • Part of subcall function 010187E0: SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0101885B
                    • Part of subcall function 010187E0: SendMessageA.USER32(?,00000229,00000000,00000000), ref: 01018882
                    • Part of subcall function 010187E0: SendMessageA.USER32(?,00000229,00000000,00000000), ref: 0101889F
                    • Part of subcall function 010187E0: SendMessageA.USER32(?,00000222,?,00000000), ref: 010188B6
                  Yara matches
                  Similarity
                  • API ID: MessageSend$ParentRedrawWindow
                  • String ID:
                  • API String ID: 2139789815-0
                  • Opcode ID: 02c4dc1e22cc22ddae62f4377e2541e1d5e41a91ad38e50dd3012ca3f440a8fb
                  • Instruction ID: 4d18baba30d30b8941a1f35278539809b00a8590cc7e69386a22a3fcef3a6c75
                  • Instruction Fuzzy Hash: 2211A072600204BFDF31AF62CCC9EEE7AA9FB883A4F104429F64596150DB799D40EB90
                  APIs
                    • Part of subcall function 00F9116D: GetDlgItem.USER32(?,?), ref: 00F9117E
                  • GetWindowLongA.USER32(?,000000F0), ref: 00FDED09
                  • GetWindowTextLengthA.USER32(?), ref: 00FDED36
                  • GetWindowTextA.USER32(?,00000000,00000100), ref: 00FDED65
                  • SendMessageA.USER32(?,0000014D,000000FF,?), ref: 00FDED86
                    • Part of subcall function 00F91D0F: lstrlenA.KERNEL32(?,?,?), ref: 00F91D3B
                    • Part of subcall function 00F91D0F: _memset.LIBCMT ref: 00F91D58
                    • Part of subcall function 00F91D0F: GetWindowTextA.USER32(00000000,00000000,00000100), ref: 00F91D72
                    • Part of subcall function 00F91D0F: lstrcmpA.KERNEL32(00000000,?,?,?), ref: 00F91D84
                    • Part of subcall function 00F91D0F: SetWindowTextA.USER32(00000000,?), ref: 00F91D90
                  Yara matches
                  Similarity
                  • API ID: Window$Text$ItemLengthLongMessageSend_memsetlstrcmplstrlen
                  • String ID:
                  • API String ID: 205973220-0
                  • Opcode ID: 2237bbd322e192ad5c64ceb99dafb3ff438c5c0f620dd8c5cd66ba7732ff6333
                  • Instruction ID: b1ab389a265c1124beb0001b38ca2963cdc09f3cd150a4e76adedc6f64c982c1
                  • Instruction Fuzzy Hash: 50115B32504209FBDF11BF64CC15EA97B67BF04360F28461AF9694E2E4CB35A890EB50
                  APIs
                  • GetObjectA.GDI32(?,0000000C,?), ref: 00F8C2C6
                  • SetBkColor.GDI32(?,?), ref: 00F8C2D0
                  • GetSysColor.USER32(00000008), ref: 00F8C2E0
                  • SetTextColor.GDI32(?,?), ref: 00F8C2E8
                  Yara matches
                  Similarity
                  • API ID: Color$ObjectText
                  • String ID:
                  • API String ID: 829078354-0
                  • Opcode ID: 76f480b806637bb76d50f56e8563885a4458d195882e2d7495c4353a8c142618
                  • Instruction ID: d81d5fa945a5c05146ed518e51a82547071c0700c4750dd40062440f80dd465d
                  • Instruction Fuzzy Hash: 3E116131E11118ABCB30BFA898449FF77A9FB8A724F144519F951E21C0CB35DD1197B5
                  APIs
                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 00F84B65
                  • RegCloseKey.ADVAPI32(00000000), ref: 00F84B6E
                  • swprintf.LIBCMT ref: 00F84B8B
                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00F84B9C
                  Yara matches
                  Similarity
                  • API ID: ClosePrivateProfileStringValueWriteswprintf
                  • String ID:
                  • API String ID: 22681860-0
                  • Opcode ID: 776a183553405c4c43ceb864658ffbc1a81acc40810f35755a2cae1fe01c8930
                  • Instruction ID: 1b270675c6a4aa6c8a4384a71d8747e7ba7d0770957a6a303190dcaea2f0d0c0
                  • Instruction Fuzzy Hash: E301847290120ABBDB20EF64CC45FEF77ACEF84B14F154419BA41A7280DAB5FD059764
                  APIs
                  Yara matches
                  Similarity
                  • API ID: RectWindow$CursorFromPoint
                  • String ID:
                  • API String ID: 3445796726-0
                  • Opcode ID: e42836035849e77505f4957cf146f6bf8b236ccc5638235bfe8a94f2b81e12a0
                  • Instruction ID: 0aef8d5d63bf95f158449fed0f0ed9897fc99c19e2aa7539db3d3fc9138067e5
                  • Instruction Fuzzy Hash: 16110A71E0024AAF8F109FA5D9899EFFBF9FF88354B10442AE586E2150DB759A01DB60
                  APIs
                  • GetClientRect.USER32(?,?), ref: 00FD04A7
                  • GetSystemMetrics.USER32(0000002D), ref: 00FD04BB
                  • GetSystemMetrics.USER32(00000002), ref: 00FD04C3
                  • SendMessageA.USER32(?,0000101E,00000000,00000000), ref: 00FD04DB
                  Yara matches
                  Similarity
                  • API ID: MetricsSystem$ClientMessageRectSend
                  • String ID:
                  • API String ID: 2251314529-0
                  • Opcode ID: 8df5a6c7194f52541b85d527914bcaf7a1f7e815baf6c43f392c805f8a1936eb
                  • Instruction ID: 76d5f9bb51f71c9ad261ed4a511ae6d25f29e50c75b50512ba60c8011cde5a5b
                  • Instruction Fuzzy Hash: 95016572E00204AFCB20DFB9D958AAE7BF5FB48314F15416AE945E7285DA759D00CB60
                  APIs
                  • SetActiveWindow.USER32(?), ref: 00FAE879
                  • DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00FAE892
                  • DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 00FAE8C5
                  • DragFinish.SHELL32(?), ref: 00FAE8ED
                  Yara matches
                  Similarity
                  • API ID: Drag$FileQuery$ActiveFinishWindow
                  • String ID:
                  • API String ID: 892977027-0
                  • Opcode ID: 323d12955f34a9042dda2cd8063c67bb97df09dfafaf5da777e3e73a8babd594
                  • Instruction ID: 3c9d5a423fd2c119debc88bb07a095bc4be8899f9a482beff75816cefe5555d8
                  • Instruction Fuzzy Hash: 3D117071D00118ABCB20AB64DC45FDEB7B9FF59310F104595F695A7181CBB9AD80CF90
                  APIs
                  • GetStockObject.GDI32(00000011), ref: 00FD303F
                  • _memset.LIBCMT ref: 00FD3055
                  • GetObjectA.GDI32(?,0000003C,?), ref: 00FD3066
                  • CreateFontIndirectA.GDI32(?), ref: 00FD3077
                  Yara matches
                  Similarity
                  • API ID: Object$CreateFontIndirectStock_memset
                  • String ID:
                  • API String ID: 1064234985-0
                  • Opcode ID: 357a3e006aaad49dcf8ea57fe546466d758a56e8d55eedfaedf1d9b8745659e2
                  • Instruction ID: 36861912202a23ea195aa2ba8d261ff3c2d163f0ddf148faae670803e239603f
                  • Instruction Fuzzy Hash: FA012672A01508EFC710ABA4CC0DBEEB7A9BB44B44F14001AF601E3280DF75AE02D7D1
                  APIs
                  • GetTopWindow.USER32(?), ref: 00F8E787
                  • GetTopWindow.USER32(00000000), ref: 00F8E7C6
                  • GetWindow.USER32(00000000,00000002), ref: 00F8E7E4
                  Yara matches
                  Similarity
                  • API ID: Window
                  • String ID:
                  • API String ID: 2353593579-0
                  • Opcode ID: cb93511ad75031608aca2c90ef5c77fda2fdcce51ea39b35ccc63c09cc489a03
                  • Instruction ID: 202f88640ab50e2de1ad56ace5b62cb71510481a6eb8f9684938c4e8eafce985
                  • Instruction Fuzzy Hash: 2B01043240111ABBCF226FA19C45EDF3B6ABF89761F084014FE6465061C73AC931FBA1
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FBC579
                  • IsRectEmpty.USER32(?), ref: 00FBC59B
                    • Part of subcall function 010129E3: __EH_prolog3.LIBCMT ref: 010129EA
                    • Part of subcall function 010129E3: CreateCompatibleDC.GDI32(?), ref: 01012A4D
                    • Part of subcall function 010129E3: CreateCompatibleBitmap.GDI32(?,?,?), ref: 01012A7F
                    • Part of subcall function 010129E3: SelectObject.GDI32(?,00000000), ref: 01012ADD
                  • IsRectEmpty.USER32(?), ref: 00FBC5DF
                  • FillRect.USER32(?,?), ref: 00FBC5F6
                  Yara matches
                  Similarity
                  • API ID: Rect$CompatibleCreateEmptyH_prolog3$BitmapFillObjectSelect
                  • String ID:
                  • API String ID: 1042983850-0
                  • Opcode ID: 002232da7e6810cd378b3fe2715cb2d22273a561987aae1cdda87b87371789ec
                  • Instruction ID: 0c8bf9483cf56eda027a09088af89ed789145e70a0542f4c26bfe7a40e85c914
                  • Instruction Fuzzy Hash: BA114C3150010BEBDF20EFA0DC55EEE3B79BB24325F140219E5A1A20D4DB3AAA04EF90
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000), ref: 00F83268
                  • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00F83277
                  • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 00F8328F
                  • SysFreeString.OLEAUT32(?), ref: 00F83298
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiStringWide$AllocFree
                  • String ID:
                  • API String ID: 447844807-0
                  • Opcode ID: 066e3d9a5dd5bd942737b786af2cc86bc0156367980f092989db06c7bf71f71b
                  • Instruction ID: 425cf55591ee57f2ed8c9a8167011dbe44ef194dc54d2e8b8ce4cb4e97853aef
                  • Opcode Fuzzy Hash: 066e3d9a5dd5bd942737b786af2cc86bc0156367980f092989db06c7bf71f71b
                  • Instruction Fuzzy Hash: 3D016272900109BFEF219F95CC89DEE7BADEB447B4B248129FA1486054D6319F41EB60
                  APIs
                  • InflateRect.USER32(?,00000002,00000002), ref: 00F9D1C4
                  • InvalidateRect.USER32(?,?,00000001), ref: 00F9D1D5
                  • UpdateWindow.USER32(?), ref: 00F9D1DE
                  • SetRectEmpty.USER32(?), ref: 00F9D1EB
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Rect$EmptyInflateInvalidateUpdateWindow
                  • String ID:
                  • API String ID: 3040190709-0
                  • Opcode ID: bb0afad1b9eadddaae7f9b8e3c1bf649bc48df5781a0ff9ca72a90bc89f50bd2
                  • Instruction ID: d7872ad8a0d14fa9d462af7c3fd1eb59c2b58825bec8d7abb17363d44e050fb1
                  • Opcode Fuzzy Hash: bb0afad1b9eadddaae7f9b8e3c1bf649bc48df5781a0ff9ca72a90bc89f50bd2
                  • Instruction Fuzzy Hash: F70196715001059BDB10DF98D989ADA7BB8FB09324F110265ED56DF095CF719505CF60
                  APIs
                  • InvalidateRect.USER32(?,?,00000001,?,?,00FD2F9A), ref: 00FD2BA1
                  • InvalidateRect.USER32(?,?,00000001), ref: 00FD2BC2
                  • InvalidateRect.USER32(?,?,00000001,00000000), ref: 00FD2BE7
                  • UpdateWindow.USER32(?), ref: 00FD2BF7
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: InvalidateRect$UpdateWindow
                  • String ID:
                  • API String ID: 488614814-0
                  • Opcode ID: 426c8988eeeba5471ec06f19e91984914d549960944fb3d0fcccc6fa4de7fd07
                  • Instruction ID: f4cf4d49eb1c26d93c713c17cf1ea04b761134278da7b37877db00742265a44d
                  • Opcode Fuzzy Hash: 426c8988eeeba5471ec06f19e91984914d549960944fb3d0fcccc6fa4de7fd07
                  • Instruction Fuzzy Hash: C8010072504600DFE7658F29DC80F96B7F6FF58310F19055AE199972A1D7B1EC40DB50
                  APIs
                  • FindResourceA.KERNEL32(?,?,000000F0), ref: 00F91087
                  • LoadResource.KERNEL32(?,00000000), ref: 00F91093
                  • LockResource.KERNEL32(00000000), ref: 00F910A0
                  • FreeResource.KERNEL32(00000000,00000000), ref: 00F910BC
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 3c96fb00e0eda1c5263c0364eea5a49c3682f3b11bf57b9b56d31748fe9891fc
                  • Instruction ID: ff526ef2873e01d86eb32d4dd85234e412d9ba1b85eba759a986d2debcb2a2bd
                  • Opcode Fuzzy Hash: 3c96fb00e0eda1c5263c0364eea5a49c3682f3b11bf57b9b56d31748fe9891fc
                  • Instruction Fuzzy Hash: 14F0AF33A006426BAB215EE58C889ABB6ACFF84775B058039FA05D3250DE7ACD449B60
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FBF017
                  • FillRect.USER32(?,?), ref: 00FBF032
                  • CreateSolidBrush.GDI32(000000FF), ref: 00FBF04D
                  • FillRect.USER32(00000000,00000000,00000000), ref: 00FBF066
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: FillRect$BrushCreateH_prolog3Solid
                  • String ID:
                  • API String ID: 1242064992-0
                  • Opcode ID: 2f84f6c1f36c607fdb602866683d78e101e72b0e55dfc4303aa470caa84a3d3a
                  • Instruction ID: d0ee2cdb558f15525406a1a5dac41ec568b336514d50e52e3bb3f95a5c3984cf
                  • Opcode Fuzzy Hash: 2f84f6c1f36c607fdb602866683d78e101e72b0e55dfc4303aa470caa84a3d3a
                  • Instruction Fuzzy Hash: 0C11927180020AEFDF21EF90CD05AEE7B75FF14365F004219F4A1621A4CB3A5A25EFA1
                  APIs
                  • ScreenToClient.USER32(?,?), ref: 00FDACEE
                  • PtInRect.USER32(?,?,?), ref: 00FDAD01
                  • SetCapture.USER32(?), ref: 00FDAD0E
                  • RedrawWindow.USER32(?,00000000,00000000,00000401,00000000), ref: 00FDAD2D
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: CaptureClientRectRedrawScreenWindow
                  • String ID:
                  • API String ID: 2178243973-0
                  • Opcode ID: e70fc02dc42e5f06fb2d3dc5494b0b68d3a2a9a4573ae786350626dc945093ea
                  • Instruction ID: 5c4a359ee9cfa6d747bda727863d2f31ea06fe3da0c9215a7d6ffd22aa7698de
                  • Opcode Fuzzy Hash: e70fc02dc42e5f06fb2d3dc5494b0b68d3a2a9a4573ae786350626dc945093ea
                  • Instruction Fuzzy Hash: 0D014B71900608AFDB21AFA0CD49B9EBBF9FF08304F004419F586A2250EBB9A9009B50
                  APIs
                  • GetKeyboardState.USER32(?), ref: 00FC0679
                  • GetKeyboardLayout.USER32(?), ref: 00FC0697
                  • MapVirtualKeyA.USER32(?,00000000), ref: 00FC06B3
                  • ToAsciiEx.USER32(?,00000000), ref: 00FC06BD
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Keyboard$AsciiException@8LayoutStateThrowVirtual
                  • String ID:
                  • API String ID: 1136512886-0
                  • Opcode ID: 530a6ce52f26bbc83fad1e1f3eb3a3f95e8f7d37539a5c653deca532d50e88d4
                  • Instruction ID: 19f69d0e2cededad235c38994dfcfc45fbb1815c496d7cfa2cc033a8851a9b85
                  • Opcode Fuzzy Hash: 530a6ce52f26bbc83fad1e1f3eb3a3f95e8f7d37539a5c653deca532d50e88d4
                  • Instruction Fuzzy Hash: 09016971A00108ABEB20AFA0DC49BEA7BACBF58304F1040A9B686D6084DE759A84DF54
                  APIs
                  • FindResourceA.KERNEL32(?,?,00000005), ref: 00F869B0
                  • LoadResource.KERNEL32(?,00000000), ref: 00F869B8
                  • LockResource.KERNEL32(00000000), ref: 00F869C5
                  • FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00F869DD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 9b7eddbacad84a4ae47f96deae1923cd1b8f46beec3b5ea5f1a4d16d21aa4e8f
                  • Instruction ID: 6f6b637227b9e964374d49419da06da5433c56406938cc1f547dd7d20d2ef8e3
                  • Opcode Fuzzy Hash: 9b7eddbacad84a4ae47f96deae1923cd1b8f46beec3b5ea5f1a4d16d21aa4e8f
                  • Instruction Fuzzy Hash: D0F0B432500610BBC7216FE59C4CCDFBB6CEF896617018059F545D3250EA798D019760
                  APIs
                  • EnableWindow.USER32(?,00000001), ref: 00F86920
                  • GetActiveWindow.USER32 ref: 00F8692B
                  • SetActiveWindow.USER32(?,?,00000024,00FEBCF9,?,?,?), ref: 00F86939
                  • FreeResource.KERNEL32(?,?,00000024,00FEBCF9,?,?,?), ref: 00F86955
                    • Part of subcall function 00F91366: EnableWindow.USER32(?,?), ref: 00F91377
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$ActiveEnable$FreeResource
                  • String ID:
                  • API String ID: 253586258-0
                  • Opcode ID: bf34ad8b8a83c2cab04a549e509215ca42d3a1eeabfeeeb3d0f3fa6f4a31b6e7
                  • Instruction ID: 763115a7ed5ebcdd930c41b7e121f091ad1a1e5cf2886a8aa42900709013b5b9
                  • Opcode Fuzzy Hash: bf34ad8b8a83c2cab04a549e509215ca42d3a1eeabfeeeb3d0f3fa6f4a31b6e7
                  • Instruction Fuzzy Hash: A1F0FF30E00A05CBDF22AF64C9559EDB7B1BF48756F604518E582B2295CB3B5D40DF51
                  APIs
                    • Part of subcall function 00F91324: ShowWindow.USER32(00000000,?,?,00F84876,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 00F91335
                  • UpdateWindow.USER32(?), ref: 010641B1
                  • UpdateWindow.USER32(?), ref: 010641BD
                  • SetRectEmpty.USER32(?), ref: 010641C9
                  • SetRectEmpty.USER32(?), ref: 010641D2
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$EmptyRectUpdate$Show
                  • String ID:
                  • API String ID: 1262231214-0
                  • Opcode ID: af6837282511f65976d689f121e0d714d8462f95b0f963ebc1fdb747ab908c64
                  • Instruction ID: 5aa7f4ed320c29cc3dbf5b2c7affe7f2d9a8355bf2b43da83c7a3a9fdf54b992
                  • Opcode Fuzzy Hash: af6837282511f65976d689f121e0d714d8462f95b0f963ebc1fdb747ab908c64
                  • Instruction Fuzzy Hash: CEF01C32300A149BE731AB29DC00F8BBBE9BF84715F0A0569E6D4D7564CB75E805CB60
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: EmptyRect
                  • String ID:
                  • API String ID: 2270935405-0
                  • Opcode ID: 38ee788717f71eac6954b01aa690fa7fcf6dc79f7d5085ee59cab51db373eb95
                  • Instruction ID: b2188e887147fc6c9baa58c57f70798a4b7a9aba35e2d675597d5a0eff3e6186
                  • Opcode Fuzzy Hash: 38ee788717f71eac6954b01aa690fa7fcf6dc79f7d5085ee59cab51db373eb95
                  • Instruction Fuzzy Hash: 3CE0C9B64007199AD730AB6AE845AC7B3ECAF84314F11091EE582C3518DA79F589CF50
                  APIs
                    • Part of subcall function 00FB2A55: GetModuleHandleA.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,01019775), ref: 00FB2ACC
                    • Part of subcall function 00FB2A55: GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00FB2ADC
                    • Part of subcall function 00F9A720: __EH_prolog3.LIBCMT ref: 00F9A727
                  • GetWindowRect.USER32(?,?), ref: 00FB2E8E
                  • SetWindowRgn.USER32(?,00000000,00000001), ref: 00FB2EDB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: Window$AddressH_prolog3HandleModuleProcRect
                  • String ID:
                  • API String ID: 2106468464-3916222277
                  • Opcode ID: db447a102233f0cf866a4f54e6a674ca3798288109456bb0bc58878b1a0c7048
                  • Instruction ID: 4fc767a48c5615a240f6d8e7f894e1c7570adab7839919a2ffc6728f9b317bd7
                  • Opcode Fuzzy Hash: db447a102233f0cf866a4f54e6a674ca3798288109456bb0bc58878b1a0c7048
                  • Instruction Fuzzy Hash: D5515A31A00708EFCB62DF66C8449EEBBF5FF98350F10452EE89A96210DB349940EF50
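The API clusters in the blocks above (GetKeyboardState/GetKeyboardLayout/MapVirtualKeyA/ToAsciiEx at 00FC0679, FindResourceA/LoadResource/LockResource at 00F869B0 and 00F91087, and GetModuleHandleA("DWMAPI")/GetProcAddress("DwmInvalidateIconicBitmaps") reached via subcall 00FB2A55) are exactly what a triage script can pull out of this listing without reading every block by hand. The following is an added example, not code from the Joe Sandbox report or from the sample: a parser for the "• API.MODULE(args), ref: addr" and "Part of subcall function" line shapes used above, plus three behaviour rules. The rule names, the alternative-API groups and the three-block sample text (copied from this report's listing) are my assumptions. One caveat worth keeping in mind: the Afx:%p:%x and Afx:ToolBar strings and the __EH_prolog3 calls around these functions mark MFC runtime code, so a keystroke-translation hit in this region is consistent with ordinary GUI key handling and is not on its own evidence of a keylogger; the script therefore reports whether every matched API is the function's own call or only reached through a subcall, which is the first thing to check before escalating a hit.

```python
import re
from collections import Counter

# One API line of the Joe Sandbox "IDA Plugin" listing. Two shapes occur on this page:
#   • GetKeyboardState.USER32(?), ref: 00FC0679
#   • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_@]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Behaviour rules (assumed names, not Joe Sandbox's): a rule fires when every group
# contributes at least one API name; tuples list alternatives such as A/W variants.
RULES = {
    "keystroke translation": [
        ("GetKeyboardState",),
        ("ToAsciiEx", "ToAscii", "ToUnicodeEx", "ToUnicode"),
    ],
    "dynamic API resolution": [
        ("GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"),
        ("GetProcAddress",),
    ],
    "embedded resource access": [
        ("FindResourceA", "FindResourceW"),
        ("LoadResource",),
        ("LockResource",),
    ],
}

# Constructed sample: three "APIs" blocks copied from this report's listing.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00FC0679
• GetKeyboardLayout.USER32(?), ref: 00FC0697
• MapVirtualKeyA.USER32(?,00000000), ref: 00FC06B3
• ToAsciiEx.USER32(?,00000000), ref: 00FC06BD
  • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
Memory Dump Source
APIs
• FindResourceA.KERNEL32(?,?,00000005), ref: 00F869B0
• LoadResource.KERNEL32(?,00000000), ref: 00F869B8
• LockResource.KERNEL32(00000000), ref: 00F869C5
• FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00F869DD
Memory Dump Source
APIs
  • Part of subcall function 00FB2A55: GetModuleHandleA.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,01019775), ref: 00FB2ACC
  • Part of subcall function 00FB2A55: GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00FB2ADC
  • Part of subcall function 00F9A720: __EH_prolog3.LIBCMT ref: 00F9A727
• GetWindowRect.USER32(?,?), ref: 00FB2E8E
• SetWindowRgn.USER32(?,00000000,00000001), ref: 00FB2EDB
Memory Dump Source
"""


def parse_listing(text):
    """Split the listing into per-function blocks. A block starts at an 'APIs' header
    and ends at 'Memory Dump Source'; each call records whether it is the function's
    own call or one the plugin reported from a subcall."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"calls": []}
            blocks.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = API_RE.match(line) if current is not None else None
        if m:
            current["calls"].append({
                "api": m["api"],
                "module": m["mod"],
                "args": [a.strip() for a in m["args"].split(",")] if m["args"] else [],
                "ref": int(m["ref"], 16),
                "subcall_of": int(m["sub"], 16) if m["sub"] else None,
            })
    return blocks


def evaluate(blocks):
    """Apply RULES to each block. Returns (block_index, rule, matched_apis, direct_only);
    direct_only is False when any matched API was only reached through a subcall."""
    hits = []
    for idx, block in enumerate(blocks):
        names = {c["api"] for c in block["calls"]}
        direct = {c["api"] for c in block["calls"] if c["subcall_of"] is None}
        for rule, groups in RULES.items():
            matched = [next((n for n in group if n in names), None) for group in groups]
            if all(matched):
                hits.append((idx, rule, tuple(matched), all(n in direct for n in matched)))
    return hits


def string_arguments(blocks):
    """Arguments the listing kept as text rather than '?' or a hex literal, e.g. the
    module and export names passed to GetModuleHandleA/GetProcAddress."""
    found = Counter()
    for block in blocks:
        for c in block["calls"]:
            for a in c["args"]:
                if a and a != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", a):
                    found[(c["api"], a)] += 1
    return found


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for idx, rule, apis, direct_only in evaluate(parsed):
        refs = ", ".join(f"{c['ref']:08X}" for c in parsed[idx]["calls"] if c["api"] in apis)
        print(f"block {idx}: {rule} via {'+'.join(apis)} at {refs} (direct calls only: {direct_only})")
    for (api, arg), n in string_arguments(parsed).items():
        print(f"string argument: {api}({arg}) x{n}")
```

Run against the full report text instead of SAMPLE to get one line per matching function; the string_arguments output is where dynamically resolved export names such as DwmInvalidateIconicBitmaps surface, which is the cheap way to see what a GetProcAddress-based loader is actually looking up.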
                  APIs
                  • __EH_prolog3.LIBCMT ref: 01030715
                    • Part of subcall function 00FAA658: __EH_prolog3.LIBCMT ref: 00FAA65F
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$Exception@8Throw
                  • String ID: %c%c$0%d
                  • API String ID: 2489616738-1309594724
                  • Opcode ID: ed162d3f4a3b73c6a15cf83c91fcb85ded9f63610f955df0c35dd151973ed245
                  • Instruction ID: b7b639415051a980dafa980c4e722b2a42299843ce6c666452abd2b2145ee2f5
                  • Opcode Fuzzy Hash: ed162d3f4a3b73c6a15cf83c91fcb85ded9f63610f955df0c35dd151973ed245
                  • Instruction Fuzzy Hash: 2451B4B0A01B458FCB65DFA8C880ADABBE0BF48304F50496FE5AE97341D730B845DB61
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 00FB6E0A
                  • SystemParametersInfoA.USER32(00000026,00000000,?,00000000), ref: 00FB6EA7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoParametersRectSystemWindow
                  • String ID:
                  • API String ID: 85510744-3916222277
                  • Opcode ID: 84cb8748f91f250133241fa137aaa6f102ebb4b40d1bea442ed97831c75d55f6
                  • Instruction ID: 83cab211a490d83d8e79a3f89935b1e57be2dfa78fc1dd391b1ce28f0d89abd6
                  • Opcode Fuzzy Hash: 84cb8748f91f250133241fa137aaa6f102ebb4b40d1bea442ed97831c75d55f6
                  • Instruction Fuzzy Hash: 61411C75A00608EFCB25DF65C8849EEBBF5FF88350F10842EE85A96250DB759A84DF50
                  APIs
                  • GetWindowRect.USER32(?,?), ref: 010210C7
                  • KillTimer.USER32(?,00000002), ref: 010210F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: KillRectTimerWindow
                  • String ID:
                  • API String ID: 1987732032-3916222277
                  • Opcode ID: f307215624a90b63177efb78b6800cf64a4c087f6415552eb438a0e1095509ee
                  • Instruction ID: 6668fcc287b4f635443d0750aee3893407de9ce740365867ed4d022afe612a82
                  • Opcode Fuzzy Hash: f307215624a90b63177efb78b6800cf64a4c087f6415552eb438a0e1095509ee
                  • Instruction Fuzzy Hash: ED31A331A046569FCB60DF68C8C4AEEBBF5FF88301F11056EE59A97241DB78A841CF90
                  APIs
                    • Part of subcall function 00F96D6F: LeaveCriticalSection.KERNEL32(?,?,00F921B4,00000010,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D8A
                  • __CxxThrowException@8.LIBCMT ref: 00F90A5D
                    • Part of subcall function 01078515: RaiseException.KERNEL32(00F81861,00000000,31AAD7C2,010C06A0,00F81861,00000000,010D56CC,00000000,31AAD7C2), ref: 01078557
                  • __snwprintf_s.LIBCMT ref: 00F90AAE
                  • __snwprintf_s.LIBCMT ref: 00F90AE0
                    • Part of subcall function 010768CC: __getptd_noexit.LIBCMT ref: 010768CC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: __snwprintf_s$CriticalExceptionException@8LeaveRaiseSectionThrow__getptd_noexit
                  • String ID: Afx:%p:%x
                  • API String ID: 730118740-3201128726
                  • Opcode ID: c71e68bcc0c32a10cb8b20b5c3db41b8ae04ac13659c0926dbc860b91b742580
                  • Instruction ID: 60ccc323eeadabeefdba2454755e3f7e334f0085ec00ee8242db8cfead17f339
                  • Opcode Fuzzy Hash: c71e68bcc0c32a10cb8b20b5c3db41b8ae04ac13659c0926dbc860b91b742580
                  • Instruction Fuzzy Hash: 96216BB1D003099FEF51EF69C841ADEBBF4EF58320F104056E814E7212DA758940DBA5
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4140206285.0000000000F81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F80000, based on PE: true
                   • Associated: 00000000.00000002.4140190529.0000000000F80000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140282213.0000000001099000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140315734.00000000010D9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140331946.00000000010DE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140351429.00000000010F1000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4140367800.00000000010F8000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_f80000_2.jbxd
                  Yara matches
                  Similarity
                  • API ID: EmptyH_prolog3_Rect
                  • String ID: Afx:ToolBar
                  • API String ID: 2941628838-177727192
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FA2978
                    • Part of subcall function 01008548: __EH_prolog3.LIBCMT ref: 0100854F
                    • Part of subcall function 00F912A0: GetDlgCtrlID.USER32(?), ref: 00F912A9
                  Strings
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$Ctrl
                  • String ID: %sMFCToolBar-%d$%sMFCToolBar-%d%x
                  • API String ID: 3879667756-3776508225
                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0100511A
                    • Part of subcall function 00F8A47C: ActivateActCtx.KERNEL32(?), ref: 00F8A49F
                  • _memset.LIBCMT ref: 01005174
                    • Part of subcall function 00F89BB4: DeactivateActCtx.KERNEL32(00000000,?,00F8BF7C), ref: 00F89BBE
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ActivateDeactivateH_prolog3_catch_memset
                  • String ID: d
                  • API String ID: 1157175656-2564639436
                  APIs
                  • _memset.LIBCMT ref: 010066AA
                  • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 010066D7
                    • Part of subcall function 00F8C8AD: SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00F8C8D2
                    • Part of subcall function 00F8C8AD: GetKeyState.USER32(00000001), ref: 00F8C8E7
                  Strings
                  Yara matches
                  Similarity
                  • API ID: MessageSend$State_memset
                  • String ID: ,
                  • API String ID: 930327405-3772416878
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FCEFEB
                    • Part of subcall function 00F9897D: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00F989A0
                    • Part of subcall function 00FCF57A: __EH_prolog3.LIBCMT ref: 00FCF581
                    • Part of subcall function 00FCF5B7: __EH_prolog3.LIBCMT ref: 00FCF5BE
                    • Part of subcall function 00FCF5B7: __fassign.LIBCMT ref: 00FCF6A1
                  Strings
                  Yara matches
                  Similarity
                  • API ID: H_prolog3$ByteCharMultiWide__fassign
                  • String ID: MFCShellListCtrl_EnableShellContextMenu$TRUE
                  • API String ID: 1708987901-1509083621
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CopyInfoMonitorRect
                  • String ID: (
                  • API String ID: 2119610155-3887548279
                  APIs
                  • SendMessageA.USER32(?,00001200,00000000,00000000), ref: 00FCE8A6
                  • SendMessageA.USER32(00000000,0000101C,00000000,00000000), ref: 00FCE8BB
                  Strings
                  Yara matches
                  Similarity
                  • API ID: MessageSend
                  • String ID: Name
                  • API String ID: 3850602802-4262580536
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FD7304
                    • Part of subcall function 00F8F062: GetWindowTextLengthA.USER32(?), ref: 00F8F073
                    • Part of subcall function 00F8F062: GetWindowTextA.USER32(?,00000000,00000001), ref: 00F8F08A
                  • SysAllocString.OLEAUT32(PropertyList), ref: 00FD7343
                  Strings
                  Yara matches
                  Similarity
                  • API ID: TextWindow$AllocH_prolog3LengthString
                  • String ID: PropertyList
                  • API String ID: 3872802996-1939653111
                  APIs
                  • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00F83018
                  • PathFindExtensionA.SHLWAPI(?), ref: 00F8302E
                    • Part of subcall function 00F82E21: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00F82E66
                    • Part of subcall function 00F82E21: _memset.LIBCMT ref: 00F82E92
                    • Part of subcall function 00F82E21: _wcstoul.LIBCMT ref: 00F82EDA
                    • Part of subcall function 00F82E21: _wcslen.LIBCMT ref: 00F82EFB
                    • Part of subcall function 00F82E21: GetUserDefaultUILanguage.KERNEL32 ref: 00F82F0B
                    • Part of subcall function 00F82E21: ConvertDefaultLocale.KERNEL32(?), ref: 00F82F32
                    • Part of subcall function 00F82E21: ConvertDefaultLocale.KERNEL32(?), ref: 00F82F41
                    • Part of subcall function 00F82E21: GetSystemDefaultUILanguage.KERNEL32 ref: 00F82F4A
                    • Part of subcall function 00F82E21: ConvertDefaultLocale.KERNEL32(?), ref: 00F82F66
                    • Part of subcall function 00F82E21: ConvertDefaultLocale.KERNEL32(?), ref: 00F82F75
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Default$ConvertLocale$Language$AddressExtensionFileFindModuleNamePathProcSystemUser_memset_wcslen_wcstoul
                  • String ID: %s%s.dll
                  • API String ID: 1415830068-1649984862
                  APIs
                  • __EH_prolog3.LIBCMT ref: 00FE6A48
                  • RegisterClipboardFormatA.USER32(00000010), ref: 00FE6A91
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ClipboardFormatH_prolog3Register
                  • String ID: ToolbarButton%p
                  • API String ID: 1070914459-899657487
                  APIs
                  • EnterCriticalSection.KERNEL32(?), ref: 00F925DF
                  • LeaveCriticalSection.KERNEL32(?), ref: 00F925EF
                  • LocalFree.KERNEL32(?), ref: 00F925F8
                  • TlsSetValue.KERNEL32(?,00000000), ref: 00F9260A
                  Yara matches
                  Similarity
                  • API ID: CriticalSection$EnterFreeLeaveLocalValue
                  • String ID:
                  • API String ID: 2949335588-0
                  APIs
                  • EnterCriticalSection.KERNEL32(010F2290,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D37
                  • InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D49
                  • LeaveCriticalSection.KERNEL32(010F2290,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D56
                  • EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00F9219A,00000010,00000008,00F8A460,00F8A3F7,00F843A7,00F83614,00000214,00F8101B), ref: 00F96D66
                    • Part of subcall function 00F879AD: __CxxThrowException@8.LIBCMT ref: 00F879C3
                  Yara matches
                  Similarity
                  • API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
                  • String ID:
                  • API String ID: 3253506028-0
                  APIs
                  • EnterCriticalSection.KERNEL32(010F1E48,?,?,00000000,?,00F926DA,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92121
                  • TlsGetValue.KERNEL32(010F1E2C,?,?,00000000,?,00F926DA,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92135
                  • LeaveCriticalSection.KERNEL32(010F1E48,?,?,00000000,?,00F926DA,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F9214B
                  • LeaveCriticalSection.KERNEL32(010F1E48,?,?,00000000,?,00F926DA,?,00000004,00F8A441,00F843A7,00F83614,00000214,00F8101B), ref: 00F92156
                  Yara matches
                  Similarity
                  • API ID: CriticalSection$Leave$EnterValue
                  • String ID:
                  • API String ID: 3969253408-0