
Windows Analysis Report
hhcqxkb.exe

Overview

General Information

Sample name: hhcqxkb.exe
Analysis ID: 1590856
MD5: 650d2ff4c186fbbc65cd5d4a8fb8911e
SHA1: 13a0bde0732ce802e91df36c70b54afe6dd67f6f
SHA256: 4ec6425bb2c3b0c9c33679ca134418f385437f9f6fc89bcce8668d07e6c4c23a
Tags: exe, malware, trojan, user-Joker

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to infect the boot sector
Machine Learning detection for sample
PE file has a writeable .text section
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • hhcqxkb.exe (PID: 4596 cmdline: "C:\Users\user\Desktop\hhcqxkb.exe" MD5: 650D2FF4C186FBBC65CD5D4A8FB8911E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: hhcqxkb.exe PID: 4596 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

    Source: hhcqxkb.exe  Virustotal: Detection: 50%
    Source: hhcqxkb.exe  ReversingLabs: Detection: 36%
    Source: Submitted Sample  Integrated Neural Analysis Model: Matched 99.8% probability
    Source: hhcqxkb.exe  Joe Sandbox ML: detected
    Source: hhcqxkb.exe  Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
    Source: Binary string: krnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\y\*dat\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\.*r\Ap source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\kies\emp\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006CF5000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002740000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl\tkrnlmp.pdb\a source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006DF6000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\.*dobe\0s3s source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007191000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\y\at\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C85000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\A source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C85000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\*.* source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\me\Use!? source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\blob_storage\921a1560-5524-44c0-8495-fce7014dcfba\*.pdb\\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\6_110794397\. source: hhcqxkb.exe, 00000000.00000002.4703353558.00000000070ED000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\cal Settings\Application Data\Application Data\Application Data\Packages\Microsoft.People_8wekyb3d8bbwe\AC\Temp\stant\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006CF5000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: OC:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\.*q source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: ;C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002822000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\8< source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ies\mp\!+ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C85000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: tkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006DF6000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\17691134\.1e source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: p.pdb\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006DF6000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\e\*.** source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\17691134\. source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tings\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C85000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\kies\emp\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ation DaAb source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ies\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr\*.pdb\\A source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\17691134\..! source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\*.*roa source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: cuments and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006CF5000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: lication Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006E48000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\y\**\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\1\*.*r\Lo!V source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\\l\A source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\AC\cuments and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006CF5000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007191000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\on Dat source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\*.*\L source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: .pdb\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp, hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\e\*.** source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Sync Data\lication Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\s\p\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006E48000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002822000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\.\\\a/ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\p.pdb\\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006DF6000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\y\**\Q* source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_CN\krnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ineer\Ap source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\1\..\ Dataa source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\a source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.00000000070ED000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: z:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: x:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: v:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: t:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: r:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: p:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: n:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: l:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: j:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: h:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: f:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: b:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: y:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: w:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: u:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: s:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: q:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: o:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: m:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: k:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: i:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: g:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: e:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File opened: a:
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0040A48C FindFirstFileA,GetLastError,0_2_0040A48C
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0040A20A FindFirstFileA,FindClose,0_2_0040A20A
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0040A20C FindFirstFileA,FindClose,0_2_0040A20C
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_004AE374 FindFirstFileW,FindFirstFileA,FindClose,0_2_004AE374
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_004065A4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_004065A4
    Source: global traffic | TCP traffic: 192.168.2.6:58852 -> 1.1.1.1:53
    Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
    Source: hhcqxkb.exe | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
    Source: hhcqxkb.exe | String found in binary or memory: http://crl.globalsign.net/root.crl0
    Source: hhcqxkb.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
    Source: hhcqxkb.exe | String found in binary or memory: http://s.symcd.com06
    Source: hhcqxkb.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
    Source: hhcqxkb.exe | String found in binary or memory: http://s2.symcb.com0
    Source: hhcqxkb.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
    Source: hhcqxkb.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0f
    Source: hhcqxkb.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0
    Source: hhcqxkb.exe | String found in binary or memory: http://sf.symcd.com0&
    Source: hhcqxkb.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0f
    Source: hhcqxkb.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
    Source: hhcqxkb.exe | String found in binary or memory: http://sv.symcd.com0&
    Source: hhcqxkb.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
    Source: hhcqxkb.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
    Source: hhcqxkb.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
    Source: hhcqxkb.exe | String found in binary or memory: http://www.360.cn
    Source: hhcqxkb.exe, 00000000.00000003.2235571986.0000000002690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.indyproject.org/
    Source: hhcqxkb.exe | String found in binary or memory: http://www.symauth.com/cps0(
    Source: hhcqxkb.exe | String found in binary or memory: http://www.symauth.com/rpa00
    Source: hhcqxkb.exe | String found in binary or memory: https://d.symcb.com/cps0%
    Source: hhcqxkb.exe | String found in binary or memory: https://d.symcb.com/rpa0
    Source: hhcqxkb.exe | String found in binary or memory: https://d.symcb.com/rpa0.
    Source: hhcqxkb.exe | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: hhcqxkb.exe | String found in binary or memory: https://www.globalsign.com/repository/03
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0043D240 GlobalAlloc,GlobalLock,SetClipboardData,GlobalUnlock,0_2_0043D240
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0043D530 SetClipboardData,SetClipboardData,0_2_0043D530
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0043D5B4 SetClipboardData,SetClipboardData,0_2_0043D5B4
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0043D344 EnumClipboardFormats,GetClipboardData,GetClipboardData,EnumClipboardFormats,0_2_0043D344
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0042F31C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,0_2_0042F31C
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0044CE2C GetKeyboardState,0_2_0044CE2C
    Source: Yara match | File source: Process Memory Space: hhcqxkb.exe PID: 4596, type: MEMORYSTR

    Operating System Destruction

    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0051EC44 CreateFileA on filename \\.\PhysicalDrive0 0_2_0051EC44
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0051EDC4 CreateFileA on filename \\.\PhysicalDrive0 0_2_0051EDC4

    System Summary

    Source: hhcqxkb.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00450BE4 SetWindowPos,NtdllDefWindowProc_A,GetCapture,0_2_00450BE4
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00469650 NtdllDefWindowProc_A,0_2_00469650
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0043C17C NtdllDefWindowProc_A,0_2_0043C17C
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00444B2C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_00444B2C
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00469DB4 SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00469DB4
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00469E94 SetActiveWindow,ShowWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00469E94
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0051EC44: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,0_2_0051EC44
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00462170 0_2_00462170
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_004B24F8 0_2_004B24F8
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00444B2C 0_2_00444B2C
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00480C98 0_2_00480C98
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00484D50 0_2_00484D50
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00494F00 0_2_00494F00
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0048D15C 0_2_0048D15C
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00509144 0_2_00509144
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_004A92D0 0_2_004A92D0
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00509404 0_2_00509404
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_004A14B8 0_2_004A14B8
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_004815C8 0_2_004815C8
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_005097C8 0_2_005097C8
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00521A44 0_2_00521A44
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00471C38 0_2_00471C38
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00405E6C 0_2_00405E6C
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_004023CC 0_2_004023CC
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00502468 0_2_00502468
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0051E610 0_2_0051E610
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00492BF8 0_2_00492BF8
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_004F3114 0_2_004F3114
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_004871F4 0_2_004871F4
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: String function: 00405160 appears 95 times
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: String function: 00404BFC appears 39 times
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: String function: 004075B8 appears 90 times
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: String function: 004F2F24 appears 75 times
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: String function: 00404CD0 appears 34 times
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: String function: 004F2F5C appears 494 times
    Source: hhcqxkb.exe | Static PE information: invalid certificate
    Source: hhcqxkb.exe | Binary or memory string: OriginalFilename vs hhcqxkb.exe
    Source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002760000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7za.dll, vs hhcqxkb.exe
    Source: hhcqxkb.exe, 00000000.00000002.4704133876.000000001004F000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7za.dll, vs hhcqxkb.exe
    Source: hhcqxkb.exe, 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename7za.dll, vs hhcqxkb.exe
    Source: hhcqxkb.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
    Source: classification engine | Classification label: mal76.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0040A692 GetDiskFreeSpaceA,0_2_0040A692
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_00477FC8 CoGetClassObject,CoCreateInstance,0_2_00477FC8
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Code function: 0_2_0041A3C0 FindResourceA,0_2_0041A3C0
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: hhcqxkb.exe | Virustotal: Detection: 50%
    Source: hhcqxkb.exe | ReversingLabs: Detection: 36%
    Source: hhcqxkb.exe | String found in binary or memory: NATS-SEFI-ADD
    Source: hhcqxkb.exe | String found in binary or memory: NATS-DANO-ADD
    Source: hhcqxkb.exe | String found in binary or memory: JIS_C6229-1984-b-add
    Source: hhcqxkb.exe | String found in binary or memory: jp-ocr-b-add
    Source: hhcqxkb.exe | String found in binary or memory: jp-ocr-hand-add
    Source: hhcqxkb.exe | String found in binary or memory: JIS_C6229-1984-hand-add
    Source: hhcqxkb.exe | String found in binary or memory: ISO_6937-2-add
    Source: C:\Users\user\Desktop\hhcqxkb.exe | File read: C:\Users\user\Desktop\hhcqxkb.exe
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: wsock32.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: olepro32.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: security.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: ieframe.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: netapi32.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: wkscli.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: dwrite.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
    Source: C:\Users\user\Desktop\hhcqxkb.exe | Window found: window name: TComboBox
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: hhcqxkb.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: hhcqxkb.exe | Static file information: File size 7545920 > 1048576
    Source: hhcqxkb.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x242800
    Source: Binary string: krnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\y\*dat\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\.*r\Ap source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\kies\emp\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006CF5000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002740000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\pl\tkrnlmp.pdb\a source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006DF6000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\.*dobe\0s3s source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007191000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\y\at\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C85000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\A source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C85000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\*.* source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\me\Use!? source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\blob_storage\921a1560-5524-44c0-8495-fce7014dcfba\*.pdb\\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\6_110794397\. source: hhcqxkb.exe, 00000000.00000002.4703353558.00000000070ED000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\cal Settings\Application Data\Application Data\Application Data\Packages\Microsoft.People_8wekyb3d8bbwe\AC\Temp\stant\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006CF5000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: OC:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\.*q source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: ;C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002822000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\8< source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ies\mp\!+ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C85000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: tkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006DF6000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\17691134\.1e source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: p.pdb\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006DF6000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\e\*.** source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\17691134\. source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tings\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C85000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\kies\emp\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ation DaAb source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ies\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\hr\*.pdb\\A source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\17691134\..! source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\*.*roa source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: cuments and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006CF5000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: lication Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006E48000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\y\**\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\1\*.*r\Lo!V source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\\l\A source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\AC\cuments and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006CF5000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007191000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\on Dat source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\*.*\L source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: .pdb\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp, hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000DE9000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\e\*.** source: hhcqxkb.exe, 00000000.00000002.4702393727.0000000006C10000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Sync Data\lication Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\s\p\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006E48000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006D51000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4699238477.0000000002822000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\.\\\a/ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\p.pdb\\ source: hhcqxkb.exe, 00000000.00000003.3595557423.0000000006DF6000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\y\**\Q* source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_CN\krnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ineer\Ap source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\1\..\ Dataa source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B37000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\a source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.00000000070ED000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: hhcqxkb.exe, 00000000.00000002.4703353558.0000000007150000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: hhcqxkb.exe, 00000000.00000002.4698199092.0000000000CF0000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: hhcqxkb.exe, 00000000.00000003.3594892617.0000000006B8D000.00000004.00001000.00020000.00000000.sdmp

    Data Obfuscation

    Source: C:\Users\user\Desktop\hhcqxkb.exeUnpacked PE file: 0.2.hhcqxkb.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004AC650 LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,0_2_004AC650
    Source: hhcqxkb.exeStatic PE information: real checksum: 0x2538e2 should be: 0x73fad6
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0050C948 push 85BE5052h; mov dword ptr [esp], 8F60F1B6h0_2_005BCDE8
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0041964C push ecx; mov dword ptr [esp], edx0_2_00419651
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004940F0 push 0049415Dh; ret 0_2_00494155
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004D4134 push 004D416Ch; ret 0_2_004D4164
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004081A8 push 004081EAh; ret 0_2_004081E2
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004101BC push ecx; mov dword ptr [esp], edx0_2_004101C1
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_00428248 push 0042828Bh; ret 0_2_00428283
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0050C248 push 0050C28Bh; ret 0_2_0050C283
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0050034C push 00500389h; ret 0_2_00500381
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_00474368 push 004743DEh; ret 0_2_004743D6
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004AC454 push 004AC480h; ret 0_2_004AC478
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0046C4E0 push 0046C54Ah; ret 0_2_0046C542
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004CC48C push 004CC4D0h; ret 0_2_004CC4C8
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004A860C push 004A8638h; ret 0_2_004A8630
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0046C8F4 push 0046C927h; ret 0_2_0046C91F
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_00500888 push 005008C0h; ret 0_2_005008B8
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0046C92C push 0046C96Fh; ret 0_2_0046C967
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0043C9CC push 0043C9F8h; ret 0_2_0043C9F0
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004109AC push 00410B37h; ret 0_2_00410B2F
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004249B8 push 004249F0h; ret 0_2_004249E8
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0046C9BC push 0046CA08h; ret 0_2_0046CA00
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_00480A58 push 00480AF0h; ret 0_2_00480AE8
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0046CA0C push 0046CA57h; ret 0_2_0046CA4F
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0040CA3D push ss; retf 0_2_0040CA3E
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_00508B4C push 00508B72h; ret 0_2_00508B6A
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0045CB3C push ecx; mov dword ptr [esp], edx0_2_0045CB40
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004B4BA4 push 004B4BE7h; ret 0_2_004B4BDF
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0044CBBC push ecx; mov dword ptr [esp], ecx0_2_0044CBC0
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004ACCA4 push 004ACCDCh; ret 0_2_004ACCD4
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004C8D78 push 004C8DABh; ret 0_2_004C8DA3
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0045CDE0 push ecx; mov dword ptr [esp], edx0_2_0045CDE4
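The findings in this section that actually speak to packing are the unpacked image's .text section going from ER to EW, the PE checksum that does not match the header, and, from the file information further down, the PECompact2 identification and the 7.9998 entropy. All three can be reproduced from the file alone. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample: it recomputes the checksum the way imagehlp does, prints section rights in RWX form instead of the report's ER/EW shorthand, and measures entropy. The minimal PE it builds at the bottom is a constructed stand-in carrying a writable .text section and the report's stored checksum value 0x2538e2, not bytes from hhcqxkb.exe.

```python
"""Added PE triage checks: checksum, section rights, entropy (constructed sample)."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def _headers(data: bytes):
    """Return (e_lfanew, NumberOfSections, SizeOfOptionalHeader) or raise."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew, num_sections, opt_size


def _checksum_offset(data: bytes) -> int:
    """OptionalHeader.CheckSum sits 0x40 bytes into the optional header (PE32 and PE32+)."""
    e_lfanew, _, _ = _headers(data)
    return e_lfanew + 24 + 0x40


def stored_checksum(data: bytes) -> int:
    """Value the linker (or packer) left in the header; 0 means 'never set'."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Recompute as imagehlp!CheckSumMappedFile does: 32-bit sum with carry
    fold over the whole file, skipping the CheckSum field, folded to 16 bits,
    plus the unpadded file length."""
    skip = _checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_matches(data: bytes) -> bool:
    """Mismatch is the normal fingerprint of a post-link rewrite (packers
    rarely fix the field up); treat it as a hint, not a verdict."""
    return stored_checksum(data) == pe_checksum(data)


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the image with the CheckSum field set to value."""
    out = bytearray(data)
    struct.pack_into("<I", out, _checksum_offset(data), value)
    return bytes(out)


def section_rights(data: bytes) -> list:
    """(name, rights) per section; a healthy code section reads 'R-X',
    a self-modifying one 'RWX' (the report's '.text:EW')."""
    e_lfanew, n, opt_size = _headers(data)
    off = e_lfanew + 24 + opt_size
    out = []
    for _ in range(n):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        flags = struct.unpack_from("<I", data, off + 36)[0]
        rights = ("R" if flags & IMAGE_SCN_MEM_READ else "-") \
            + ("W" if flags & IMAGE_SCN_MEM_WRITE else "-") \
            + ("X" if flags & IMAGE_SCN_MEM_EXECUTE else "-")
        out.append((name, rights))
        off += 40
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the sample): writable .text, bogus checksum."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 0x40, 0x2538E2)                   # value from the report
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020 | IMAGE_SCN_MEM_WRITE)
    rsrc = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x2000, 0x200, 0x400,
                       0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + text + rsrc
    body = bytes(range(256)) * 4                                  # maximal-entropy filler
    return hdr + b"\0" * (0x200 - len(hdr)) + body
```

Against the on-disk sample the checksum mismatch is what shows up; against the sandbox's unpacked dump (0.2.hhcqxkb.exe.400000.0.unpack) the section list should show .text as RWX, which is what the report abbreviates as .text:EW. A stored checksum of zero is not a mismatch, just an unset field.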
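The push/ret and push ecx; mov dword ptr [esp] entries above deserve a second look before they are counted as deliberate obfuscation. TrID identifies the file as Delphi, the http://www.indyproject.org/ string points the same way, and every push imm32; ret pair listed has its target exactly 8 bytes past the address the report prints for the ret, the shape Delphi's try/finally epilogue (push offset @exit ... ret) produces rather than a hand-built jump. The Python below is an added helper for this page, not Joe Sandbox code or code from the sample: it scans a 32-bit code section for 68 imm32 C3 sequences, keeps those whose target lies inside the image, and separates short forward hops (compiler idiom) from long or backward ones (worth disassembling). The image base 0x400000 is taken from the report's unpack entry; the section address 0x494000, the image size and the code bytes are constructed for the example.

```python
"""Added scanner for push imm32; ret pairs in 32-bit code (constructed buffer)."""
import struct

IMAGE_BASE = 0x400000      # from the report's unpack entry (0.2.hhcqxkb.exe.400000)
SECTION_VA = 0x494000      # assumed start of the scanned code chunk
IMAGE_SIZE = 0x300000      # assumed SizeOfImage; the report does not state it


def find_push_ret(code: bytes, section_va: int = SECTION_VA,
                  image_size: int = IMAGE_SIZE, near_limit: int = 64) -> list:
    """One dict per 68 <imm32> C3 sequence whose immediate is an in-image
    address. 'delta' is target minus the ret's address; a short positive
    delta is what compiler-generated finally epilogues look like."""
    lo, hi = IMAGE_BASE, IMAGE_BASE + image_size
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0x68 and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]
            ret_va = section_va + i + 5
            if lo <= target < hi:
                delta = target - ret_va
                kind = ("compiler-epilogue" if 0 < delta <= near_limit
                        else "control-flow-obfuscation")
                hits.append({"push_va": section_va + i, "ret_va": ret_va,
                             "target": target, "delta": delta, "kind": kind})
            i += 6
        else:
            i += 1
    return hits


def suspicious_only(hits: list) -> list:
    """Drop the compiler idiom so only real control-flow hiding remains."""
    return [h for h in hits if h["kind"] == "control-flow-obfuscation"]


def build_sample_code() -> bytes:
    """Constructed bytes (not from the sample): a Delphi-style near hop that
    mirrors 'push 0049415Dh; ret' at 0x494155, a far hop that really hides
    control flow, and a pushed constant outside the image that must not match."""
    buf = bytearray(b"\x90" * 0x200)                                 # nop filler
    struct.pack_into("<BIB", buf, 0x150, 0x68, 0x49415D, 0xC3)       # ret at 0x494155
    struct.pack_into("<BIB", buf, 0x1A0, 0x68, 0x4AC650, 0xC3)       # far, into 0_2_004AC650
    struct.pack_into("<BIB", buf, 0x1C0, 0x68, 0x85BE5052, 0xC3)     # not an address
    return bytes(buf)
```

Feed it the raw bytes of the unpacked dump's .text section (with that section's virtual address) and read only the control-flow-obfuscation bucket; if it is empty, the Data Obfuscation hits above are Delphi codegen and the packing evidence rests on PECompact2, the entropy and the section rights instead.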

    Persistence and Installation Behavior

    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive00_2_0051EC44
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive00_2_0051EDC4
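These two entries are what drives the "possible boot sector overwrite" and "infect the boot sector" signatures in the summary: a CreateFileA on \\.\PhysicalDrive0 followed by DeviceIoControl. The same call sequence is how software reads a disk's identity (serial number, geometry) through the raw device, the functions listed contain no WriteFile, and the report states under Boot Survival that disk infection showed no activity, so the finding is a static code pattern rather than observed MBR tampering. The quickest way to settle it on a detonation box is to hash sector 0 before and after running the sample. The Python below is an added example written for this page, not Joe Sandbox or sample code: it parses a classic MBR into bootstrap code, disk signature and partition table, fingerprints each part, and diffs two captures. The 512-byte sector it builds is constructed; read_sector0 is the only part that touches a real device and needs Windows plus administrator rights.

```python
"""Added MBR fingerprint/diff for before-after detonation comparison (constructed sector)."""
import hashlib
import struct

SECTOR_SIZE = 512
DISK_SIG_OFF = 0x1B8       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE      # 0x55 0xAA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into the parts a bootkit would touch and hash each."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for n in range(4):
        off = PART_TABLE_OFF + n * 16
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:                                   # type 0 = unused slot
            parts.append({"index": n, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "bootstrap_sha256": hashlib.sha256(sector[:DISK_SIG_OFF]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:SIGNATURE_OFF]).hexdigest(),
        "partitions": parts,
    }


def diff_mbr(before: bytes, after: bytes) -> list:
    """Name what changed between two captures; an empty list means untouched."""
    a, b = parse_mbr(before), parse_mbr(after)
    changes = []
    if a["bootstrap_sha256"] != b["bootstrap_sha256"]:
        changes.append("bootstrap code overwritten")
    if a["table_sha256"] != b["table_sha256"]:
        changes.append("partition table modified")
    if a["disk_signature"] != b["disk_signature"]:
        changes.append("disk signature changed")
    return changes


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Windows only, administrator required: read-only open of the raw device,
    the same object the flagged CreateFileA call names. Reads must be
    sector-aligned, so buffering is disabled."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(bootstrap_fill: bytes = b"\xFA\x33\xC0",
                     signature: int = 0x1234ABCD) -> bytes:
    """Constructed MBR: repeating stub bytes, one bootable NTFS (0x07)
    partition at LBA 2048. Not read from any real disk."""
    sector = bytearray(SECTOR_SIZE)
    reps = DISK_SIG_OFF // len(bootstrap_fill) + 1
    sector[:DISK_SIG_OFF] = (bootstrap_fill * reps)[:DISK_SIG_OFF]
    struct.pack_into("<I", sector, DISK_SIG_OFF, signature)
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sector)
```

On the analysis VM, call read_sector0() before detonation, save the bytes, call it again after the timeout and run diff_mbr on the pair; GPT disks still carry a protective MBR in sector 0, so the check applies there too, although a GPT-aware bootkit would also need the EFI partition inspected.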

    Boot Survival

    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive00_2_0051EC44
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive00_2_0051EDC4
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0045F368 GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,0_2_0045F368
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_00424BF0 MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,0_2_00424BF0
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_00452BE4 IsIconic,GetCapture,0_2_00452BE4
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0045F2EC IsIconic,0_2_0045F2EC
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004C8A58 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_004C8A58
    Source: C:\Users\user\Desktop\hhcqxkb.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\hhcqxkb.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,0_2_00468834
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: GetAdaptersInfo,SetLastError,0_2_0051EB94
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0040A48C FindFirstFileA,GetLastError,0_2_0040A48C
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0040A20A FindFirstFileA,FindClose,0_2_0040A20A
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0040A20C FindFirstFileA,FindClose,0_2_0040A20C
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004AE374 FindFirstFileW,FindFirstFileA,FindClose,0_2_004AE374
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004065A4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_004065A4
    Source: hhcqxkb.exe, 00000000.00000002.4697799956.0000000000AE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\hhcqxkb.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004AC650 LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,0_2_004AC650
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004AC8D4 VirtualAlloc,VirtualAlloc,GetProcessHeap,RtlAllocateHeap,VirtualAlloc,VirtualAlloc,0_2_004AC8D4
    Source: C:\Users\user\Desktop\hhcqxkb.exe Process token adjusted: Debug
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004072EA AllocateAndInitializeSid,OpenProcessToken,RegQueryValueExA,CloseHandle,0_2_004072EA
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_00406768
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: GetLocaleInfoA,0_2_0040DBC0
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: GetLocaleInfoA,0_2_0040DC0C
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0040C4C4 GetLocalTime,0_2_0040C4C4
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_004BE470 GetTimeZoneInformation,0_2_004BE470
    Source: hhcqxkb.exe, 00000000.00000002.4699112695.0000000002730000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 360Tray.exe
    Source: C:\Users\user\Desktop\hhcqxkb.exeCode function: 0_2_0047DC64 bind,listen,0_2_0047DC64
    MITRE ATT&CK Matrix (the leading number is the hit count the report attaches to that technique; unnumbered techniques are empty matrix cells)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
    Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
    Execution: 2 Command and Scripting Interpreter; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
    Persistence: 2 Bootkit; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
    Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
    Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Bootkit; 1 Software Packing; 1 DLL Side-Loading; Steganography; Compile After Delivery; Indicator Removal from Tools
    Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
    Discovery: 2 System Time Discovery; 31 Security Software Discovery; 1 Process Discovery; 11 Application Window Discovery; 11 Peripheral Device Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 14 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
    Collection: 1 Screen Capture; 11 Input Capture; 1 Archive Collected Data; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
    Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
    Source | Detection | Scanner | Label
    hhcqxkb.exe | 50% | Virustotal |
    hhcqxkb.exe | 37% | ReversingLabs | Win32.Trojan.Generic
    hhcqxkb.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.indyproject.org/ | hhcqxkb.exe, 00000000.00000003.2235571986.0000000002690000.00000004.00001000.00020000.00000000.sdmp | false | | high
      http://www.360.cn | hhcqxkb.exe | false | | high
      http://www.symauth.com/cps0( | hhcqxkb.exe | false | | high
      http://www.symauth.com/rpa00 | hhcqxkb.exe | false | | high
              No contacted IP infos
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1590856
              Start date and time:2025-01-14 16:33:01 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 48s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
               Number of new started processes analysed:16
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:hhcqxkb.exe
              Detection:MAL
              Classification:mal76.evad.winEXE@1/0@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 69%
              • Number of executed functions: 97
              • Number of non-executed functions: 192
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 2.23.227.208, 13.107.246.45, 184.28.90.27, 20.12.23.50, 173.222.162.64, 20.223.36.55, 20.31.169.57, 150.171.27.10, 2.21.65.154
              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, tse1.mm.bing.net, azureedge-t-prod.trafficmanager.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
              • Report size getting too big, too many NtOpenFile calls found.
              • Report size getting too big, too many NtQueryAttributesFile calls found.
              No simulations
              No context
               Match: s-part-0017.t-0009.t-msedge.net (context IP 13.107.246.45 in every row)
               Associated Sample Name / URL | Detection | Threat Name
               Subscription_Renewal_Receipt_2025.htm | malicious | HTMLPhisher
               https://www.xrmtoolbox.com/ | malicious | Unknown
               https://forrestore.com/static/apps/437.zip | malicious | Unknown
               https://2ol.itectaxice.ru/Qm75/ | malicious | Unknown
               https://forms.office.com/e/xknrfCPQkR | malicious | HTMLPhisher
               https://account.tctmagazine.com/emailclickthrough?TxActivity=239212&returnUrl=https://mighty-calm-plum-toucan.easy2.de/&Hash=1DD38A2BA32B80F59EA0F1A750C3EC0E | malicious | HTMLPhisher
               https://forms.office.com/e/xknrfCPQkR | malicious | HTMLPhisher
               https://forms.office.com/e/xknrfCPQkR | malicious | HTMLPhisher
               https://forms.office.com/e/xknrfCPQkR | malicious | HTMLPhisher
               https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=https%3A%2F%2Fgoogle.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%253Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3D.%2F%2F%2F%2Famp%2Fs%2Fjobuli.in%2Fwinner%2FsXtxg%2FbWFyc2hhLnJvd2xhbmRAY2hlcm9rZWVicmljay5jb20=?0s57db= (URL truncated in the source) | malicious | HTMLPhisher
               Every row shares nothing but the context IP 13.107.246.45, which this report itself whitelists (see Excluded IPs above) and lists as non-malicious for s-part-0017.t-0009.t-msedge.net, a Microsoft edge host; the overlap with unrelated phishing samples is background traffic from the analysis VM, not a relationship between those samples and hhcqxkb.exe.
              No context
              No context
              No context
              No created / dropped files found
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
              Entropy (8bit):7.999767379567863
              TrID:
              • Win32 Executable (generic) a (10002005/4) 98.94%
              • Win32 EXE PECompact compressed (v2.x) (59071/9) 0.58%
              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
              • Win16/32 Executable Delphi generic (2074/23) 0.02%
              • Generic Win/DOS Executable (2004/3) 0.02%
              File name:hhcqxkb.exe
              File size:7'545'920 bytes
              MD5:650d2ff4c186fbbc65cd5d4a8fb8911e
              SHA1:13a0bde0732ce802e91df36c70b54afe6dd67f6f
              SHA256:4ec6425bb2c3b0c9c33679ca134418f385437f9f6fc89bcce8668d07e6c4c23a
              SHA512:3c3af898942c301fa0b2380f5f3eeca5e80c3a76569ef4c5ab1782aa11b948d590645e118d588144ed436f2462315c5a78da7d11f7abc337ee231d1a5c215789
              SSDEEP:196608:IDiqDuF/MBIf09WIUfi09XCwbRvkSsmUvqlRfrd9T:IDWFuc9ywdv7UCl39T
              TLSH:3376333D058E48E2FD3269BA50C0CCE8457C0EA96651E79D1FC1BC852EF2B786B918C7
              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
              Icon Hash:cba729a585a5555b
              Entrypoint:0x401000
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              DLL Characteristics:
              Time Stamp:0x5BAFC2FB [Sat Sep 29 18:22:51 2018 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:09d0478591d4f788cb3e5ea416c25237
              Signature Valid:false
              Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
              Signature Validation Error:The digital signature of the object did not verify
              Error Number:-2146869232
              Not Before:05/01/2016 19:00:00
              Not After:28/03/2019 19:59:59
              Subject Chain
              • CN=Qihoo 360 Software (Beijing) Company Limited, OU=Tech. Dev. Dept., O=Qihoo 360 Software (Beijing) Company Limited, L=Beijing, S=Beijing, C=CN
              Version:3
              Thumbprint MD5:458049CD38BF196FA31298973E90FBE2
              Thumbprint SHA-1:D4FB2982268B592E3CD46FA78194E71418297741
              Thumbprint SHA-256:0C9E4AE0B30089F2608168012D7D453CE982CCACC709D566C0ADD9DAB14C7E15
              Serial:26279F0F2F11970DCCF63EBA88F2D4C4
              Instruction
              mov eax, 007A6948h
              push eax
              push dword ptr fs:[00000000h]
              mov dword ptr fs:[00000000h], esp
              xor eax, eax
              mov dword ptr [eax], ecx
              push eax
              inc ebp
              inc ebx
              outsd
              insd
              jo 00007F2244D94353h
              arpl word ptr [edx+esi+00h], si
              adc ebx, dword ptr [edi-54h]
              xchg eax, ebx
              neg dl
              push cs
              dec edx
              bound ebx, dword ptr [D6498464h]
              cmp eax, 55FD1C84h
              fld qword ptr [edx-3Ch]
              jecxz 00007F2244D942A4h
              xchg eax, ecx
              mov ebx, dword ptr [esi-7C4EA088h]
              pop ebp
              inc esi
              inc edi
              pop es
              xor al, 2Bh
              loope 00007F2244D9430Eh
              and byte ptr [ecx+4AA1D934h], dl
              push cs
              sub dh, byte ptr [eax+44h]
              pop es
              dec edx
              mov esi, 19CEA694h
              daa
              xchg eax, esp
              inc ebp
              les edx, fword ptr [ecx-04h]
              shl dl, cl
              loope 00007F2244D942A1h
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a5c34 | 0x8f | .rsrc
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a4000 | 0x19f5 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x245818 | 0x4ecc28 | 
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_TLS | 0x3a6a10 | 0x5c | .rsrc
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x3a3000 | 0x242800 | 028f87c4fd09a3ce6e8c11789cf99075 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x3a4000 | 0x28c000 | 0x2c000 | 131b10ee8f5b83312f297a191c2b9c8d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_CURSOR | 0x32f000 | 0x134 | empty | English | United States | 0
              RT_CURSOR | 0x32f138 | 0x134 | empty | English | United States | 0
              RT_CURSOR | 0x32f270 | 0x134 | empty | English | United States | 0
              RT_CURSOR | 0x32f3a8 | 0x134 | empty | English | United States | 0
              RT_CURSOR | 0x32f4e0 | 0x134 | empty | English | United States | 0
              RT_CURSOR | 0x32f618 | 0x134 | empty | English | United States | 0
              RT_CURSOR | 0x32f750 | 0x134 | empty | English | United States | 0
              RT_CURSOR | 0x32f888 | 0x134 | empty | English | United States | 0
              RT_BITMAP | 0x32f9c0 | 0x1d0 | empty | English | United States | 0
              RT_BITMAP | 0x32fb90 | 0x1e4 | empty | English | United States | 0
              RT_BITMAP | 0x32fd78 | 0x1d0 | empty | English | United States | 0
              RT_BITMAP | 0x32ff48 | 0x1d0 | empty | English | United States | 0
              RT_BITMAP | 0x330118 | 0x1d0 | empty | English | United States | 0
              RT_BITMAP | 0x3302e8 | 0x1d0 | empty | English | United States | 0
              RT_BITMAP | 0x3304b8 | 0x1d0 | empty | English | United States | 0
              RT_BITMAP | 0x330688 | 0x1d0 | empty | English | United States | 0
              RT_BITMAP | 0x330858 | 0x1d0 | empty | English | United States | 0
              RT_BITMAP | 0x330a28 | 0x1d0 | empty | English | United States | 0
              RT_BITMAP | 0x330bf8 | 0xc0 | empty | English | United States | 0
              RT_BITMAP | 0x330cb8 | 0xe0 | empty | English | United States | 0
              RT_BITMAP | 0x330d98 | 0xe0 | empty | English | United States | 0
              RT_BITMAP | 0x330e78 | 0xe0 | empty | English | United States | 0
              RT_BITMAP | 0x330f58 | 0xc0 | empty | English | United States | 0
              RT_BITMAP | 0x331018 | 0xc0 | empty | English | United States | 0
              RT_BITMAP | 0x3310d8 | 0xe0 | empty | English | United States | 0
              RT_BITMAP | 0x3311b8 | 0xc0 | empty | English | United States | 0
              RT_BITMAP | 0x331278 | 0xe0 | empty | English | United States | 0
              RT_BITMAP | 0x331358 | 0xe8 | empty | English | United States | 0
              RT_BITMAP | 0x331440 | 0xc0 | empty | English | United States | 0
              RT_BITMAP | 0x331500 | 0x228 | empty | English | United States | 0
              RT_BITMAP | 0x331728 | 0xe0 | empty | English | United States | 0
              RT_ICON | 0x3a5538 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Chinese | China | 0.39919354838709675
              RT_DIALOG | 0x331808 | 0x52 | empty |  |  | 0
              RT_DIALOG | 0x331860 | 0x52 | empty |  |  | 0
              RT_STRING | 0x3318b8 | 0x4ec | empty |  |  | 0
              RT_STRING | 0x331da8 | 0x2d8 | empty |  |  | 0
              RT_STRING | 0x332080 | 0x36c | empty |  |  | 0
              RT_STRING | 0x3323f0 | 0xe90 | empty |  |  | 0
              RT_STRING | 0x333280 | 0xac8 | empty |  |  | 0
              RT_STRING | 0x333d48 | 0xad4 | empty |  |  | 0
              RT_STRING | 0x334820 | 0x8ec | empty |  |  | 0
              RT_STRING | 0x335110 | 0x76c | empty |  |  | 0
              RT_STRING | 0x335880 | 0x40c | empty |  |  | 0
              RT_STRING | 0x335c90 | 0x484 | empty |  |  | 0
              RT_STRING | 0x336118 | 0x3d4 | empty |  |  | 0
              RT_STRING | 0x3364f0 | 0x35c | empty |  |  | 0
              RT_STRING | 0x336850 | 0x4ec | empty |  |  | 0
              RT_STRING | 0x336d40 | 0x328 | empty |  |  | 0
              RT_STRING | 0x337068 | 0x3a0 | empty |  |  | 0
              RT_STRING | 0x337408 | 0x254 | empty |  |  | 0
              RT_STRING | 0x337660 | 0x4cc | empty |  |  | 0
              RT_STRING | 0x337b30 | 0xbf4 | empty |  |  | 0
              RT_STRING | 0x338728 | 0x39c | empty |  |  | 0
              RT_STRING | 0x338ac8 | 0x384 | empty |  |  | 0
              RT_STRING | 0x338e50 | 0xa8 | empty |  |  | 0
              RT_STRING | 0x338ef8 | 0xe0 | empty |  |  | 0
              RT_STRING | 0x338fd8 | 0x218 | empty |  |  | 0
              RT_STRING | 0x3391f0 | 0x408 | empty |  |  | 0
              RT_STRING | 0x3395f8 | 0x35c | empty |  |  | 0
              RT_STRING | 0x339958 | 0x398 | empty |  |  | 0
              RT_STRING | 0x339cf0 | 0x364 | empty |  |  | 0
              RT_STRING | 0x33a058 | 0x39c | empty |  |  | 0
              RT_STRING | 0x33a3f8 | 0xd0 | empty |  |  | 0
              RT_STRING | 0x33a4c8 | 0xa0 | empty |  |  | 0
              RT_STRING | 0x33a568 | 0x2b8 | empty |  |  | 0
              RT_STRING | 0x33a820 | 0x418 | empty |  |  | 0
              RT_STRING | 0x33ac38 | 0x2ec | empty |  |  | 0
              RT_STRING | 0x33af28 | 0x30c | empty |  |  | 0
              RT_RCDATA | 0x33b238 | 0x22000 | empty | Chinese | China | 0
              RT_RCDATA | 0x35d238 | 0x10 | empty |  |  | 0
              RT_RCDATA | 0x35d248 | 0xc3c | empty |  |  | 0
              RT_RCDATA | 0x35de88 | 0x860d | empty |  |  | 0
              RT_RCDATA | 0x366498 | 0x8d40 | empty |  |  | 0
              RT_RCDATA | 0x36f1d8 | 0x112a | empty |  |  | 0
              RT_RCDATA | 0x370308 | 0x21476 | empty |  |  | 0
              RT_RCDATA | 0x391780 | 0x98eb | empty |  |  | 0
              RT_RCDATA | 0x39b070 | 0x2c8 | empty |  |  | 0
              RT_RCDATA | 0x39b338 | 0x6a3c | empty |  |  | 0
              RT_GROUP_CURSOR | 0x3a1d78 | 0x14 | empty | English | United States | 0
              RT_GROUP_CURSOR | 0x3a1d90 | 0x14 | empty | English | United States | 0
              RT_GROUP_CURSOR | 0x3a1da8 | 0x14 | empty | English | United States | 0
              RT_GROUP_CURSOR | 0x3a1dc0 | 0x14 | empty | English | United States | 0
              RT_GROUP_CURSOR | 0x3a1dd8 | 0x14 | empty | English | United States | 0
              RT_GROUP_CURSOR | 0x3a1df0 | 0x14 | empty | English | United States | 0
              RT_GROUP_CURSOR | 0x3a1e08 | 0x14 | empty | English | United States | 0
              RT_GROUP_CURSOR | 0x3a1e20 | 0x14 | empty | English | United States | 0
              RT_GROUP_ICON | 0x3a5820 | 0x14 | data | Chinese | China | 1.2
              RT_MANIFEST | 0x3a5838 | 0x1bd | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5258426966292135
              DLL | Import
              kernel32.dll | LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
              Language of compilation system | Country where language is spoken | Map
              English | United States | 
              Chinese | China | 
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jan 14, 2025 16:34:22.842009068 CET | 58852 | 53 | 192.168.2.6 | 1.1.1.1
              Jan 14, 2025 16:34:22.846923113 CET | 53 | 58852 | 1.1.1.1 | 192.168.2.6
              Jan 14, 2025 16:34:22.849514008 CET | 58852 | 53 | 192.168.2.6 | 1.1.1.1
              Jan 14, 2025 16:34:22.858174086 CET | 53 | 58852 | 1.1.1.1 | 192.168.2.6
              Jan 14, 2025 16:34:23.343631029 CET | 58852 | 53 | 192.168.2.6 | 1.1.1.1
              Jan 14, 2025 16:34:23.386640072 CET | 58852 | 53 | 192.168.2.6 | 1.1.1.1
              Jan 14, 2025 16:34:23.391697884 CET | 53 | 58852 | 1.1.1.1 | 192.168.2.6
              Jan 14, 2025 16:34:23.391757011 CET | 58852 | 53 | 192.168.2.6 | 1.1.1.1
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jan 14, 2025 16:34:22.838659048 CET | 53 | 52103 | 1.1.1.1 | 192.168.2.6
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jan 14, 2025 16:33:59.726799011 CET | 1.1.1.1 | 192.168.2.6 | 0x3b3e | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
              Jan 14, 2025 16:33:59.726799011 CET | 1.1.1.1 | 192.168.2.6 | 0x3b3e | No error (0) | s-part-0017.t-0009.t-msedge.net |  | 13.107.246.45 | A (IP address) | IN (0x0001) | false
              Target ID:0
              Start time:10:34:02
              Start date:14/01/2025
              Path:C:\Users\user\Desktop\hhcqxkb.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\hhcqxkb.exe"
              Imagebase:0x400000
              File size:7'545'920 bytes
              MD5 hash:650D2FF4C186FBBC65CD5D4A8FB8911E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Borland Delphi
              Reputation:low
              Has exited:false


                Execution Graph

                Execution Coverage:4.5%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:10.6%
                Total number of Nodes:1850
                Total number of Limit Nodes:115
63924->63933 63926 40a287 63926->63922 63927->63910 63929 421e17 GetLastError 63928->63929 63930 421e25 63928->63930 63932 421d94 43 API calls 63929->63932 63930->63909 63932->63930 63933->63926 63934 46739c 63935 4673a6 63934->63935 63944 4607f4 63935->63944 63937 4673ca 63950 462e04 63937->63950 63941 4673dc 63979 463224 178 API calls 63941->63979 63943 4673e5 63945 4607ff 63944->63945 63946 460809 63944->63946 63945->63946 63980 460320 63945->63980 63946->63937 63949 460320 GetSysColor 63949->63946 63951 462e17 63950->63951 63952 462f9b 63950->63952 63953 4607f4 GetSysColor 63951->63953 63978 452638 42 API calls 63952->63978 63954 462e42 63953->63954 63954->63952 63955 462e74 GetWindowLongA 63954->63955 63956 453b48 63955->63956 63957 462e86 GetWindowLongA 63956->63957 63958 453b48 63957->63958 63959 462e99 GetClassLongA 63958->63959 63960 462ebb 63959->63960 63961 462ed9 SetWindowLongA 63960->63961 63962 453b48 63961->63962 63963 462eed SetWindowLongA 63962->63963 63964 453b48 63963->63964 63965 462f01 SetClassLongA 63964->63965 63967 462f0e 63965->63967 63966 462f78 63969 462f8b SetWindowPos 63966->63969 63967->63966 63968 462f59 63967->63968 63970 462f25 63967->63970 63971 462f43 63967->63971 63972 462f62 GetSystemMenu 63968->63972 63969->63952 64012 464e44 63970->64012 63976 462f53 SendMessageA 63971->63976 63974 44cd50 177 API calls 63972->63974 63974->63966 63975 462f2c 63977 462f3b SendMessageA 63975->63977 63976->63968 63977->63968 63978->63941 63979->63943 63983 460308 63980->63983 63984 460311 63983->63984 63987 460850 63984->63987 63986 46031e 63986->63949 63988 460942 63987->63988 63989 460867 63987->63989 63988->63986 63989->63988 63990 4608c7 63989->63990 63991 4608a1 63989->63991 63994 4608ff 63990->63994 63995 4608d9 63990->63995 63992 460458 GetSysColor 63991->63992 63993 4608b3 63992->63993 63996 460458 GetSysColor 63993->63996 64004 460458 63994->64004 63997 460458 GetSysColor 63995->63997 63999 4608c5 63996->63999 64000 4608eb 63997->64000 
63999->63986 64002 460458 GetSysColor 64000->64002 64001 460911 64003 460458 GetSysColor 64001->64003 64002->63999 64003->63999 64005 46047e 64004->64005 64008 460350 64005->64008 64007 460504 64007->64001 64009 46038d 64008->64009 64010 429ccc GetSysColor 64009->64010 64011 460432 64010->64011 64011->64007 64017 4319a8 64012->64017 64015 464e5d 64015->63975 64025 4319e4 64017->64025 64019 4319b2 64019->64015 64020 469d98 64019->64020 64021 4319a8 50 API calls 64020->64021 64022 469da3 64021->64022 64023 469da7 LoadIconA 64022->64023 64024 469db3 64022->64024 64023->64024 64024->64015 64026 4319f4 64025->64026 64031 431a20 64025->64031 64026->64031 64033 41da10 64026->64033 64030 431a13 64030->64031 64037 42c408 6 API calls 64030->64037 64031->64019 64038 41de3c 64033->64038 64036 41dc1c 42 API calls 64036->64030 64037->64031 64041 40a1bc SetFilePointer 64038->64041 64042 40a1f5 64041->64042 64043 40a1ec GetLastError 64041->64043 64042->64036 64043->64042 64044 459398 GetCurrentProcessId 64075 40b2c0 64044->64075 64047 404d24 11 API calls 64048 4593e1 64047->64048 64049 4593eb GlobalAddAtomA GetCurrentThreadId 64048->64049 64050 40b2c0 42 API calls 64049->64050 64051 459425 64050->64051 64052 404d24 11 API calls 64051->64052 64053 459432 64052->64053 64054 45943c GlobalAddAtomA 64053->64054 64055 405160 64054->64055 64056 459452 RegisterClipboardFormatA 64055->64056 64078 41b0c0 64056->64078 64058 459469 64082 458fa0 64058->64082 64060 459473 64090 458d4c 64060->64090 64062 45947f 64094 4678c8 64062->64094 64064 459492 64111 468b48 64064->64111 64066 4594a8 64125 41a1d8 44 API calls 64066->64125 64068 4594d2 GetModuleHandleA 64069 4594f2 64068->64069 64070 4594e2 GetProcAddress 64068->64070 64071 404cd0 11 API calls 64069->64071 64070->64069 64072 459507 64071->64072 64073 404cd0 11 API calls 64072->64073 64074 45950f 64073->64074 64126 40b2ec 64075->64126 64079 41b0c6 64078->64079 64080 41b0db RtlInitializeCriticalSection 64079->64080 64081 41b0f0 64080->64081 
64081->64058 64083 458fb4 SetErrorMode 64082->64083 64084 45910d 64082->64084 64085 458ff4 64083->64085 64086 458fd8 GetModuleHandleA GetProcAddress 64083->64086 64084->64060 64087 459001 LoadLibraryA 64085->64087 64088 4590ef SetErrorMode 64085->64088 64086->64085 64087->64088 64089 45901d 10 API calls 64087->64089 64088->64060 64089->64088 64091 458d52 64090->64091 64143 458f3c 64091->64143 64093 458dc0 64093->64062 64095 4678d2 64094->64095 64156 4221d4 64095->64156 64097 4678e8 64160 467c84 LoadCursorA 64097->64160 64100 467921 64101 46795d GetDC GetDeviceCaps ReleaseDC 64100->64101 64102 467993 64101->64102 64164 429fc4 64102->64164 64104 46799f 64105 429fc4 13 API calls 64104->64105 64106 4679b1 64105->64106 64107 429fc4 13 API calls 64106->64107 64108 4679c3 64107->64108 64168 4680fc 64108->64168 64110 4679d0 64110->64064 64112 468b57 64111->64112 64113 4221d4 42 API calls 64112->64113 64114 468b6d 64113->64114 64115 468c2a LoadIconA 64114->64115 64227 431c3c 64115->64227 64117 468c4d GetModuleFileNameA OemToCharA 64118 468c96 64117->64118 64119 468cbc CharNextA CharLowerA 64118->64119 64120 468ce4 64119->64120 64234 423350 GetClassInfoA 64120->64234 64123 468d0d 64123->64066 64125->64068 64128 40b312 64126->64128 64127 40b345 64130 40b3af 64127->64130 64137 40b362 64127->64137 64128->64127 64139 40ab4c 42 API calls 64128->64139 64131 404dc0 11 API calls 64130->64131 64132 40b2cf 64131->64132 64132->64047 64133 40b3a3 64142 4053f0 11 API calls 64133->64142 64135 404cd0 11 API calls 64135->64137 64137->64133 64137->64135 64140 4053f0 11 API calls 64137->64140 64141 40ab4c 42 API calls 64137->64141 64139->64127 64140->64137 64141->64137 64142->64132 64144 458f44 64143->64144 64146 458f4b 64143->64146 64145 458f49 64144->64145 64149 458f87 SendMessageA 64144->64149 64150 458f76 SystemParametersInfoA 64144->64150 64145->64093 64147 458f61 64146->64147 64148 458f58 64146->64148 64155 458e9c SystemParametersInfoA 64147->64155 64154 458ecc 6 API calls 64148->64154 
64149->64145 64150->64145 64153 458f68 64153->64093 64154->64145 64155->64153 64157 4221db 64156->64157 64159 422200 64157->64159 64186 422390 42 API calls 64157->64186 64159->64097 64161 467ca3 64160->64161 64162 467cbc LoadCursorA 64161->64162 64163 46790b GetKeyboardLayout 64161->64163 64162->64161 64163->64100 64165 429fca 64164->64165 64187 4294d0 64165->64187 64167 429fec 64167->64104 64169 468115 64168->64169 64170 468147 SystemParametersInfoA 64169->64170 64171 468172 GetStockObject 64170->64171 64172 46815a CreateFontIndirectA 64170->64172 64173 42a414 16 API calls 64171->64173 64197 42a414 64172->64197 64176 468186 SystemParametersInfoA 64173->64176 64177 4681a6 CreateFontIndirectA 64176->64177 64178 4681da 64176->64178 64179 42a414 16 API calls 64177->64179 64202 42a500 16 API calls 64178->64202 64181 4681bf CreateFontIndirectA 64179->64181 64183 42a414 16 API calls 64181->64183 64182 4681ea GetStockObject 64184 42a414 16 API calls 64182->64184 64185 4681d8 64183->64185 64184->64185 64185->64110 64186->64159 64188 4294eb 64187->64188 64195 4294b8 RtlEnterCriticalSection 64188->64195 64190 4294f5 64192 402f78 11 API calls 64190->64192 64194 429552 64190->64194 64192->64194 64193 4295a3 64193->64167 64196 4294c4 RtlLeaveCriticalSection 64194->64196 64195->64190 64196->64193 64203 429f04 GetObjectA 64197->64203 64199 42a426 64204 42a148 64199->64204 64202->64182 64203->64199 64211 429d10 64204->64211 64210 42a18c 64210->64176 64212 429d17 RtlEnterCriticalSection 64211->64212 64213 429d1d 64211->64213 64212->64213 64214 429678 64213->64214 64224 4294b8 RtlEnterCriticalSection 64214->64224 64216 429691 64217 4294d0 13 API calls 64216->64217 64218 4296ad 64217->64218 64225 4295b4 RtlEnterCriticalSection RtlLeaveCriticalSection 64218->64225 64220 4296cb 64226 4294c4 RtlLeaveCriticalSection 64220->64226 64222 4296e0 64223 429d20 RtlLeaveCriticalSection 64222->64223 64223->64210 64224->64216 64225->64220 64226->64222 64228 431c54 64227->64228 64229 431cc0 
64228->64229 64230 431c58 GetIconInfo 64228->64230 64229->64117 64230->64229 64231 431c66 GetObjectA 64230->64231 64232 431c87 64231->64232 64233 431c99 DeleteObject DeleteObject 64231->64233 64232->64233 64233->64117 64235 423380 64234->64235 64236 42338e UnregisterClassA 64235->64236 64237 42339f RegisterClassA 64235->64237 64238 4233a9 64235->64238 64236->64237 64237->64238 64266 408058 64238->64266 64240 4233d7 64241 4233f4 64240->64241 64270 423294 64240->64270 64241->64123 64244 468e9c 64241->64244 64243 4233eb SetWindowLongA 64243->64241 64245 468ec5 64244->64245 64246 46901f 64244->64246 64245->64246 64249 423294 VirtualAlloc 64245->64249 64247 404cd0 11 API calls 64246->64247 64248 469034 64247->64248 64248->64123 64250 468ede GetClassInfoA 64249->64250 64251 468f04 RegisterClassA 64250->64251 64256 468f39 64250->64256 64252 468f1d 64251->64252 64251->64256 64253 40708c 42 API calls 64252->64253 64254 468f2a 64253->64254 64273 40e504 11 API calls 64254->64273 64257 408058 CreateWindowExA 64256->64257 64258 468f93 SetWindowLongA 64257->64258 64259 468fb6 64258->64259 64260 468fe1 GetSystemMenu DeleteMenu DeleteMenu 64258->64260 64262 469d98 51 API calls 64259->64262 64260->64246 64261 469012 DeleteMenu 64260->64261 64261->64246 64263 468fbd SendMessageA 64262->64263 64264 469d98 51 API calls 64263->64264 64265 468fd5 SetClassLongA 64264->64265 64265->64260 64267 403424 64266->64267 64268 40806b CreateWindowExA 64267->64268 64269 4080a5 64268->64269 64269->64240 64271 4232a4 VirtualAlloc 64270->64271 64272 4232d2 64270->64272 64271->64272 64272->64243 64273->64256 64274 42a05c 64275 42a077 64274->64275 64276 42a11e 64275->64276 64277 42a07f 64275->64277 64302 41b450 42 API calls 64276->64302 64279 429d10 RtlEnterCriticalSection 64277->64279 64281 42a087 64279->64281 64280 42a129 64282 429d10 RtlEnterCriticalSection 64281->64282 64283 42a09f 64282->64283 64292 4296f4 64283->64292 64285 42a0bd 64286 42a0e4 64285->64286 64299 42a4e4 MulDiv 64285->64299 64301 
429d20 RtlLeaveCriticalSection 64286->64301 64289 42a0da 64300 42a500 16 API calls 64289->64300 64290 42a0f9 64303 4294b8 RtlEnterCriticalSection 64292->64303 64294 42973a 64305 4294c4 RtlLeaveCriticalSection 64294->64305 64296 42970a 64296->64294 64304 4295b4 RtlEnterCriticalSection RtlLeaveCriticalSection 64296->64304 64297 42974f 64297->64285 64299->64289 64300->64286 64301->64290 64302->64280 64303->64296 64304->64294 64305->64297 64306 4ac8d4 64307 4ac8fc 64306->64307 64308 4ac92d VirtualAlloc 64307->64308 64326 4aca29 64307->64326 64309 4ac94d VirtualAlloc 64308->64309 64310 4ac964 64308->64310 64309->64310 64311 4ac96c GetProcessHeap RtlAllocateHeap VirtualAlloc VirtualAlloc 64310->64311 64310->64326 64312 4ac9d7 64311->64312 64327 4ac4f0 64312->64327 64314 4ac9f7 64332 4ac650 64314->64332 64317 4aca1a 64317->64326 64345 4acbf8 FreeLibrary VirtualFree GetProcessHeap HeapFree 64317->64345 64318 4aca2b 64341 4ac83c 64318->64341 64322 4aca4a 64322->64326 64346 4acbf8 FreeLibrary VirtualFree GetProcessHeap HeapFree 64322->64346 64323 4aca5b 64323->64326 64347 4acbf8 FreeLibrary VirtualFree GetProcessHeap HeapFree 64323->64347 64331 4ac50a 64327->64331 64328 4ac58c 64328->64314 64329 4ac55a VirtualAlloc 64329->64331 64330 4ac52d VirtualAlloc 64330->64331 64331->64328 64331->64329 64331->64330 64335 4ac671 64332->64335 64333 4ac7b5 64333->64317 64333->64318 64334 4ac799 IsBadReadPtr 64334->64333 64334->64335 64335->64333 64335->64334 64336 4ac688 LoadLibraryA 64335->64336 64337 4ac6a0 64336->64337 64338 4ac6a9 64336->64338 64337->64333 64338->64334 64338->64337 64339 4ac76d GetProcAddress 64338->64339 64340 4ac747 GetProcAddress 64338->64340 64339->64338 64340->64338 64343 4ac84e 64341->64343 64342 4ac8c9 64342->64322 64342->64323 64342->64326 64343->64342 64344 4ac8ad VirtualProtect 64343->64344 64344->64342 64344->64343 64345->64326 64346->64326 64347->64326 64348 41069f 64349 410690 SetErrorMode 64348->64349 64350 431e1c MulDiv 64351 431e58 64350->64351 64354 
431e6e 64350->64354 64398 431dd8 GetDC SelectObject GetTextMetricsA ReleaseDC 64351->64398 64353 431e5d 64353->64354 64355 404d68 11 API calls 64353->64355 64362 427c5c 64354->64362 64355->64354 64358 431ec1 64360 431eb9 64392 427aa0 64360->64392 64363 404d68 11 API calls 64362->64363 64364 427c86 64363->64364 64366 427ca6 64364->64366 64399 405208 11 API calls 64364->64399 64367 427cd4 RegOpenKeyExA 64366->64367 64368 427ce6 64367->64368 64370 427d24 64367->64370 64374 427d12 64368->64374 64400 405064 11 API calls 64368->64400 64371 427d44 RegOpenKeyExA 64370->64371 64372 427d56 64371->64372 64377 427d91 64371->64377 64372->64374 64401 405064 11 API calls 64372->64401 64373 404cd0 11 API calls 64375 427e0c 64373->64375 64374->64373 64375->64358 64381 427ed4 64375->64381 64378 427daf RegOpenKeyExA 64377->64378 64378->64374 64379 427dc1 64378->64379 64379->64374 64402 405064 11 API calls 64379->64402 64382 427ee8 64381->64382 64383 427eee 64382->64383 64384 427f3d 64382->64384 64385 404dc0 11 API calls 64383->64385 64386 404cd0 11 API calls 64384->64386 64387 427ef9 64385->64387 64389 427f32 64386->64389 64403 427fb4 64387->64403 64389->64360 64390 427f11 64390->64389 64409 4053f0 11 API calls 64390->64409 64393 427aaa 64392->64393 64394 427acc 64392->64394 64395 427ab0 RegFlushKey 64393->64395 64396 427ab6 RegCloseKey 64393->64396 64394->64358 64395->64396 64397 404cd0 11 API calls 64396->64397 64397->64394 64398->64353 64399->64366 64404 405160 64403->64404 64405 427fda RegQueryValueExA 64404->64405 64406 427fe8 64405->64406 64407 428007 64405->64407 64410 40e5fc 42 API calls 64406->64410 64407->64390 64409->64389 64410->64407 64411 45f464 64412 45f473 IsWindowVisible 64411->64412 64413 45f4a9 64411->64413 64412->64413 64414 45f47d IsWindowEnabled 64412->64414 64414->64413 64415 45f487 64414->64415 64416 402f78 11 API calls 64415->64416 64417 45f491 EnableWindow 64416->64417 64417->64413 64418 402624 64419 40266a 64418->64419 64422 40262d 64418->64422 64420 402673 
VirtualAlloc 64419->64420 64421 40268b 64419->64421 64420->64421 64422->64419 64423 402638 Sleep 64422->64423 64424 40264d 64423->64424 64424->64419 64425 402651 Sleep 64424->64425 64425->64422 64426 41dea4 64427 41dead 64426->64427 64430 41dee8 64427->64430 64429 41dec9 64431 41df03 64430->64431 64432 41dfa8 64431->64432 64433 41df2a 64431->64433 64454 40a10c 64432->64454 64435 41df43 CreateFileA 64433->64435 64436 41df54 64435->64436 64452 41e006 64436->64452 64458 40a658 12 API calls 64436->64458 64437 41dfb2 64437->64452 64461 40a658 12 API calls 64437->64461 64439 404d24 11 API calls 64443 41e015 64439->64443 64441 41dfcd GetLastError 64462 40db74 12 API calls 64441->64462 64442 41df68 GetLastError 64459 40db74 12 API calls 64442->64459 64446 404cf4 11 API calls 64443->64446 64449 41e02f 64446->64449 64447 41dfe4 64463 40e5fc 42 API calls 64447->64463 64448 41df7f 64460 40e5fc 42 API calls 64448->64460 64449->64429 64452->64439 64453 41dfa1 64453->64452 64455 40a120 64454->64455 64456 40a15f 64454->64456 64455->64456 64457 40a159 CreateFileA 64455->64457 64456->64437 64457->64456 64458->64442 64459->64448 64460->64453 64461->64441 64462->64447 64463->64452 64464 470f20 64506 44fd34 64464->64506 64466 470f3b 64467 429ccc GetSysColor 64466->64467 64468 470f50 SendMessageA 64467->64468 64469 470f68 64468->64469 64470 429ccc GetSysColor 64469->64470 64471 470f78 SendMessageA 64470->64471 64472 4710e3 64471->64472 64473 470f98 64471->64473 64480 4710fb 64472->64480 64541 471a14 SendMessageA SendMessageA 64472->64541 64531 470680 SendMessageA 64473->64531 64475 470fa6 64532 470954 54 API calls 64475->64532 64478 470fcb 64533 470ab4 46 API calls 64478->64533 64482 47112d 64480->64482 64542 45aad0 43 API calls 64480->64542 64488 471162 64482->64488 64544 45aad0 43 API calls 64482->64544 64483 470fe2 64534 470560 44 API calls 64483->64534 64484 471121 64543 472c28 SendMessageA 64484->64543 64487 471153 64545 472c28 SendMessageA 64487->64545 64491 471006 64535 471ad0 
SendMessageA 64491->64535 64493 471010 64494 471092 64493->64494 64503 471028 64493->64503 64538 470560 44 API calls 64494->64538 64496 4710a9 64539 471b68 SendMessageA SendMessageA 64496->64539 64497 41aaa4 42 API calls 64497->64503 64499 471090 64540 4706cc SendMessageA 64499->64540 64502 4710db 64503->64497 64504 471067 64503->64504 64536 470560 44 API calls 64503->64536 64537 471b68 SendMessageA SendMessageA 64504->64537 64513 44fd67 64506->64513 64507 44fde0 GetClassInfoA 64508 44fe07 64507->64508 64509 44fe40 64508->64509 64510 44fe25 RegisterClassA 64508->64510 64511 44fe18 UnregisterClassA 64508->64511 64546 44ff04 64509->64546 64510->64509 64511->64510 64512 40708c 42 API calls 64515 44fdc9 64512->64515 64513->64507 64513->64512 64518 44fd94 64513->64518 64514 44fe5b 64516 44fe69 GetWindowLongA 64514->64516 64553 40e540 42 API calls 64515->64553 64519 44fe7e GetWindowLongA 64516->64519 64520 44fe9f 64516->64520 64518->64507 64519->64520 64521 44fe90 SetWindowLongA 64519->64521 64549 40aa94 64520->64549 64521->64520 64523 44fea7 64524 42a1d8 19 API calls 64523->64524 64525 44febd 64524->64525 64526 44cd50 177 API calls 64525->64526 64527 44fecb 64526->64527 64528 404cd0 11 API calls 64527->64528 64529 44fef4 64528->64529 64529->64466 64531->64475 64532->64478 64533->64483 64534->64491 64535->64493 64536->64503 64537->64499 64538->64496 64539->64499 64540->64502 64541->64480 64542->64484 64543->64482 64544->64487 64545->64488 64547 408058 CreateWindowExA 64546->64547 64548 44ff39 64547->64548 64548->64514 64550 40aaa2 64549->64550 64551 40aa98 64549->64551 64550->64523 64552 402f94 11 API calls 64551->64552 64552->64550 64553->64518 64554 401a68 64555 401a80 64554->64555 64556 401cc8 64554->64556 64565 401a92 64555->64565 64568 401b1d Sleep 64555->64568 64557 401de0 64556->64557 64558 401c8c 64556->64558 64559 401814 VirtualAlloc 64557->64559 64560 401de9 64557->64560 64567 401ca6 Sleep 64558->64567 64570 401ce6 64558->64570 64562 40184f 64559->64562 64563 
40183f 64559->64563 64561 401aa1 64578 4017cc 64563->64578 64564 401b80 64575 401754 VirtualAlloc 64564->64575 64577 401b8c 64564->64577 64565->64561 64565->64564 64573 401b61 Sleep 64565->64573 64567->64570 64571 401cbc Sleep 64567->64571 64568->64565 64572 401b33 Sleep 64568->64572 64569 401d04 64570->64569 64574 401754 VirtualAlloc 64570->64574 64571->64558 64572->64555 64573->64564 64576 401b77 Sleep 64573->64576 64574->64569 64575->64577 64576->64565 64579 401812 64578->64579 64580 4017d5 64578->64580 64579->64562 64580->64579 64581 4017e0 Sleep 64580->64581 64582 4017f5 64581->64582 64582->64579 64583 4017f9 Sleep 64582->64583 64583->64580 64584 44f8ac 64585 44f8c3 64584->64585 64586 44cd50 177 API calls 64585->64586 64587 44f8dc 64586->64587 64588 44cd50 177 API calls 64587->64588 64589 44f8ee 64588->64589 64590 44f969 64589->64590 64592 44cd50 177 API calls 64589->64592 64591 44cd50 177 API calls 64590->64591 64593 44f999 64591->64593 64594 44f911 64592->64594 64595 44cd50 177 API calls 64594->64595 64596 44f921 64595->64596 64597 44cd50 177 API calls 64596->64597 64598 44f931 64597->64598 64599 44cd50 177 API calls 64598->64599 64600 44f941 64599->64600 64600->64590 64601 44cd50 177 API calls 64600->64601 64602 44f962 64601->64602 64604 450604 64602->64604 64605 450618 64604->64605 64607 4506c3 64605->64607 64608 450627 64605->64608 64606 4506ee 64606->64590 64607->64606 64612 450494 64607->64612 64608->64606 64609 44cd50 177 API calls 64608->64609 64611 450687 64609->64611 64611->64590 64618 4504a9 64612->64618 64613 45053f 64614 4505fb 64613->64614 64615 44cd50 177 API calls 64613->64615 64614->64606 64616 4505ab 64615->64616 64616->64606 64617 41aaa4 42 API calls 64617->64618 64618->64613 64618->64617 64619 450494 177 API calls 64618->64619 64619->64618 64620 4360a8 64621 4360dd 64620->64621 64623 436112 64621->64623 64652 404d24 11 API calls 64621->64652 64624 436298 64623->64624 64625 404d68 11 API calls 64623->64625 64626 4362a8 OffsetRect 
64624->64626 64629 43634f 64624->64629 64641 43616f 64625->64641 64630 4362cb 64626->64630 64627 436287 64627->64624 64628 404d68 11 API calls 64627->64628 64628->64624 64643 435ff0 64629->64643 64633 435ff0 48 API calls 64630->64633 64632 43634c 64635 404cf4 11 API calls 64632->64635 64634 4362fb OffsetRect 64633->64634 64638 43631f 64634->64638 64636 436398 64635->64636 64637 4361fa DrawTextA 64637->64641 64639 435ff0 48 API calls 64638->64639 64639->64632 64641->64627 64641->64637 64642 404fe8 11 API calls 64641->64642 64653 4051c8 64641->64653 64642->64641 64650 436003 64643->64650 64644 436060 64645 436085 64644->64645 64646 43606e 64644->64646 64649 436098 DrawTextA 64645->64649 64661 435ef8 SysFreeString GetSysColor GetProcAddress 64646->64661 64648 436082 64648->64632 64649->64648 64650->64644 64660 46c2b0 44 API calls 64650->64660 64652->64623 64654 4051fa 64653->64654 64655 4051cd 64653->64655 64656 404cd0 11 API calls 64654->64656 64655->64654 64657 4051e1 64655->64657 64659 4051f0 64656->64659 64658 404dc0 11 API calls 64657->64658 64658->64659 64659->64641 64660->64644 64661->64648 64662 4b4160 64663 4b418e 64662->64663 64664 4b43cc 64662->64664 64663->64664 64673 4b41a1 64663->64673 64687 4054b0 64664->64687 64667 404cd0 11 API calls 64668 4b43e9 64667->64668 64669 4054b0 SysFreeString 64668->64669 64670 4b43f1 64669->64670 64671 4b43af 64673->64671 64679 48090c 64673->64679 64676 4b429b 64686 4807c4 SysFreeString SysFreeString SysAllocStringLen 64676->64686 64678 4b437a 64680 480917 64679->64680 64690 405908 64680->64690 64682 480931 64683 4054b0 SysFreeString 64682->64683 64684 48097a 64683->64684 64685 42a4e4 MulDiv 64684->64685 64685->64676 64686->64678 64688 4054c4 64687->64688 64689 4054b6 SysFreeString 64687->64689 64688->64667 64689->64688 64691 405924 64690->64691 64692 40590e SysAllocStringLen 64690->64692 64691->64682 64692->64691 64693 405480 64692->64693 64694 4054c4 64693->64694 64695 4054b6 SysFreeString 64693->64695 64694->64682 
64695->64694 64696 44b0e8 KiUserCallbackDispatcher 64697 44b10e 64696->64697 64698 401dec 64699 401e01 64698->64699 64700 401ee4 64698->64700 64702 401e07 64699->64702 64704 401e7e Sleep 64699->64704 64701 401878 64700->64701 64700->64702 64703 401fde 64701->64703 64705 4017cc 2 API calls 64701->64705 64706 401e10 64702->64706 64708 401ec2 Sleep 64702->64708 64715 401ef9 64702->64715 64704->64702 64707 401e98 Sleep 64704->64707 64709 401889 64705->64709 64707->64699 64710 401ed8 Sleep 64708->64710 64708->64715 64711 4018b9 64709->64711 64712 40189f VirtualFree 64709->64712 64710->64702 64713 4018b0 64711->64713 64714 4018c2 VirtualQuery VirtualFree 64711->64714 64712->64713 64714->64711 64714->64713 64716 401f78 VirtualFree 64715->64716 64717 401f1c 64715->64717 64718 4ac264 64725 4280d0 64718->64725 64720 4ac295 64729 428164 64720->64729 64722 4ac2be 64743 4095bc 11 API calls 64722->64743 64724 4ac2c9 64726 4280d6 64725->64726 64744 42810c 64726->64744 64728 4280f0 64728->64720 64766 428038 64729->64766 64732 428189 64774 428028 64732->64774 64733 42821d 64734 404d24 11 API calls 64733->64734 64735 428227 64734->64735 64735->64722 64738 4281c7 64740 427ed4 43 API calls 64738->64740 64739 4281d5 64741 404d24 11 API calls 64739->64741 64742 4281d3 64740->64742 64741->64742 64742->64722 64743->64724 64745 428116 64744->64745 64746 404d24 11 API calls 64745->64746 64747 42813a 64746->64747 64750 427b38 64747->64750 64749 428145 64749->64728 64751 404d68 11 API calls 64750->64751 64752 427b64 64751->64752 64754 427b84 64752->64754 64764 405208 11 API calls 64752->64764 64755 427b95 64754->64755 64756 427bbf 64754->64756 64757 427bb1 RegOpenKeyExA 64755->64757 64759 427be5 RegCreateKeyExA 64756->64759 64758 427bf1 64757->64758 64760 427c1a 64758->64760 64765 405064 11 API calls 64758->64765 64759->64758 64761 404cd0 11 API calls 64760->64761 64763 427c3c 64761->64763 64763->64749 64764->64754 64767 404d68 11 API calls 64766->64767 64768 428061 64767->64768 64770 428081 
64768->64770 64777 405208 11 API calls 64768->64777 64771 4280a2 RegOpenKeyExA 64770->64771 64772 404cd0 11 API calls 64771->64772 64773 4280bd 64772->64773 64773->64732 64773->64733 64778 427e2c 64774->64778 64776 428032 64776->64738 64776->64739 64777->64770 64779 427e45 64778->64779 64780 427e59 RegQueryValueExA 64779->64780 64781 427e70 64780->64781 64781->64776 64782 448374 IsWindowUnicode 64783 448397 SetWindowLongW GetWindowLongW 64782->64783 64784 4483e0 SetWindowLongA GetWindowLongA 64782->64784 64785 448427 SetPropA SetPropA 64783->64785 64786 4483c0 GetWindowLongW 64783->64786 64784->64785 64787 448409 GetWindowLongA 64784->64787 64792 42326c 64785->64792 64786->64785 64788 4483cf SetWindowLongW 64786->64788 64787->64785 64789 448418 SetWindowLongA 64787->64789 64788->64785 64789->64785 64797 4507dc 64792->64797 64805 4696d8 64792->64805 64896 46911c 64792->64896 64793 423282 64803 450be4 177 API calls 64797->64803 64804 462170 177 API calls 64797->64804 64798 45080b 64904 44a150 50 API calls 64798->64904 64800 45081d 64905 42ee2c 52 API calls 64800->64905 64802 450822 64802->64793 64803->64798 64804->64798 64806 469740 64805->64806 64812 46970e 64805->64812 64906 469568 64806->64906 64809 41aaa4 42 API calls 64809->64812 64810 469802 64813 469858 64810->64813 64814 469809 64810->64814 64811 46975b 64815 469761 64811->64815 64816 469c9d 64811->64816 64812->64806 64812->64809 64880 46972f 64812->64880 64819 4697e6 64813->64819 64821 469cb7 64813->64821 64822 469865 64813->64822 64817 469b14 64814->64817 64818 46980f 64814->64818 64815->64819 64825 4697c5 64815->64825 64826 4697eb 64815->64826 64815->64880 64934 46ab8c PostMessageA 64816->64934 64871 469b3a IsWindowEnabled 64817->64871 64817->64880 64823 469816 64818->64823 64824 46983f 64818->64824 64819->64880 64926 469650 NtdllDefWindowProc_A 64819->64926 64829 469cc0 64821->64829 64830 469cd8 64821->64830 64827 469870 64822->64827 64828 469c5f 64822->64828 64834 46981c 64823->64834 64878 469bad 

                Control-flow Graph

                APIs
                • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00406784
                • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004067A2
                • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004067C0
                • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 004067DE
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,0040686D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406827
                • RegQueryValueExA.ADVAPI32(?,004069D4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,0040686D,?,80000001), ref: 00406845
                • RegCloseKey.ADVAPI32(?,00406874,00000000,00000000,00000005,00000000,0040686D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406867
                • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406884
                • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406891
                • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406897
                • lstrlen.KERNEL32(00000000), ref: 004068C2
                • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406909
                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406919
                • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406941
                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406951
                • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406977
                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406987
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                • API String ID: 1759228003-3917250287
                • Opcode ID: c09340b128d35b28bf5c35f959529f5a9a74781a2b941973ba84d0d43ccb1668
                • Instruction ID: 31b4a42ee0f970866b6571c146a715502fc94fe72828d392b164f3dbe00c74aa
                • Opcode Fuzzy Hash: c09340b128d35b28bf5c35f959529f5a9a74781a2b941973ba84d0d43ccb1668
                • Instruction Fuzzy Hash: 98518171A4031C7EFB21D6A48C46FEFB7AC9B04744F4100B7BA05F65C1EA789E548BA8

                Control-flow Graph

                [Control-flow graph of the function starting at 4b24f8: basic-block edge list and Executed / Not Executed colouring omitted]
                APIs
                • InflateRect.USER32(?,000000FF,000000FF), ref: 004B26DA
                • Sleep.KERNEL32(0000000A), ref: 004B264B
                  • Part of subcall function 0042B140: FillRect.USER32(?,00000000,00000000), ref: 0042B169
                  • Part of subcall function 0042B17C: FrameRect.USER32(?,?,00000000), ref: 0042B1A5
                • InflateRect.USER32(?,00000002,00000002), ref: 004B27B4
                • InflateRect.USER32(?,00000002,00000002), ref: 004B27E1
                Similarity
                • API ID: Rect$Inflate$FillFrameSleep
                • String ID:
                • API String ID: 1234504313-0
                • Opcode ID: 4fb71bfc2203d2f6c9d41450e4be53ece1427cf94922f41340ef8833d70813af
                • Instruction ID: 09ec3c52cdd9c88c08e73a180359e61ae679bf03ccb2a0247f39fefa8b087d2d
                • Opcode Fuzzy Hash: 4fb71bfc2203d2f6c9d41450e4be53ece1427cf94922f41340ef8833d70813af
                • Instruction Fuzzy Hash: CB620934A04108DFCB00DF69C988EAEB7F5BF49304F1445A6E805AB362CB78ED45DB69

                Control-flow Graph

                [Control-flow graph of the function starting at 462170: basic-block edge list and Executed / Not Executed colouring omitted]
                APIs
                Strings
                Similarity
                • API ID: RestoreSave$FocusWindow
                • String ID: [D
                • API String ID: 1553564791-3436156298
                • Opcode ID: 1deef9302d920acaf592f7a10d6cd0e817aec189dd5c4eea970a48d181fe22b5
                • Instruction ID: f9a4282e0908100019b3de3c90649775a6ecf955a6be879d74690d65b976a715
                • Opcode Fuzzy Hash: 1deef9302d920acaf592f7a10d6cd0e817aec189dd5c4eea970a48d181fe22b5
                • Instruction Fuzzy Hash: 72D1B630A00904EFCB20DF69C695A6E77F1EB45304F5540A6F804EB366EB78EE41DB5A

                Control-flow Graph

                [Control-flow graph of the function starting at 4ac8d4: basic-block edge list and Executed / Not Executed colouring omitted]
                APIs
                • VirtualAlloc.KERNEL32(?,?,00002000,00000040), ref: 004AC942
                • VirtualAlloc.KERNEL32(00000000,?,00002000,00000040,?,?,00002000,00000040), ref: 004AC95D
                  • Part of subcall function 004ACBF8: FreeLibrary.KERNEL32(?,?,?,00000000,?,00000000), ref: 004ACC59
                  • Part of subcall function 004ACBF8: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000), ref: 004ACC82
                  • Part of subcall function 004ACBF8: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000), ref: 004ACC8C
                  • Part of subcall function 004ACBF8: HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,?,00000000), ref: 004ACC92
                • GetProcessHeap.KERNEL32(00000000,00000011,?,?,00002000,00000040), ref: 004AC970
                • RtlAllocateHeap.NTDLL(00000000,00000000,00000011), ref: 004AC976
                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,00000000,00000000,00000011,?,?,00002000,00000040), ref: 004AC9AA
                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,00000000,?,00001000,00000040,00000000,00000000,00000011,?,?,00002000,00000040), ref: 004AC9BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Virtual$AllocHeap$Free$Process$AllocateLibrary
                • String ID: MZ$PE
                • API String ID: 3858850678-1102611028
                • Opcode ID: d54918d1b25df5398b27543a05d4d6839911f9e5556df68e522f9b107ba5a520
                • Instruction ID: 9d77758b92b76a836bbd295bc7307f41679d20c6918e8a2fb82168533fe12fe8
                • Opcode Fuzzy Hash: d54918d1b25df5398b27543a05d4d6839911f9e5556df68e522f9b107ba5a520
                • Instruction Fuzzy Hash: 16510471E00208AFDB50DBA9C8C1FAEB7F9AF59304F0440A6E605F7391D679ED818B59
                APIs
                • GetWindowLongA.USER32(?,000000EC), ref: 0045F376
                • IsIconic.USER32(?), ref: 0045F3A4
                • IsWindowVisible.USER32(?), ref: 0045F3B4
                • ShowWindow.USER32(?,00000000,?,?,?,000000EC,00000001,?,?,00000000,004695D0,?,?,?,0046974B,00000000), ref: 0045F3D1
                • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0045F3E4
                • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0045F3F5
                • ShowWindow.USER32(?,00000006,?,000000EC,00000000,?,?,?,000000EC,00000001,?,?,00000000,004695D0), ref: 0045F415
                • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,?,?,000000EC,00000001,?,?,00000000,004695D0), ref: 0045F41F
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$LongShow$IconicVisible
                • String ID:
                • API String ID: 3484284227-0
                • Opcode ID: 77360bdc481944338770c7e511fdae7735d5fdef6b2e28d070cedf98d848fb8a
                • Instruction ID: 5b36a49d70424e8b2ebfbffc22a60a7dcad5f8fe14c47b6e1da7a6b29b9c2553
                • Opcode Fuzzy Hash: 77360bdc481944338770c7e511fdae7735d5fdef6b2e28d070cedf98d848fb8a
                • Instruction Fuzzy Hash: 9C11B60154D69035E62272261C02FAF19D98F9335AF18853BF9D4E12D3C12C594D922F
                APIs
                • CoGetClassObject.COMBASE(?,00000005,00000000,004780F0,00000000), ref: 0047801B
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                • CoCreateInstance.COMBASE(?,00000000,00000005,00478100,00000000), ref: 004780AB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ClassCreateInstanceLoadObjectString
                • String ID: 0nG$8nG
                • API String ID: 3309443712-4224486916
                • Opcode ID: 8b5aee6b04a7a5909d54f2cc62322999e7df42ef42654fde9b309b566d380289
                • Instruction ID: 7fafe58bd72f42fc7cc46ced60253dcf116e24ba8bff02fa3acfeb39d05e525b
                • Opcode Fuzzy Hash: 8b5aee6b04a7a5909d54f2cc62322999e7df42ef42654fde9b309b566d380289
                • Instruction Fuzzy Hash: A3314671644108AFD700EB95CD86F9E73F8EF44704F61847AF504E7291DB78AE059B68
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Capture
                • String ID:
                • API String ID: 1145282425-0
                • Opcode ID: 0844202f115b90b6f5dc74323ee413e8db8b75227dd1e8629873d917a2db8013
                • Instruction ID: ceb0886a14cee24358faae2bd5154e983e5d533ce7925031c7e2e4ed32ba7d3f
                • Opcode Fuzzy Hash: 0844202f115b90b6f5dc74323ee413e8db8b75227dd1e8629873d917a2db8013
                • Instruction Fuzzy Hash: F2E16534A00244EFDB10DF59C585BAEB7F5BF04715F2441A6E801AB7A3C779AE89DB08
                APIs
                • FindFirstFileA.KERNEL32(00000000,?,?,?,?,0050C7C4), ref: 0040A4A7
                • GetLastError.KERNEL32(00000000,?,?,?,?,0050C7C4), ref: 0040A4CC
                  • Part of subcall function 0040A408: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A438
                  • Part of subcall function 0040A408: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A447
                  • Part of subcall function 0040A500: FindClose.KERNEL32(?,?,0040A4CA,00000000,?,?,?,?,0050C7C4), ref: 0040A50C
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
                • String ID:
                • API String ID: 976985129-0
                • Opcode ID: 58b86a9969b8978c7e632020d003c5f579156ddd4af604b2261502d79d2efd57
                • Instruction ID: b2bcdd9dbcce2655ad94d43192dd6cc216bbaff1b33cacab1b74a73dd55f3823
                • Opcode Fuzzy Hash: 58b86a9969b8978c7e632020d003c5f579156ddd4af604b2261502d79d2efd57
                • Instruction Fuzzy Hash: 1FE0ED7AB0022017C3106E7E1C85A9F61889A8836434902BBF808FB3C3D67CDC2203EA
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7ef57aee2ba52993add462926815641d28b53047036e0bd39df74ab27ef02788
                • Instruction ID: 77f7b116e8e10351c5ce93b8a2a4dd6e1ea627483d01e97a7598b4656fe13c93
                • Opcode Fuzzy Hash: 7ef57aee2ba52993add462926815641d28b53047036e0bd39df74ab27ef02788
                • Instruction Fuzzy Hash: 3B71B434A00641CFE715DF2DC4847AAB7E1AF05708F18806BE845D73A6DB789D8ACB4A
                APIs
                • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 0041A3E2
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: FindResource
                • String ID:
                • API String ID: 1635176832-0
                • Opcode ID: 73e183580f29296243a8b15ebbfb83a8efd28d0c91bdaadd1d06b874fb7c29a1
                • Instruction ID: 140fb8096bcb8ca8922b2b9bfa99df77c90bf8305ece2e0d4e84c00b0f9804e4
                • Opcode Fuzzy Hash: 73e183580f29296243a8b15ebbfb83a8efd28d0c91bdaadd1d06b874fb7c29a1
                • Instruction Fuzzy Hash: 7901F771305304ABD301DF26EC82DAAB7EDDF89718751407AF500D7391DA79AC019618
                APIs
                • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0046967A
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: NtdllProc_Window
                • String ID:
                • API String ID: 4255912815-0
                • Opcode ID: 6f48085ff0a987fb09e9973f827258209665088b229d74b906421c4944275dd1
                • Instruction ID: a90c6cb6860682b33c480c8b5c8615a52a72a056329461d2c508c2213fed9954
                • Opcode Fuzzy Hash: 6f48085ff0a987fb09e9973f827258209665088b229d74b906421c4944275dd1
                • Instruction Fuzzy Hash: 77F0C579605608AFCB40DF9DC588D4AFBE8BB4C2A4B458595B988CB325C234FD808F90

                Control-flow Graph

                APIs
                • GetWindowDC.USER32(00000000), ref: 00454B18
                • GetClientRect.USER32(00000000,?), ref: 00454B3B
                • GetWindowRect.USER32(00000000,?), ref: 00454B4D
                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00454B63
                • OffsetRect.USER32(?,?,?), ref: 00454B78
                • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,00454D97), ref: 00454B91
                • InflateRect.USER32(?,00000000,00000000), ref: 00454BAF
                • GetWindowLongA.USER32(00000000,000000F0), ref: 00454BC9
                • DrawEdge.USER32(?,?,?,00000008), ref: 00454CC8
                • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00454CE1
                • OffsetRect.USER32(?,?,?), ref: 00454D0B
                • GetRgnBox.GDI32(?,?), ref: 00454D1A
                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00454D30
                • IntersectRect.USER32(?,?,?), ref: 00454D41
                • OffsetRect.USER32(?,?,?), ref: 00454D56
                • FillRect.USER32(?,?,00000000), ref: 00454D72
                • ReleaseDC.USER32(00000000,?), ref: 00454D91
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Rect$Window$Offset$ClipIntersectPoints$ClientDrawEdgeExcludeFillInflateLongRelease
                • String ID:
                • API String ID: 2490777911-0
                • Opcode ID: 3b34b539370d0cf232521d31076355b2796d20599a2aa80e188283244d387d80
                • Instruction ID: 39bc3f1ea678f7c13eab0a62e3cc9a36698d92115f7d61dd1458af6ac4156215
                • Opcode Fuzzy Hash: 3b34b539370d0cf232521d31076355b2796d20599a2aa80e188283244d387d80
                • Instruction Fuzzy Hash: 58A10F71E04108AFCB01DF99C886EEEB7F9AF49305F1440A6F914FB252C779AE449B64

                Control-flow Graph

                APIs
                • GetCurrentProcessId.KERNEL32(?,00000000,00459510), ref: 004593B9
                • GlobalAddAtomA.KERNEL32(00000000), ref: 004593EC
                • GetCurrentThreadId.KERNEL32 ref: 00459407
                • GlobalAddAtomA.KERNEL32(00000000), ref: 0045943D
                • RegisterClipboardFormatA.USER32(00000000), ref: 00459453
                  • Part of subcall function 0041B0C0: RtlInitializeCriticalSection.NTDLL(0041821C), ref: 0041B0DF
                  • Part of subcall function 00458FA0: SetErrorMode.KERNEL32(00008000), ref: 00458FB9
                  • Part of subcall function 00458FA0: GetModuleHandleA.KERNEL32(USER32,00000000,00459106,?,00008000), ref: 00458FDD
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00458FEA
                  • Part of subcall function 00458FA0: LoadLibraryA.KERNEL32(imm32.dll,00000000,00459106,?,00008000), ref: 00459006
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00459028
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0045903D
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00459052
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00459067
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0045907C
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00459091
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004590A6
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004590BB
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 004590D0
                  • Part of subcall function 00458FA0: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 004590E5
                  • Part of subcall function 00458FA0: SetErrorMode.KERNEL32(?,0045910D,00008000), ref: 00459100
                  • Part of subcall function 004678C8: GetKeyboardLayout.USER32(00000000), ref: 0046790D
                  • Part of subcall function 004678C8: GetDC.USER32(00000000), ref: 00467962
                  • Part of subcall function 004678C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0046796C
                  • Part of subcall function 004678C8: ReleaseDC.USER32(00000000,00000000), ref: 00467977
                  • Part of subcall function 00468B48: LoadIconA.USER32(00400000,MAINICON), ref: 00468C3F
                  • Part of subcall function 00468B48: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,004594A8,00000000,00000000,?,?,00000000,00459510), ref: 00468C71
                  • Part of subcall function 00468B48: OemToCharA.USER32(?,?), ref: 00468C84
                  • Part of subcall function 00468B48: CharNextA.USER32(?,00400000,?,00000100,?,?,?,004594A8,00000000,00000000,?,?,00000000,00459510), ref: 00468CC3
                  • Part of subcall function 00468B48: CharLowerA.USER32(00000000,?,00400000,?,00000100,?,?,?,004594A8,00000000,00000000,?,?,00000000,00459510), ref: 00468CC9
                • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00459510), ref: 004594D7
                • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 004594E8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsClipboardCriticalDeviceFileFormatIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterReleaseSectionThread
                • String ID: <WD$AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                • API String ID: 268368413-1671005890
                • Opcode ID: 631f813720f5a0dcc429f006d3e385f001ced7550a73d62dd4be61fd72dafd65
                • Instruction ID: 13477194ee734d82b607bba5ac3cdb5d227e3fff647c6012259c42d2d83c67c8
                • Opcode Fuzzy Hash: 631f813720f5a0dcc429f006d3e385f001ced7550a73d62dd4be61fd72dafd65
                • Instruction Fuzzy Hash: F04132759146059FC701EFB9DC8268E77E5EB59308B90443EF400E7352EB39AD089B59

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 113 465f98-465fbe 114 465fc0-465fca 113->114 115 465fed-466016 call 46b314 113->115 114->115 116 465fcc-465fe8 call 40708c call 40e504 call 404628 114->116 121 466596-46659d 115->121 122 46601c-466026 115->122 116->115 124 4665c4-4665db 121->124 125 46659f-4665a6 121->125 126 46602c-466071 call 403fb0 122->126 127 46648a-4664d0 call 403fb0 122->127 125->124 130 4665a8-4665b2 125->130 142 466093-46609d 126->142 143 466073-46607d 126->143 139 4664d2-4664d7 call 464cd0 127->139 140 4664dc-4664e6 127->140 130->124 134 4665b4-4665bf call 453b48 ShowWindow 130->134 134->124 139->140 147 4664f8-466502 140->147 148 4664e8-4664f3 140->148 144 46609f-4660b6 call 44b3d4 142->144 145 4660d9-4660ed call 467af4 142->145 149 466176-466188 143->149 150 466083-46608d 143->150 168 4660bb-4660d2 call 44b418 144->168 169 4660b8 144->169 177 4660f2-466106 call 467ae8 145->177 178 4660ef 145->178 152 466526-466539 call 453b48 GetActiveWindow 147->152 153 466504-466521 call 453b48 SetWindowPos 147->153 148->124 154 46618e-4661a0 149->154 155 46629b-46629d 149->155 150->142 150->149 181 46655b-46655d 152->181 182 46653b-46654a call 453b48 call 45f2ec 152->182 153->124 160 4661a2-4661b5 call 403f40 154->160 161 4661bd-4661bf 154->161 164 466396-4663aa 155->164 165 4662a3-4662ad 155->165 160->161 197 4661b7-4661ba 160->197 175 4661c1-4661c4 161->175 176 4661fe-466212 call 467af4 161->176 173 466465-466485 call 453b48 ShowWindow 164->173 174 4663b0-4663ba 164->174 166 4662af-4662c6 call 44b3d4 165->166 167 4662e9-4662f7 call 467b24 165->167 206 4662cb-4662e2 call 44b418 166->206 207 4662c8 166->207 212 4662fc-466310 call 467b0c 167->212 213 4662f9 167->213 204 46610b-466117 call 467b0c 168->204 217 4660d4-4660d7 168->217 169->168 173->124 183 4663f2-46643e call 453b48 ShowWindow call 453b48 CallWindowProcA call 44bcf0 174->183 184 4663bc-4663f0 call 453b48 SendMessageA call 453b48 ShowWindow 174->184 175->176 189 4661c6-4661da call 461b50 175->189 208 466217-46622b call 467ae8 176->208 209 466214 176->209 177->204 205 466108 177->205 178->177 192 466584-466594 call 453b48 ShowWindow 181->192 193 46655f-466582 call 453b48 SetWindowPos SetActiveWindow 181->193 182->181 245 46654c-466559 call 453b48 call 45f614 182->245 246 466443-466460 SendMessageA 183->246 184->246 228 4661df-4661f3 call 461b70 189->228 229 4661dc 189->229 192->124 193->124 197->161 239 466125-466131 call 467b00 204->239 240 466119-466123 call 467b0c 204->240 205->204 241 4662e4-4662e7 206->241 242 466345-466351 call 467b0c 206->242 207->206 243 466230-46623c call 467b0c 208->243 244 46622d 208->244 209->208 247 466315-466325 call 467b18 212->247 248 466312 212->248 213->212 217->204 250 4661f5 228->250 251 4661f8-4661fc 228->251 229->228 264 466133-46613d call 467b00 239->264 265 46613f-466163 239->265 240->239 241->242 271 466353-46635d call 467b0c 242->271 272 46635f-46636b call 467b00 242->272 266 46623e-466248 call 467b0c 243->266 267 46624a-466256 call 467b00 243->267 244->243 245->181 246->124 269 466327 247->269 270 46632a-46633e call 467b00 247->270 248->247 250->251 251->243 264->265 265->164 289 466169-466171 call 463940 265->289 266->267 290 466264-466288 267->290 291 466258-466262 call 467b00 267->291 269->270 292 466343 270->292 293 466340 270->293 271->272 287 46636d-466377 call 467b00 272->287 288 466379-466390 KiUserCallbackDispatcher 272->288 287->288 288->164 289->164 290->164 301 46628e-466296 call 463940 290->301 291->290 292->242 293->292 301->164
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: LoadString
                • String ID:
                • API String ID: 2948472770-0
                • Opcode ID: c0faf57c8a24d4bb890d2aa74084f286c706c7e044c069c58c258330813879a1
                • Instruction ID: b3cbd6cc516d4c6a5c59f3b8fb1240fc0cdde365d49f4b46e8a88c573d1ba5f4
                • Opcode Fuzzy Hash: c0faf57c8a24d4bb890d2aa74084f286c706c7e044c069c58c258330813879a1
                • Instruction Fuzzy Hash: 05027031A14204EFDB01DB6DD985F9D77E4AB05308F1601A6F904E73A2EB39BE44DB4A

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 304 4696d8-46970c 305 469740-469755 call 469568 304->305 306 46970e-46970f 304->306 311 469802-469807 305->311 312 46975b 305->312 308 469711-46972d call 41aaa4 306->308 339 46972f-469737 308->339 340 46973c-46973e 308->340 314 469858-46985d 311->314 315 469809 311->315 316 469761-469764 312->316 317 469c9d-469cb2 call 46ab8c 312->317 323 46987e-469883 314->323 324 46985f 314->324 318 469b14-469b1c 315->318 319 46980f-469814 315->319 320 469766 316->320 321 4697c0-4697c3 316->321 332 469d70-469d78 317->332 331 469b22-469b2d call 453b48 318->331 318->332 333 469816 319->333 334 46983f-469844 319->334 335 469ac2-469acc 320->335 336 46976c-46976f 320->336 337 4697c5 321->337 338 4697eb-4697ee 321->338 329 469cf0-469cf7 323->329 330 469889-46988f 323->330 326 469cb7-469cbe 324->326 327 469865-46986a 324->327 344 469cc0-469cd3 call 46a508 326->344 345 469cd8-469ceb call 46a564 326->345 342 469870-469873 327->342 343 469c5f-469c6c call 45f2ec 327->343 350 469d0a-469d19 329->350 351 469cf9-469d08 329->351 346 469895 330->346 347 469ad1-469aed call 46bdbc 330->347 331->332 395 469b33-469b42 call 453b48 IsWindowEnabled 331->395 341 469d8f-469d95 332->341 357 46981c-469821 333->357 358 469bad-469bb8 333->358 359 469c26-469c42 GetLastActivePopup 334->359 360 46984a-46984d 334->360 335->332 348 469775 336->348 349 469d69-469d6a call 469650 336->349 352 46997c-46999d call 469650 337->352 353 4697cb-4697ce 337->353 354 4697f4-4697f7 338->354 355 469d41-469d52 call 46877c call 469650 338->355 339->341 340->305 340->308 342->317 361 469879 342->361 343->332 412 469c72-469c7d GetFocus 343->412 344->332 345->332 346->349 347->332 348->321 399 469d6f 349->399 350->332 351->332 416 46999f-4699ad call 46c45c 352->416 417 4699d8-4699f5 call 469218 PostMessageA 352->417 366 4697d4-4697d7 353->366 367 469933-469943 call 469650 353->367 369 4697fd 354->369 370 469948-469956 call 469d98 354->370 355->332 375 469823-469829 357->375 376 46989a-4698aa 357->376 363 469bcc-469bd5 358->363 364 469bba-469bc0 358->364 359->332 372 469c48-469c5a 359->372 379 469af2-469aff call 46a2b0 360->379 380 469853 360->380 361->349 382 469bd7-469be3 call 46c45c 363->382 383 469c1a-469c21 363->383 364->363 387 469aa6-469aad 366->387 388 4697dd-4697e0 366->388 367->332 369->349 370->332 372->332 396 46982f-469834 375->396 397 469a7a-469aa1 SendMessageA 375->397 385 4698b5-4698bd call 469db4 376->385 386 4698ac-4698b1 376->386 379->332 425 469b05-469b0f 379->425 380->349 382->383 433 469be5-469bfa call 453b48 IsWindowEnabled 382->433 383->332 385->332 402 4698c2-4698ca call 469e94 386->402 403 4698b3-4698d6 call 469650 386->403 387->332 400 469ab3-469abd call 410080 call 404b08 387->400 405 4697e6 388->405 406 469d1b-469d3f call 458f3c call 4695e4 call 469650 388->406 395->332 439 469b48-469b57 call 453b48 IsWindowVisible 395->439 414 469d54-469d5e call 459c34 call 459d98 396->414 415 46983a 396->415 397->332 399->332 400->332 402->332 403->332 405->349 406->332 412->332 428 469c83-469c8c call 45f614 412->428 414->332 415->349 448 4699b6-4699d3 call 469278 PostMessageA 416->448 449 4699af 416->449 417->332 425->332 428->332 455 469c92-469c98 SetFocus 428->455 433->383 458 469bfc-469c0d call 453b48 433->458 439->332 460 469b5d-469ba8 GetFocus call 453b48 SetFocus call 44cd50 SetFocus 439->460 448->332 449->448 455->332 458->383 467 469c0f-469c15 SetFocus 458->467 460->332 467->383
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d767e3df9f3e9d275fa77d1ecaa0473a6472d67781a4f0bb020359971ce7f253
                • Instruction ID: 49589be54449dd1caded853ecafe18aecfd68da9052ccae6a2435e2bdee08ca4
                • Opcode Fuzzy Hash: d767e3df9f3e9d275fa77d1ecaa0473a6472d67781a4f0bb020359971ce7f253
                • Instruction Fuzzy Hash: 5BE19034604204DFC700EF69C585A9EB7B8AF05354F2441A7E405AB3A2E7BDEE45DB4B

                Control-flow Graph

                APIs
                • IsWindowUnicode.USER32(?), ref: 0044838E
                • SetWindowLongW.USER32(?,000000FC,?), ref: 004483A9
                • GetWindowLongW.USER32(?,000000F0), ref: 004483B4
                • GetWindowLongW.USER32(?,000000F4), ref: 004483C6
                • SetWindowLongW.USER32(?,000000F4,?), ref: 004483D9
                • SetWindowLongA.USER32(?,000000FC,?), ref: 004483F2
                • GetWindowLongA.USER32(?,000000F0), ref: 004483FD
                • GetWindowLongA.USER32(?,000000F4), ref: 0044840F
                • SetWindowLongA.USER32(?,000000F4,?), ref: 00448422
                • SetPropA.USER32(?,00000000,00000000), ref: 00448439
                • SetPropA.USER32(?,00000000,00000000), ref: 00448450
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$Long$Prop$Unicode
                • String ID:
                • API String ID: 1693715928-0
                • Opcode ID: ea434ccda2fee9ee4cafaa40c9d421d5ed23645447d1d33f1764e36237b3e74e
                • Instruction ID: 22e67b48a3d72c76720219598ebbd10c7286eced480d4ed4a96702cf7f816e00
                • Opcode Fuzzy Hash: ea434ccda2fee9ee4cafaa40c9d421d5ed23645447d1d33f1764e36237b3e74e
                • Instruction Fuzzy Hash: 1B31B876908245BFDF10DFA9DC84EAA37A8AF08368F104615F914DB3E1E738E9409B55

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 759 4513d8-4513f3 760 4513f5-4513ff 759->760 761 45141e-451429 759->761 760->761 762 451401-45140b 760->762 763 4515a4-4515af 761->763 764 45142f-451436 761->764 762->761 765 45140d-451419 762->765 768 4515b5-4515bb 763->768 769 4516af-4516b5 763->769 766 45144d-451462 764->766 767 451438-451446 call 41ab00 764->767 765->761 766->763 771 451468-451483 call 41aaa4 766->771 767->766 777 451448-45144a 767->777 768->769 772 4515c1-4515c2 768->772 780 451485-45148c 771->780 781 451497-45149e 771->781 773 4515c9-4515e3 call 41aaa4 772->773 784 4516a5-4516a9 773->784 785 4515e9-4515ed 773->785 777->766 786 4514be-4514f7 call 4193a4 RectVisible 780->786 787 45148e-451495 780->787 782 451595-45159e 781->782 783 4514a4-4514ab 781->783 782->763 782->771 783->782 788 4514b1-4514b8 783->788 784->769 784->773 785->784 790 4515f3-4515f7 785->790 786->782 794 4514fd-451504 786->794 787->781 787->786 788->782 788->786 792 4515ff-451603 790->792 793 4515f9-4515fd 790->793 792->784 796 451609-45160d 792->796 793->792 795 45161d-4516a0 call 429ccc CreateSolidBrush call 4193a4 FrameRect DeleteObject call 429ccc CreateSolidBrush call 4193a4 FrameRect DeleteObject 793->795 797 451506-451509 794->797 798 45150f-451565 SaveDC call 44a064 IntersectClipRect call 44cd50 794->798 795->784 796->784 799 451613-451617 796->799 797->798 807 45156a-451584 RestoreDC 798->807 799->784 799->795
                APIs
                • RectVisible.GDI32(?,?), ref: 004514F0
                • SaveDC.GDI32(?), ref: 00451513
                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00451553
                • RestoreDC.GDI32(?,00451376), ref: 0045157F
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Rect$ClipIntersectRestoreSaveVisible
                • String ID:
                • API String ID: 1976014923-0
                • Opcode ID: 6d9a27c4dab81b10c602cb5ebb2bad65c777e7f7ccd764ea895eda94ce9758c2
                • Instruction ID: 18e8078aaa453cc0af73e1804fc65aa622a66155f381e4b053d9057cfa6ca1a1
                • Opcode Fuzzy Hash: 6d9a27c4dab81b10c602cb5ebb2bad65c777e7f7ccd764ea895eda94ce9758c2
                • Instruction Fuzzy Hash: 7C910B74A00248AFDB05DF99C485FAE7BF5AF49304F0844A6E904EB3A6D738ED84CB54

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 812 44b670-44b681 813 44b804-44b818 812->813 814 44b687-44b68b 812->814 815 44b696 814->815 816 44b68d-44b694 814->816 817 44b69d-44b6a0 815->817 816->817 818 44b6b4 817->818 819 44b6a2-44b6b2 MulDiv 817->819 820 44b6b7-44b6ba 818->820 819->820 821 44b6d0-44b6d3 820->821 822 44b6bc-44b6ce MulDiv 820->822 823 44b6d7-44b6da 821->823 822->823 824 44b714-44b717 823->824 825 44b6dc-44b6e0 823->825 827 44b71b-44b71e 824->827 825->824 826 44b6e2-44b6e5 825->826 828 44b6e7-44b6fe MulDiv 826->828 829 44b700-44b712 MulDiv 826->829 830 44b720-44b724 827->830 831 44b75a-44b75d 827->831 828->827 829->827 830->831 832 44b726-44b729 830->832 833 44b761-44b798 call 44b514 KiUserCallbackDispatcher 831->833 834 44b746-44b758 MulDiv 832->834 835 44b72b-44b744 MulDiv 832->835 838 44b7b1-44b7c2 833->838 839 44b79a-44b7ab MulDiv 833->839 834->833 835->833 840 44b7c4-44b7d5 MulDiv 838->840 841 44b7db-44b7df 838->841 839->838 840->841 841->813 842 44b7e1-44b7e4 841->842 842->813 843 44b7e6-44b7ff call 42a4e4 MulDiv call 42a500 842->843 843->813
                APIs
                • MulDiv.KERNEL32(?,?,?), ref: 0044B6AB
                • MulDiv.KERNEL32(?,?,?), ref: 0044B6C5
                • MulDiv.KERNEL32(?,?,?), ref: 0044B6F3
                • MulDiv.KERNEL32(?,?,?), ref: 0044B709
                • MulDiv.KERNEL32(?,?,?), ref: 0044B737
                • MulDiv.KERNEL32(?,?,?), ref: 0044B74F
                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0044B781
                • MulDiv.KERNEL32(?), ref: 0044B7A6
                • MulDiv.KERNEL32(?), ref: 0044B7D0
                • MulDiv.KERNEL32(00000000), ref: 0044B7F6
                  • Part of subcall function 0042A500: MulDiv.KERNEL32(00000000,?,00000048), ref: 0042A50D
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: eed5189c95570797ebc7f6ae3c3ef90d02265ec93d28ae8244235bdc46a4faf7
                • Instruction ID: 40833c73329a435b356fe91ad4eb4be47a72a52a6f99bdbd4f5cc80cecb4b485
                • Opcode Fuzzy Hash: eed5189c95570797ebc7f6ae3c3ef90d02265ec93d28ae8244235bdc46a4faf7
                • Instruction Fuzzy Hash: 0B51EA706087506FD320AB6DC885A67BBF9DB49354F04482EF9D6C7752C739E8408BA6

                Control-flow Graph

                APIs
                • GetWindowLongA.USER32(00000000,000000F0), ref: 00462E75
                • GetWindowLongA.USER32(00000000,000000EC), ref: 00462E87
                • GetClassLongA.USER32(00000000,000000E6), ref: 00462E9A
                • SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00462EDA
                • SetWindowLongA.USER32(00000000,000000EC,?), ref: 00462EEE
                • SetClassLongA.USER32(00000000,000000E6,?), ref: 00462F02
                • SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 00462F3C
                • SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 00462F54
                • GetSystemMenu.USER32(00000000,000000FF,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000,?,00000000,000000EC,00000000,000000F0), ref: 00462F63
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037,00000000,000000E6,?,00000000,000000EC,?,00000000,000000F0,00000000), ref: 00462F8C
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Long$Window$ClassMessageSend$MenuSystem
                • String ID:
                • API String ID: 494549727-0
                • Opcode ID: a3cf2b6eaa757080c5134fd96ce86e8d8173df99d269e64d26d88b3504c2be0a
                • Instruction ID: 9a00b2868935a558fdbbb5cd34caefb5f0e4d59dace987bd7f783f53dd41a251
                • Opcode Fuzzy Hash: a3cf2b6eaa757080c5134fd96ce86e8d8173df99d269e64d26d88b3504c2be0a
                • Instruction Fuzzy Hash: 1C411B60B0864136C6167B3D8C46B7FA65A1F8134AF08461AF454E72D3DFBDAD05A34F

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1069 4f0c80-4f0ca7 call 4bfa1c 1072 4f0ca9-4f0cb6 call 404d68 1069->1072 1073 4f0cb8-4f0cc0 call 404d68 1069->1073 1076 4f0cc5-4f0cdb call 410628 1072->1076 1073->1076 1080 4f0d93-4f0da8 call 404cd0 1076->1080 1081 4f0ce1-4f0cec GetProcAddress 1076->1081 1083 4f0cf0-4f0cfe 1081->1083 1085 4f0d42-4f0d44 1083->1085 1086 4f0d00-4f0d04 1083->1086 1087 4f0d48-4f0d56 1085->1087 1086->1085 1088 4f0d06-4f0d0a 1086->1088 1089 4f0d58-4f0d6d GetProcAddress 1087->1089 1090 4f0d70-4f0d79 1087->1090 1088->1085 1091 4f0d0c-4f0d10 1088->1091 1089->1090 1090->1080 1092 4f0d7b-4f0d90 GetProcAddress 1090->1092 1091->1085 1093 4f0d12-4f0d16 1091->1093 1092->1080 1093->1085 1094 4f0d18-4f0d1c 1093->1094 1094->1085 1095 4f0d1e-4f0d22 1094->1095 1095->1085 1096 4f0d24-4f0d28 1095->1096 1096->1085 1097 4f0d2a-4f0d2e 1096->1097 1097->1085 1098 4f0d30-4f0d34 1097->1098 1098->1085 1099 4f0d36-4f0d3a 1098->1099 1099->1085 1100 4f0d3c-4f0d40 1099->1100 1100->1085 1101 4f0d46 1100->1101 1101->1087
                APIs
                • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 004F0CE7
                • GetProcAddress.KERNEL32(?,EncryptMessage), ref: 004F0D63
                • GetProcAddress.KERNEL32(?,DecryptMessage), ref: 004F0D86
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressProc
                • String ID: DecryptMessage$EncryptMessage$InitSecurityInterfaceA$secur32.dll$security.dll
                • API String ID: 190572456-747104660
                • Opcode ID: 12febfcc64473a01e6e2381f596a0fee65fbb1675bfa2f8901fee68adaafe9e9
                • Instruction ID: e34129094b6720cdf9ace6f56bce1ae4355dbd571da8e2342ae8d735a873135b
                • Opcode Fuzzy Hash: 12febfcc64473a01e6e2381f596a0fee65fbb1675bfa2f8901fee68adaafe9e9
                • Instruction Fuzzy Hash: 6D413D34500218DFDB60DB99C484B7677A5EF85314F9981E6E2089F3A3C378EC85CB9A

                Control-flow Graph

                APIs
                • BeginPaint.USER32(00000000,?), ref: 00451A2C
                  • Part of subcall function 00451240: BeginPaint.USER32(00000000,?), ref: 0045126B
                  • Part of subcall function 00451240: EndPaint.USER32(00000000,?,004513A6), ref: 00451399
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Paint$Begin
                • String ID:
                • API String ID: 3787552996-0
                • Opcode ID: f406becf81edbb1a0da45122b909b86f0190925360f7b2ea8e0aa26152c5b9e8
                • Instruction ID: 758323ec88bfa0954c72645ee8e785a291c6c4028cf0506426bc8e005e3e431a
                • Opcode Fuzzy Hash: f406becf81edbb1a0da45122b909b86f0190925360f7b2ea8e0aa26152c5b9e8
                • Instruction Fuzzy Hash: 67616171E00108AFDB05DFA9C952EAEBBF8EB48305F1040AAF904E7251D778AE04CB54

                Control-flow Graph

                APIs
                  • Part of subcall function 00423294: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004232B2
                • GetClassInfoA.USER32(00400000,00468B38,?), ref: 00468EFB
                • RegisterClassA.USER32(00534890), ref: 00468F13
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                • SetWindowLongA.USER32(0000000E,000000FC,11000000), ref: 00468FA7
                • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00468FC9
                • SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00468FDC
                • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,11000000), ref: 00468FE7
                • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,11000000), ref: 00468FF6
                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,11000000), ref: 00469003
                • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,11000000), ref: 0046901A
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                • String ID:
                • API String ID: 2103932818-0
                • Opcode ID: abbbfa8a2167444d838895b1fda55df5299594377a9f9c12f9ead03d2b4c6dcf
                • Instruction ID: 3f2c8a80431efae89c86a994bede0647e9a6621495e98f4abe2d3ca93a42886b
                • Opcode Fuzzy Hash: abbbfa8a2167444d838895b1fda55df5299594377a9f9c12f9ead03d2b4c6dcf
                • Instruction Fuzzy Hash: 28415471B042406FE710EB69DC82F5633ECEB19704F544579FA00EB2D2EAB8BC449B69
                APIs
                • GetThreadLocale.KERNEL32(00000000,0040F8BB,?,?,00000000,00000000), ref: 0040F626
                  • Part of subcall function 0040DBC0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040DBDE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Locale$InfoThread
                • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                • API String ID: 4232894706-2493093252
                • Opcode ID: 4b877254a26be70013c92709851191fc93b770d1f1ca3ffdf4da555d604d80d4
                • Instruction ID: 6b2562873809bb42ee8e2ac6fe2a59374851a6d284cce7efffd66d3dec960fdb
                • Opcode Fuzzy Hash: 4b877254a26be70013c92709851191fc93b770d1f1ca3ffdf4da555d604d80d4
                • Instruction Fuzzy Hash: 9D613D71A001089BDB10FBA5D851ADEB7B6AF98308F11D43AB100BB6D6CA7CDD0D9758
                APIs
                • GetClassInfoA.USER32(?,?,?), ref: 0044FDF8
                • UnregisterClassA.USER32(?,?), ref: 0044FE20
                • RegisterClassA.USER32(?), ref: 0044FE36
                • GetWindowLongA.USER32(00000000,000000F0), ref: 0044FE72
                • GetWindowLongA.USER32(00000000,000000F4), ref: 0044FE87
                • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0044FE9A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ClassLongWindow$InfoRegisterUnregister
                • String ID: @
                • API String ID: 717780171-2766056989
                • Opcode ID: c02a534a218cd4f7f1467c2952036bc9aad7c80df1d9b5bd23f51c51e596ca45
                • Instruction ID: 6a37a5cd156fae2c1fce10b8cc798468f1a518bd12169fde69efc1db9511ace1
                • Opcode Fuzzy Hash: c02a534a218cd4f7f1467c2952036bc9aad7c80df1d9b5bd23f51c51e596ca45
                • Instruction Fuzzy Hash: F651B170A003149BEB20DF69CC45B9BB3F8AF05308F10457AE945E7392DB38AD48CB59
                APIs
                • Sleep.KERNEL32(00000000,?), ref: 00401E82
                • Sleep.KERNEL32(0000000A,00000000,?), ref: 00401E9C
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: cd4418381252872662056f3721d8f2dcee23d1250e174110b194a8e57ab6d572
                • Instruction ID: e74bfcbb3b685ff6f4f5f081bf07988b78640700cb8a2e4d5f9f72c27a96bf7a
                • Opcode Fuzzy Hash: cd4418381252872662056f3721d8f2dcee23d1250e174110b194a8e57ab6d572
                • Instruction Fuzzy Hash: DE7112316042008FD715DB68C984B5BBBD4AB96318F18827FE844AB3F2C778C985C79A
                APIs
                  • Part of subcall function 0046BD34: GetActiveWindow.USER32 ref: 0046BD5B
                  • Part of subcall function 0046BD34: GetLastActivePopup.USER32(0001040C), ref: 0046BD6D
                • GetWindowRect.USER32(?,?), ref: 0046A9BA
                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0046A9F2
                • MessageBoxA.USER32(00000000,?,?,?), ref: 0046AA31
                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0046AAA7,?,00000000,0046AAA0), ref: 0046AA81
                • SetActiveWindow.USER32(00000000,0046AAA7,?,00000000,0046AAA0), ref: 0046AA92
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$Active$LastMessagePopupRect
                • String ID: (
                • API String ID: 3456420849-3887548279
                • Opcode ID: 82eb0501bc168a39c6c896245c6a6c3cb4fbb2041fd183727f14c4c92a17ee94
                • Instruction ID: 8ad15b2bcca0c79a1e7b5c6e38210e5fa7d537afd5a85adeafa32b89995e4b06
                • Opcode Fuzzy Hash: 82eb0501bc168a39c6c896245c6a6c3cb4fbb2041fd183727f14c4c92a17ee94
                • Instruction Fuzzy Hash: B251F7B5E00508AFDB04DBE9CD91FAEB7B9EB48304F54446AF500FB392D678AD048B56
                APIs
                • LoadIconA.USER32(00400000,MAINICON), ref: 00468C3F
                • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,004594A8,00000000,00000000,?,?,00000000,00459510), ref: 00468C71
                • OemToCharA.USER32(?,?), ref: 00468C84
                • CharNextA.USER32(?,00400000,?,00000100,?,?,?,004594A8,00000000,00000000,?,?,00000000,00459510), ref: 00468CC3
                • CharLowerA.USER32(00000000,?,00400000,?,00000100,?,?,?,004594A8,00000000,00000000,?,?,00000000,00459510), ref: 00468CC9
                  • Part of subcall function 00468E9C: GetClassInfoA.USER32(00400000,00468B38,?), ref: 00468EFB
                  • Part of subcall function 00468E9C: RegisterClassA.USER32(00534890), ref: 00468F13
                  • Part of subcall function 00468E9C: SetWindowLongA.USER32(0000000E,000000FC,11000000), ref: 00468FA7
                  • Part of subcall function 00468E9C: SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00468FC9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Char$Class$FileIconInfoLoadLongLowerMessageModuleNameNextRegisterSendWindow
                • String ID: MAINICON
                • API String ID: 2763768735-2283262055
                • Opcode ID: 4c02971a90343d78276caa8954ce3475cba6c8da856202917947296956840a0f
                • Instruction ID: 05cfccdb3c21966f5071dd5018d736d529cf459f8b8901a800ef22322308d59d
                • Opcode Fuzzy Hash: 4c02971a90343d78276caa8954ce3475cba6c8da856202917947296956840a0f
                • Instruction Fuzzy Hash: E4515570A042449FDB40EF29C8C5B857BE5AF15308F0445BAE848DF357DBBD9948CB66
                APIs
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0046A3CC
                • IsWindowUnicode.USER32 ref: 0046A3E0
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0046A401
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0046A417
                • TranslateMessage.USER32 ref: 0046A4A0
                • DispatchMessageW.USER32 ref: 0046A4AC
                • DispatchMessageA.USER32 ref: 0046A4B4
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                • String ID:
                • API String ID: 2190272339-0
                • Opcode ID: 63e9ab0dc4d4355ee8b5d50ac46d1e57b63e3fb3b8165d9fa55e0e02252fbec2
                • Instruction ID: b6f0327a5ba10c1ca443f9dcc6593d3fffb5c47205ee74e8cf1f84d16ab87c14
                • Opcode Fuzzy Hash: 63e9ab0dc4d4355ee8b5d50ac46d1e57b63e3fb3b8165d9fa55e0e02252fbec2
                • Instruction Fuzzy Hash: 79214B30348B0026E63175254C457BB92855F91708F14889FF9CAB73C2FEEDAC56451F
                APIs
                • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00468151
                • CreateFontIndirectA.GDI32(?), ref: 0046815E
                • GetStockObject.GDI32(0000000D), ref: 00468174
                  • Part of subcall function 0042A500: MulDiv.KERNEL32(00000000,?,00000048), ref: 0042A50D
                • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0046819D
                • CreateFontIndirectA.GDI32(?), ref: 004681AD
                • CreateFontIndirectA.GDI32(?), ref: 004681C6
                • GetStockObject.GDI32(0000000D), ref: 004681EC
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                • String ID:
                • API String ID: 2891467149-0
                • Opcode ID: e108d54cfdc68f8a0c71447c72882223eb0576a620830aab711fff3d2c4c239c
                • Instruction ID: d7645e421b6bdba4ef9f8ae61564230c99c694b0daa39cf3898a8d8ae314010e
                • Opcode Fuzzy Hash: e108d54cfdc68f8a0c71447c72882223eb0576a620830aab711fff3d2c4c239c
                • Instruction Fuzzy Hash: 9731C730704604ABD750FB69DC85B9A37A4AB05304F904076BD08DB297EE789C49C73A
                APIs
                • Sleep.KERNEL32(00000000,?,00401A36), ref: 00401B1F
                • Sleep.KERNEL32(0000000A,00000000,?,00401A36), ref: 00401B35
                • Sleep.KERNEL32(00000000,?,?,?,00401A36), ref: 00401B63
                • Sleep.KERNEL32(0000000A,00000000,?,?,?,00401A36), ref: 00401B79
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 4ce39374f22b9f2bae8b597d068e1e62d247ed3d5bc20517d886286fa3d0d18e
                • Instruction ID: d6abd4e26022a127e3789074106e34c1551d60756381ba4634a83bc2bd71fe1c
                • Opcode Fuzzy Hash: 4ce39374f22b9f2bae8b597d068e1e62d247ed3d5bc20517d886286fa3d0d18e
                • Instruction Fuzzy Hash: 6EC1587A6056108BD715CF28D8C4392BBE0EB96314F18827FD4499B3F1D378E889DB98
                APIs
                • GetClassInfoA.USER32(00400000,00423340,?), ref: 00423371
                • UnregisterClassA.USER32(00423340,00400000), ref: 0042339A
                • RegisterClassA.USER32(00533B98), ref: 004233A4
                • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 004233EF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Class$InfoLongRegisterUnregisterWindow
                • String ID: @3B
                • API String ID: 4025006896-3814855006
                • Opcode ID: 286523ab583a1580705b0a4bdc877bfe3f7a316f6e809678a7077cf8d7a7c451
                • Instruction ID: 8b72950fd1ed91873b4305a673563a9eb447f903d180b152dbf293c3740273b6
                • Opcode Fuzzy Hash: 286523ab583a1580705b0a4bdc877bfe3f7a316f6e809678a7077cf8d7a7c451
                • Instruction Fuzzy Hash: 7C0182B17041047BC700EF58AC41E9B73A8F715309F50852AF954E73E1CA3DEB498768
                APIs
                • MulDiv.KERNEL32(00000000,00000060,?), ref: 00461627
                • MulDiv.KERNEL32(?,00000000,00000000), ref: 004616B9
                • MulDiv.KERNEL32(?,00000000,00000000), ref: 004616E8
                • MulDiv.KERNEL32(?,00000000,00000000), ref: 00461717
                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0046173A
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9cff51acc1e1da0fdfb93e07ceea8056a4d2ae3674fb0c1dca3b3d7a82ff4e5c
                • Instruction ID: 1679f1b20b41cf8d62fd17a23953428757b33a8c7ae4fa6ae46667b13ec342bd
                • Opcode Fuzzy Hash: 9cff51acc1e1da0fdfb93e07ceea8056a4d2ae3674fb0c1dca3b3d7a82ff4e5c
                • Instruction Fuzzy Hash: 0581D874B00204EFD744DB99C589E9EB7F9AF49304F2941F6E808DB362DB34AE409B55
                APIs
                • GetMenu.USER32(00000000), ref: 00463584
                • SetMenu.USER32(00000000,00000000), ref: 004635A1
                • SetMenu.USER32(00000000,00000000), ref: 004635D6
                • SetMenu.USER32(00000000,00000000), ref: 004635F2
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 00463639
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Menu$LoadStringWindow
                • String ID:
                • API String ID: 1738039741-0
                • Opcode ID: 630f1c35740f8efbffcbc757cce722f3f7e95522b165d85d679e5237732c1a6e
                • Instruction ID: 324e18542d5ec6a7d2c58787f8da087c2b0e579ae6affcc11c3ede5e7fd3b55d
                • Opcode Fuzzy Hash: 630f1c35740f8efbffcbc757cce722f3f7e95522b165d85d679e5237732c1a6e
                • Instruction Fuzzy Hash: 0E51CF30A043846BDB21AF3AC88675A67955F4070AF0444BFFC05DB393EA7DDE08875A
                APIs
                • BeginPaint.USER32(00000000,?), ref: 0045126B
                • SaveDC.GDI32(00000000), ref: 004512A4
                • ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,00451362,?,00000000,0045139F), ref: 00451326
                • RestoreDC.GDI32(00000000,?), ref: 0045135C
                • EndPaint.USER32(00000000,?,004513A6), ref: 00451399
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Paint$BeginClipExcludeRectRestoreSave
                • String ID:
                • API String ID: 3808407030-0
                • Opcode ID: eab5a8f3db08ccd4c58a002b3962468e1c78a0a03ee2939c775a2fa5d0716538
                • Instruction ID: bdca988d5914e4200c3d9f6d0b976fc1b228d4bd2e69326d889f7e7ba68c2125
                • Opcode Fuzzy Hash: eab5a8f3db08ccd4c58a002b3962468e1c78a0a03ee2939c775a2fa5d0716538
                • Instruction Fuzzy Hash: 50417170A042449FEB04DB99C869FAEBBF4FF49305F1544AAED04977A2D778AD04CB48
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 0042213E
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0042216A
                • MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0042217F
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004221AC
                • GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 004221B7
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
                • String ID:
                • API String ID: 1797888035-0
                • Opcode ID: 30473b8ddfc46f4747322b808a6bd7bc8fc6003958245e3175d13a01b21d5427
                • Instruction ID: 0289a092d9a8c3777953f4e1b8a3701e795ebe0c46aed04bb9e41a56edcf4215
                • Opcode Fuzzy Hash: 30473b8ddfc46f4747322b808a6bd7bc8fc6003958245e3175d13a01b21d5427
                • Instruction Fuzzy Hash: DF11E571B443207BD610EA79DCC2F6F72D89B15724F904A2AF654E72D0D678EC50834A
                APIs
                • DrawTextA.USER32(00000000,00000000,?,?,00000000), ref: 004361FC
                • OffsetRect.USER32(?,00000001,00000001), ref: 004362B0
                • OffsetRect.USER32(?,000000FF,000000FF), ref: 00436304
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: OffsetRect$DrawText
                • String ID: ...
                • API String ID: 1225015809-440645147
                • Opcode ID: 5f411672e9345348ea0b663541ecbe21aba761f5a6017284dbe604fc42a8bcbb
                • Instruction ID: 8494d79ea5c22facac3a8bb38e7e8e2a2c94e4aa05f4fb002b011ad07b641060
                • Opcode Fuzzy Hash: 5f411672e9345348ea0b663541ecbe21aba761f5a6017284dbe604fc42a8bcbb
                • Instruction Fuzzy Hash: 3E915270A00115AFDB10DBA9C885AAEB7F5EF49314F5681B6E804E7356C738EE41CB58
                APIs
                • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 00431E42
                  • Part of subcall function 00431DD8: GetDC.USER32(00000000), ref: 00431DE1
                  • Part of subcall function 00431DD8: SelectObject.GDI32(00000000,058A00B4), ref: 00431DF3
                  • Part of subcall function 00431DD8: GetTextMetricsA.GDI32(00000000), ref: 00431DFE
                  • Part of subcall function 00431DD8: ReleaseDC.USER32(00000000,00000000), ref: 00431E0F
                Strings
                • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 00431E98
                • MS Shell Dlg 2, xrefs: 00431EAC
                • Tahoma, xrefs: 00431E64
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: MetricsObjectReleaseSelectText
                • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
                • API String ID: 2013942131-1011973972
                • Opcode ID: 93e75bf9f0d28a5144269e42455f6e14e40e45b8f9994c0caff86ab2a706ede4
                • Instruction ID: 15e00e373cb308cde7ae889aff0f469f4e6c14960bc7fbb20eeac95bcefe22f7
                • Opcode Fuzzy Hash: 93e75bf9f0d28a5144269e42455f6e14e40e45b8f9994c0caff86ab2a706ede4
                • Instruction Fuzzy Hash: BE118230704208AFD711EF65DC5299E77F5EB4A704F9150B6F800977A1D7399E41D718
                APIs
                • GetKeyboardLayout.USER32(00000000), ref: 0046790D
                • GetDC.USER32(00000000), ref: 00467962
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0046796C
                • ReleaseDC.USER32(00000000,00000000), ref: 00467977
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CapsDeviceKeyboardLayoutRelease
                • String ID:
                • API String ID: 3331096196-0
                • Opcode ID: 059f7c254cbd168cb75151cdc2ab3e158ed8c306412925314b90365fdbbadbd8
                • Instruction ID: eec0873e43643339beaed194919317ba03c3711d658d89e447fd20e5216d10fa
                • Opcode Fuzzy Hash: 059f7c254cbd168cb75151cdc2ab3e158ed8c306412925314b90365fdbbadbd8
                • Instruction Fuzzy Hash: 3731F6706042419FD744EF2AD8C2B457BE5AB04308F0491BEF908DF3A6EB79AC08CB59
                APIs
                • SendMessageA.USER32(?,?,?,?), ref: 0045116E
                  • Part of subcall function 00429CCC: GetSysColor.USER32(?), ref: 00429CD6
                • SetTextColor.GDI32(?,00000000), ref: 00451188
                • SetBkColor.GDI32(?,00000000), ref: 004511A2
                  • Part of subcall function 0042AAEC: CreateBrushIndirect.GDI32(?), ref: 0042AB97
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Color$BrushCreateIndirectMessageSendText
                • String ID:
                • API String ID: 3173815208-0
                • Opcode ID: 8c6548ed520882543da5157f818c1f8ae4686c6cccc002c752f529d6c724e752
                • Instruction ID: 2692720189af68bfa054ff5a2d71e5baab468869551e431ae8f9cbae1d59d654
                • Opcode Fuzzy Hash: 8c6548ed520882543da5157f818c1f8ae4686c6cccc002c752f529d6c724e752
                • Instruction Fuzzy Hash: 39313C716006009BCB50EEA9C980B47B7E9AF49315B14849AF909CF326CB78EC45CB69
                APIs
                • EnumWindows.USER32(Function_000690A4), ref: 00469146
                • GetWindow.USER32(?,00000003), ref: 0046915E
                • GetWindowLongA.USER32(00000000,000000EC), ref: 0046916B
                • SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_000690A4), ref: 004691AA
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$EnumLongWindows
                • String ID:
                • API String ID: 4191631535-0
                • Opcode ID: 1ef9d09c92d75c0d1c23e1a9ada2e0caed8cfe1162169ab1939d0ad2a51b6cf9
                • Instruction ID: 8bfe35be2a7363db8537a10d6163e01802750b5f6caca49a3392796b317ea8f3
                • Opcode Fuzzy Hash: 1ef9d09c92d75c0d1c23e1a9ada2e0caed8cfe1162169ab1939d0ad2a51b6cf9
                • Instruction Fuzzy Hash: 1B11A5306082116FEB10AB28CC89F9673D8AF05764F24417AFD58EF2D6D7B89C40C796
                APIs
                • FindResourceA.KERNEL32(?,?,?), ref: 0041E467
                • LoadResource.KERNEL32(?,0041E4EC,?,?,?,00418BC0,?,00000001,00000000,?,0041E392,00000000,?), ref: 0041E481
                • SizeofResource.KERNEL32(?,0041E4EC,?,0041E4EC,?,?,?,00418BC0,?,00000001,00000000,?,0041E392,00000000,?), ref: 0041E49B
                • LockResource.KERNEL32(0041E0D0,00000000,?,0041E4EC,?,0041E4EC,?,?,?,00418BC0,?,00000001,00000000,?,0041E392,00000000), ref: 0041E4A5
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Resource$FindLoadLockSizeof
                • String ID:
                • API String ID: 3473537107-0
                • Opcode ID: 4fc7be0ee5dba165a1be36828ecc9b6e68be3cfd786ebe19b030062fd20ee26d
                • Instruction ID: 6453017276cc4f171172522b448a9afdd2cd70e885e886dedcaae4617b14323b
                • Opcode Fuzzy Hash: 4fc7be0ee5dba165a1be36828ecc9b6e68be3cfd786ebe19b030062fd20ee26d
                • Instruction Fuzzy Hash: FAF06D76A052046F8744EE6EA881EAB77DCEE88364310446FFE18D7342DA39ED0147BD
                APIs
                  • Part of subcall function 0044FD34: GetClassInfoA.USER32(?,?,?), ref: 0044FDF8
                  • Part of subcall function 0044FD34: UnregisterClassA.USER32(?,?), ref: 0044FE20
                  • Part of subcall function 0044FD34: RegisterClassA.USER32(?), ref: 0044FE36
                  • Part of subcall function 0044FD34: GetWindowLongA.USER32(00000000,000000F0), ref: 0044FE72
                  • Part of subcall function 0044FD34: GetWindowLongA.USER32(00000000,000000F4), ref: 0044FE87
                  • Part of subcall function 0044FD34: SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0044FE9A
                  • Part of subcall function 00429CCC: GetSysColor.USER32(?), ref: 00429CD6
                • SendMessageA.USER32(00000000,0000111D,00000000,00000000), ref: 00470F5B
                • SendMessageA.USER32(00000000,0000111E,00000000,00000000), ref: 00470F83
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ClassLongWindow$MessageSend$ColorInfoRegisterUnregister
                • String ID: explorer
                • API String ID: 120395180-3892292846
                • Opcode ID: 986e1dd5757e787c9830d179b0eb3e1efbb2dafbf0300313d5099e68c8d3e253
                • Instruction ID: d68fcdef8a3404cb41bf5a7e850bf1bf20289270483702ffc5956303c1d0d623
                • Opcode Fuzzy Hash: 986e1dd5757e787c9830d179b0eb3e1efbb2dafbf0300313d5099e68c8d3e253
                • Instruction Fuzzy Hash: 6B71CA34B01145EFDB00EB6DCA86E9D73F1AF49704F2581F6B508DB362DA78AE019B48
                APIs
                • WSAStartup.WS2_32(00000202,00545D78), ref: 0047D5A8
                  • Part of subcall function 0040DB74: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,00410001,00000000,0041005B), ref: 0040DB93
                Strings
                Similarity
                • API ID: FormatMessageStartup
                • String ID: WSAStartup$pA
                • API String ID: 3641380939-1610543030
                • Opcode ID: 2fedb46dc5e4a8f7fc8968b2bfdc17c30e82d876fb9e06605759438fa27a8d64
                • Instruction ID: 537595900b767b2b873002f28d9603a21b62f7e5c25ba2f45d49200178f87eb8
                • Opcode Fuzzy Hash: 2fedb46dc5e4a8f7fc8968b2bfdc17c30e82d876fb9e06605759438fa27a8d64
                • Instruction Fuzzy Hash: 2B01B570E04749AFD700DFA5CC82AAEBBF8EB49704F51843AE504E7381E7B96904CB59
                APIs
                • GetFileAttributesA.KERNEL32(00000000,?,?,00426DC5), ref: 0040A258
                • GetLastError.KERNEL32(00000000,?,?,00426DC5), ref: 0040A26A
                Strings
                Similarity
                • API ID: AttributesErrorFileLast
                • String ID: {
                • API String ID: 1799206407-366298937
                • Opcode ID: d98b87ea89ae01699f5600bd7d8c3ad6a09e7ba306926ce2375cd7a11b811b88
                • Instruction ID: c1e3ee8e8745ae79dc0492e2864a77296bab9bfb62f18fb196c8ebadbb1b2d75
                • Opcode Fuzzy Hash: d98b87ea89ae01699f5600bd7d8c3ad6a09e7ba306926ce2375cd7a11b811b88
                • Instruction Fuzzy Hash: B7E04F6661672015CDA560FD18CA5AF034489163E83680ABFFC11F73D2D23F5C62529F
                APIs
                • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00427E0D), ref: 00427CD5
                • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00427E0D), ref: 00427D45
                • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 00427DB0
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                • Opcode ID: 633c0e1225bd5326e817a021a3fce843f7883a04ab19841f0da278ae88889207
                • Instruction ID: 686c271aeb4358f628470987e7e7ec70f88e767d21c25f19f73163f3f64fb188
                • Opcode Fuzzy Hash: 633c0e1225bd5326e817a021a3fce843f7883a04ab19841f0da278ae88889207
                • Instruction Fuzzy Hash: 8441B530B04618ABDB11DB65D842B9FB7FAEF48304F9444BAB804E3281C779AF05E758
                APIs
                  • Part of subcall function 00478498: GlobalFree.KERNEL32(?), ref: 004784A6
                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00478BDB
                • GlobalLock.KERNEL32(?), ref: 00478BFE
                • GlobalUnlock.KERNEL32(?), ref: 00478C3B
                Similarity
                • API ID: Global$AllocFreeLockUnlock
                • String ID:
                • API String ID: 1984110005-0
                • Opcode ID: e8df69e0bcca917c79e456c3df120e9c3c758385b18a54459af940b46eede84b
                • Instruction ID: 7b3f8150574b6ea542b2788507cccecc64d7d32efee86ec04ca80752e54f6d67
                • Opcode Fuzzy Hash: e8df69e0bcca917c79e456c3df120e9c3c758385b18a54459af940b46eede84b
                • Instruction Fuzzy Hash: 9C11A570700600AFC711DF6DC849D5AB7E8EF4D71076184B9F908DB351DA34AC009B64
                APIs
                • GetThreadLocale.KERNEL32 ref: 0040F54E
                • GetSystemMetrics.USER32(0000004A), ref: 0040F5A1
                • GetSystemMetrics.USER32(0000002A), ref: 0040F5B0
                Similarity
                • API ID: MetricsSystem$LocaleThread
                • String ID:
                • API String ID: 2159509485-0
                • Opcode ID: 313ca7552c83208f6beace3a1cd279d47bf1f70cc756307d3a1d50ea0cea4b0c
                • Instruction ID: 569938910a0f35879df658cd2d76250f3dfc99baaf4e07749eab83258e30c1ba
                • Opcode Fuzzy Hash: 313ca7552c83208f6beace3a1cd279d47bf1f70cc756307d3a1d50ea0cea4b0c
                • Instruction Fuzzy Hash: E7014860A05751AAD3309F269C01363B7D8DF11315F04C43FE888A7BD2EA3CD949C369
                APIs
                • IsWindowVisible.USER32(?), ref: 0045F474
                • IsWindowEnabled.USER32(?), ref: 0045F47E
                • EnableWindow.USER32(?,00000000), ref: 0045F4A4
                Similarity
                • API ID: Window$EnableEnabledVisible
                • String ID:
                • API String ID: 3234591441-0
                • Opcode ID: 496b4cce4b2c4815c180a96effcfef94b876ee1b036f7b8b5c63d14263f386f1
                • Instruction ID: 8a7c966e619ce3f0b55d48f0a9efcb1ee9ade75df528b200df0b5e0f86cb4fc1
                • Opcode Fuzzy Hash: 496b4cce4b2c4815c180a96effcfef94b876ee1b036f7b8b5c63d14263f386f1
                • Instruction Fuzzy Hash: 43E0C9705042006FD300AB369C81E1B76AEEF66365F51912AA854963D2DB38E849AA6A
                APIs
                • Sleep.KERNEL32(00000000,004026EE,?,?,?,00402781), ref: 0040263A
                • Sleep.KERNEL32(0000000A,00000000,004026EE,?,?,?,00402781), ref: 00402653
                • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,004026EE,?,?,?,00402781), ref: 00402681
                Similarity
                • API ID: Sleep$AllocVirtual
                • String ID:
                • API String ID: 3510833457-0
                • Opcode ID: 693e1d31023c7d93942292400fbe6f97a2643ac2c131c076aeffd759d37036c0
                • Instruction ID: 1d5429827b3f1d3c3770ae10490022e08e9617fa1474a8bf91ac62ca8e244a4b
                • Opcode Fuzzy Hash: 693e1d31023c7d93942292400fbe6f97a2643ac2c131c076aeffd759d37036c0
                • Instruction Fuzzy Hash: 77F0A7B864434155EB2077714E8EBD52691873274DF04483FA2803A2F3C5FE4ACD9B0E
                APIs
                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00427FDF
                Strings
                Similarity
                • API ID: QueryValue
                • String ID: txB
                • API String ID: 3660427363-3549285084
                • Opcode ID: 4773d064b3a0918e120cb0a21b8975f9528e69c8c5e26d0f8cb11a65dade5040
                • Instruction ID: a94bd7fac7a5a76328c290aadef98871dc215f931fa7265e82ad30a0e0f0e02c
                • Opcode Fuzzy Hash: 4773d064b3a0918e120cb0a21b8975f9528e69c8c5e26d0f8cb11a65dade5040
                • Instruction Fuzzy Hash: 70018476B04108ABD700DE99DC81ADFB7ACDB49314F00817BFA04D7381DA359E04C7A4
                APIs
                • DrawTextA.USER32(00000000,00000000,000000FF,?,00000000), ref: 0043C6F8
                  • Part of subcall function 0043B9A0: InflateRect.USER32(?,000000FF,000000FF), ref: 0043B9E3
                • InflateRect.USER32(?,?,?), ref: 0043C631
                Similarity
                • API ID: InflateRect$DrawText
                • String ID:
                • API String ID: 4118083156-0
                • Opcode ID: 8e230b9c83281f2fdc271ef0a81c3299573f2d05228c0ccab97bbb36508b3dbc
                • Instruction ID: e64ed8831fd7774430ae98bf518d8abd6f1f55d4bba6e9e0ba91f4aa8307d076
                • Opcode Fuzzy Hash: 8e230b9c83281f2fdc271ef0a81c3299573f2d05228c0ccab97bbb36508b3dbc
                • Instruction Fuzzy Hash: 8B41A4716042049FCB00EF69DCC2AAB77B9AF89315F14157AFD05EB257C638AD05CBA8
                APIs
                • GetWindowLongA.USER32(?,000000EC), ref: 0046A6BF
                • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0046A6CD
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 928edef73c201076636d2539cdcb85aa418d74f02e0ad482b63e784abf6cecf2
                • Instruction ID: ba08cb22e3347253173da47cd7a9682585e76fb9130dbe1f870b2f55d3653994
                • Opcode Fuzzy Hash: 928edef73c201076636d2539cdcb85aa418d74f02e0ad482b63e784abf6cecf2
                • Instruction Fuzzy Hash: B631F730604B109FDB10EF24C881A6ABBF5EF49325F1541AAFC40AB396E73DDD50CA5A
                APIs
                • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00427C3D), ref: 00427BB2
                • RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00427C3D), ref: 00427BE6
                Similarity
                • API ID: CreateOpen
                • String ID:
                • API String ID: 436179556-0
                • Opcode ID: a853bf9690b05917144c48ce013e14653161da3e32408b3ab85763185011e762
                • Instruction ID: 33ecdcb2003a6cc79c1d8e3a013da3a96dc9b747ac1f5ac973d405378fde3122
                • Opcode Fuzzy Hash: a853bf9690b05917144c48ce013e14653161da3e32408b3ab85763185011e762
                • Instruction Fuzzy Hash: E6319430B04618AFDB11DBB6D842B9FB7F8EB08304F9044BAB500E7281D678AF049718
                APIs
                • GetDC.USER32(00000000), ref: 00436629
                • ReleaseDC.USER32(00000000,?), ref: 0043669C
                Similarity
                • API ID: Release
                • String ID:
                • API String ID: 1375353473-0
                • Opcode ID: 5a2c8b9fd4bef168987a870c284602444c75dd1d2bd9179887fd22776851c230
                • Instruction ID: be155b460f86359509bbc05f6fdc2480a35c628bd16d7bda84665b6782b82325
                • Opcode Fuzzy Hash: 5a2c8b9fd4bef168987a870c284602444c75dd1d2bd9179887fd22776851c230
                • Instruction Fuzzy Hash: 3D11B234A04108AFD701DF99D491AEEB7F8EB48718F5540EAF90497391D738AE10DB95
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 0045F50A
                • EnumThreadWindows.USER32(00000000,0045F464,00000000), ref: 0045F510
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Thread$CurrentEnumWindows
                • String ID:
                • API String ID: 2396873506-0
                • Opcode ID: 8ea453c7305d489a00aeb61e3a170171a625488fed0abe1b2cd59c40b61b5424
                • Instruction ID: 636cb97778da70744efca652379a227b8b772e7535bbf80290894bfe6f0dc35c
                • Opcode Fuzzy Hash: 8ea453c7305d489a00aeb61e3a170171a625488fed0abe1b2cd59c40b61b5424
                • Instruction Fuzzy Hash: 1B118E70A14704BFD305CF65EC51A0ABBE8E75A710F238476E804D37A1E7357509EE15
                APIs
                • LoadCursorA.USER32(00000000,00007F00), ref: 00467C91
                • LoadCursorA.USER32(00000000,00000000), ref: 00467CC0
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CursorLoad
                • String ID:
                • API String ID: 3238433803-0
                • Opcode ID: bdda68e548c36f819ded4508dab65b54df92091df65405bb4d49320351324ed6
                • Instruction ID: b4be52a72ef7448b0aa5c47192141ad7c9a5f1a181788a0fbd6173c8ff100727
                • Opcode Fuzzy Hash: bdda68e548c36f819ded4508dab65b54df92091df65405bb4d49320351324ed6
                • Instruction Fuzzy Hash: 47F0A761B0820417D620563E5CD1A7E7285DFD6739B20033BF979D73D1E63D6C4242AB
                APIs
                • SetErrorMode.KERNEL32 ref: 00410632
                • LoadLibraryA.KERNEL32(00000000,00000000,0041067C,?,00000000,0041069A), ref: 00410661
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorLibraryLoadMode
                • String ID:
                • API String ID: 2987862817-0
                • Opcode ID: 63ac723b3a8d8509899428f1ba6359b11307207a3d40632056bd6dd9e2fa0488
                • Instruction ID: b64b6aad114e247a1759fb21db4d9a2a526ef5d589af83c38377bd021345f4b1
                • Opcode Fuzzy Hash: 63ac723b3a8d8509899428f1ba6359b11307207a3d40632056bd6dd9e2fa0488
                • Instruction Fuzzy Hash: 5AF0AE70A047047FDB115F768C6295F7BECE74DB107534876F800B2691E57D5C60C568
                APIs
                • SetFilePointer.KERNEL32(?,?,?), ref: 0040A1DE
                • GetLastError.KERNEL32(?,?,?), ref: 0040A1EC
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                • Opcode ID: e7014238344f85e397013c0ff2038b5e5e7b56f97d336c64f76388d06d9f80f4
                • Instruction ID: b3f882a012a14c55094475c3b33b3143e681fe645b7fa11ca7e7346eb142f326
                • Opcode Fuzzy Hash: e7014238344f85e397013c0ff2038b5e5e7b56f97d336c64f76388d06d9f80f4
                • Instruction Fuzzy Hash: 29F0BD75914208AFDB50DAA898818DEB7FCEA09270F204666E964E73C0E634AE409795
                APIs
                • SetErrorMode.KERNEL32 ref: 00410632
                • LoadLibraryA.KERNEL32(00000000,00000000,0041067C,?,00000000,0041069A), ref: 00410661
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorLibraryLoadMode
                • String ID:
                • API String ID: 2987862817-0
                • Opcode ID: 591194e2b2e4c3816f95d2986194465465168ac13dd3bc1fe492ddb2a3e940f1
                • Instruction ID: 196c09f0ab6f751a367373321a25e921a885a579ffeafdb1a4e909c188fcb5c7
                • Opcode Fuzzy Hash: 591194e2b2e4c3816f95d2986194465465168ac13dd3bc1fe492ddb2a3e940f1
                • Instruction Fuzzy Hash: BFF0AE70A047047FDB115F768C6295F7BECE74DB107534876F800B2691E57D5C60C568
                APIs
                • SysFreeString.OLEAUT32 ref: 004054BE
                • SysReAllocStringLen.OLEAUT32(?,?,?), ref: 00405506
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: 57e41f446d0e49effd6288ec74dd29c57df827ff7fca3e535d60a0643b7d3d91
                • Instruction ID: 4769b80a956c5479a37c9cbb9d14ee595f0a66cba687178a7dfa7f3e859e59a9
                • Opcode Fuzzy Hash: 57e41f446d0e49effd6288ec74dd29c57df827ff7fca3e535d60a0643b7d3d91
                • Instruction Fuzzy Hash: 1AE086B4111B016EFB145A158C547772669DBC1307BA8C97EE8017B3D4DA3D9C408A2C
                APIs
                • RegFlushKey.ADVAPI32(00000000,?,00427B0C,?,?,00000000,00427C27,?,00000000,00000000,00000000,?,?,00000000,00427C3D), ref: 00427AB1
                • RegCloseKey.ADVAPI32(00000000,?,00427B0C,?,?,00000000,00427C27,?,00000000,00000000,00000000,?,?,00000000,00427C3D), ref: 00427ABA
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CloseFlush
                • String ID:
                • API String ID: 320916635-0
                • Opcode ID: 0645fba58b211e75af762ad110a6cd0c2afb421ef2e1c1fdffbc3ba9d9370b17
                • Instruction ID: 851f36df53c87cb547ccd00b71a11fec5372e96f77aef3f8eb3f3426f1fc5105
                • Opcode Fuzzy Hash: 0645fba58b211e75af762ad110a6cd0c2afb421ef2e1c1fdffbc3ba9d9370b17
                • Instruction Fuzzy Hash: 48D012B0B052009BDF50DE7A99C1B0B7BD85F04354B08C4ABAC08DF187D638D4009724
                APIs
                • FindNextFileA.KERNEL32(?,?,?,0050C8B1), ref: 0040A4E7
                • GetLastError.KERNEL32(?,?,?,0050C8B1), ref: 0040A4F9
                  • Part of subcall function 0040A408: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A438
                  • Part of subcall function 0040A408: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A447
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: FileTime$DateErrorFindLastLocalNext
                • String ID:
                • API String ID: 2103556486-0
                • Opcode ID: e8712560845b0b29b748e10b99c1e78511de1b8937f9ff43533275df911ec516
                • Instruction ID: 36e8791ac266006ac7e11d665136c79116465c15f591e9ff2fcadc1ba7f05e0b
                • Opcode Fuzzy Hash: e8712560845b0b29b748e10b99c1e78511de1b8937f9ff43533275df911ec516
                • Instruction Fuzzy Hash: 10C012A264020467CB40BAFA5CC5D57328C5A08205750457BBA04EB183EA7CF8615226
                APIs
                • VirtualAlloc.KERNEL32(?,00000000,00001000,00000040), ref: 004AC53F
                • VirtualAlloc.KERNEL32(?,00000000,00001000,00000040), ref: 004AC56C
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: 0e1d0b004b8768345fce6e91cb09a440d107727db670313b2d94397504b40068
                • Instruction ID: d2ec73071a63dd3d05c6e52adff2401d9b25bc99714ffe73e979f64d4801a1f7
                • Opcode Fuzzy Hash: 0e1d0b004b8768345fce6e91cb09a440d107727db670313b2d94397504b40068
                • Instruction Fuzzy Hash: DC219D75A00214AFCB50DF69C8C1B4AB3E8EF58354F14445AFA08EB382D678FD40CBA8
                APIs
                • CreateStreamOnHGlobal.COMBASE(?,00000000,00000000), ref: 00477D30
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateGlobalStream
                • String ID:
                • API String ID: 2244384528-0
                • Opcode ID: 57412214da5cf598ee0ad6a1243e91a531a6a5ab0ef1f9ec9f00c907e5b91efb
                • Instruction ID: 164f09c183fe83d00f5751add848b78cf1bff260edac5d5a0138634ba0b88f09
                • Opcode Fuzzy Hash: 57412214da5cf598ee0ad6a1243e91a531a6a5ab0ef1f9ec9f00c907e5b91efb
                • Instruction Fuzzy Hash: F291D775A04104AFD740DBA9C989FAAB7F8EF09304F5581E6F919EB3A1C734AD04CB18
                APIs
                • DrawTextA.USER32(?,00000000,?,?,?), ref: 0043609A
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: DrawText
                • String ID:
                • API String ID: 2175133113-0
                • Opcode ID: d8209ba7acd297bdd36f87cbd65b9ff7602ebb4e0b412a776950d4b47b28a063
                • Instruction ID: 793c60ad637257413205b24c9d9bf3422daf3e2050a60e1a9c64301ade5a8e8e
                • Opcode Fuzzy Hash: d8209ba7acd297bdd36f87cbd65b9ff7602ebb4e0b412a776950d4b47b28a063
                • Instruction Fuzzy Hash: DF11A271300246AB9B04EFA9C882AAB77B99F0C358F11D46BFD44DB342DA39DD058779
                APIs
                • VirtualProtect.KERNEL32(?,?,00000000,?), ref: 004AC8BA
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 53e21ef1d4d29644083b417c0e57dc8362ff05593e4847d30c9ba768da40bc3e
                • Instruction ID: 93ae6398b90872743a3f47b25e168c564e00c60b6bc1c7c0fca34d04de79104c
                • Opcode Fuzzy Hash: 53e21ef1d4d29644083b417c0e57dc8362ff05593e4847d30c9ba768da40bc3e
                • Instruction Fuzzy Hash: BC115B766042149FE750EE5AC9C4F6777E8BF2A791B05015AFD08CB366D23CEC008758
                APIs
                • CallWindowProcA.USER32(?,00000000,?,?,?), ref: 004782F0
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: 2b1bd6420fdfed6fb833766c62c1111d1edc62fde1592402d3cc43efd71993bb
                • Instruction ID: 0f8f2babd8260a342a5d96b1d5d4e8997fdc81e6dc719f4738a24384052cb5f8
                • Opcode Fuzzy Hash: 2b1bd6420fdfed6fb833766c62c1111d1edc62fde1592402d3cc43efd71993bb
                • Instruction Fuzzy Hash: 3501F5727086005FE711DE6ED849E96B3DDEB49B15B20887FFD4CC3A42DA3D98448728
                APIs
                • IsChild.USER32(00000000,00000000), ref: 0046B372
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Child
                • String ID:
                • API String ID: 3815930669-0
                • Opcode ID: 36647be8d63b36cda634cc681d724530940a6a225c106b91079525d2bbb1cd35
                • Instruction ID: 4504c94949bbab149e9bc94f98a4f4ec2bb6e0aa1900ce2deb856ffe01772747
                • Opcode Fuzzy Hash: 36647be8d63b36cda634cc681d724530940a6a225c106b91079525d2bbb1cd35
                • Instruction Fuzzy Hash: 140175317092049BD720AA6A9885B9B73D8DB51759F1004BBFC44CB362FB799CC582EE
                APIs
                • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004280BE), ref: 004280A3
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                • Opcode ID: 87c7076ea546ae1cae25b35be35abec63944ab143fbfb738779f88ae3b2ae726
                • Instruction ID: bf5703d467f4b829d65a57e48e7487e90cfd19f180282f36778f1677fc8db6c8
                • Opcode Fuzzy Hash: 87c7076ea546ae1cae25b35be35abec63944ab143fbfb738779f88ae3b2ae726
                • Instruction Fuzzy Hash: DA017570B05618AFD714EB69D852A9FB7ECEF48304FA1007AB904E3381DA39AE049659
                APIs
                • GetDriveTypeA.KERNEL32(00000000,00000000,0050C6BF,?,?,?,00000000,00000000), ref: 0050C681
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: DriveType
                • String ID:
                • API String ID: 338552980-0
                • Opcode ID: a44e85de1749d2d78ee6d1fba2c894d4cc27dedbfe3b6ea3f0ddbccd814ef885
                • Instruction ID: 14a351730f3d408a2a90bde079475857a2dfca6f5699a44d5280b7b4bbfb87f3
                • Opcode Fuzzy Hash: a44e85de1749d2d78ee6d1fba2c894d4cc27dedbfe3b6ea3f0ddbccd814ef885
                • Instruction Fuzzy Hash: DF01F734600208AFDB20DB65CC91A5E7FACFB4A304F611575F500AB3D1CA3AED00CA59
                APIs
                • CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000,00000000,00403D2F), ref: 00403D0E
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CompareString
                • String ID:
                • API String ID: 1825529933-0
                • Opcode ID: 4af95396df426f8a60ed4ef16be6c940f5e060df850eb16307cf44cd79f6527b
                • Instruction ID: 12434de897926d73c2c79dffc3552b8a966e074540d3ca69698d23354a666ced
                • Opcode Fuzzy Hash: 4af95396df426f8a60ed4ef16be6c940f5e060df850eb16307cf44cd79f6527b
                • Instruction Fuzzy Hash: B401D670708608AFDB10EB79DC83A8E76ACDB88708F51047AF508F22D1DA785F00895C
                APIs
                • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408097
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: 01eb1355a162092c442146bac9164310af7bf80b67916e4f547f2fc484d69377
                • Instruction ID: a4ed40b5d295707a036a7169421b645f5f365cee71ad943231785b9ffbe7d835
                • Opcode Fuzzy Hash: 01eb1355a162092c442146bac9164310af7bf80b67916e4f547f2fc484d69377
                • Instruction Fuzzy Hash: 00F074B2700118BF9B40DE9EDC81E9B77ECEB4D264B054129BA0CE7201D634ED1087B4
                APIs
                • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408097
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateWindow
                • String ID:
                • API String ID: 716092398-0
                • Opcode ID: b18f59b301b28175ead8474ca2e5f8d5b6172b1ab1e503d6e8685cfaf78df50e
                • Instruction ID: d08739ee55399cfb9b384cd4998a9f41edfbd2adfdad16134b8fe81064569bf5
                • Opcode Fuzzy Hash: b18f59b301b28175ead8474ca2e5f8d5b6172b1ab1e503d6e8685cfaf78df50e
                • Instruction Fuzzy Hash: 38F074B2600118AF8B40DE9EDC81E9B77ECEB4D264B054129BA0CE7201D634ED1087B4
                APIs
                • SendMessageA.USER32(00000000,00000143,00000000,00000000), ref: 0043775D
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: LoadMessageSendString
                • String ID:
                • API String ID: 1946433856-0
                • Opcode ID: 462f2c54b26e9df815d6a990c5f30a98464bbcd6ecea1929dcc08e611a745766
                • Instruction ID: 9348d1ea79736fcabd3142b28690515b47b9a9cb67a7ad1327e0036b149bbdce
                • Opcode Fuzzy Hash: 462f2c54b26e9df815d6a990c5f30a98464bbcd6ecea1929dcc08e611a745766
                • Instruction Fuzzy Hash: E3F0A470704604BBE311EB66CC92F5973D8DB49708F510476FA00A7692DA79BE04955C
                APIs
                • CreateThread.KERNEL32(?,?,Function_00004C1C,00000000,?,?), ref: 00404CA4
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateThread
                • String ID:
                • API String ID: 2422867632-0
                • Opcode ID: c1998dafd13a8c6ba196485e371a41e0a9d9ba19e0f058f607ead6f0d1d6e562
                • Instruction ID: c3e0b29029ab048ff034bf6adb9615aada427bde042b6a47db78eeb5752ab8ca
                • Opcode Fuzzy Hash: c1998dafd13a8c6ba196485e371a41e0a9d9ba19e0f058f607ead6f0d1d6e562
                • Instruction Fuzzy Hash: 1AF062B1205104AFE304DF8DD848E5BBBBCEBD9364F11802AF608D72A1C6759D459764
                APIs
                • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,00428032,?,?,?,?,?,00428032), ref: 00427E5E
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: a2ea3b4b87824eee0d55b8ca38681b9679c787b1ddd17d55bb882adca093a45a
                • Instruction ID: d3c35bc087862324a8ef63238a974093d77486d3af5364ca0ed8539426b07a15
                • Opcode Fuzzy Hash: a2ea3b4b87824eee0d55b8ca38681b9679c787b1ddd17d55bb882adca093a45a
                • Instruction Fuzzy Hash: D8F0A0723092086BE700EA6E9C41FABBBCCDB88354F00803EB548C7291DA24DC098369
                APIs
                • CreateThread.KERNEL32(?,?,Function_00004C1C,00000000,?,?), ref: 00404CA4
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateThread
                • String ID:
                • API String ID: 2422867632-0
                • Opcode ID: bc9afb5187311c6c655a753152518e196e4c233e13b2ee9246b837effd88223a
                • Instruction ID: 89854bda9592eba121d83e8721f9a80745042cad0e51470854502c1b09c83ae5
                • Opcode Fuzzy Hash: bc9afb5187311c6c655a753152518e196e4c233e13b2ee9246b837effd88223a
                • Instruction Fuzzy Hash: 3EF05EB2205104BFE304CA8DAC44EABB7ACDBD9364F10802AF608D7291D2759D4597A4
                APIs
                • CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00418A40,0041DFB2,00000000,0041E030,?,?,00418A40), ref: 0040A15A
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 93f50b73edb0bea0e3151b10386cb5971150f9d94978b33c8c003af2ac9b77bb
                • Instruction ID: 12ed9be405e2699fb29f738c4e96613806131aa8ae98785a5be634e7574c4ffd
                • Opcode Fuzzy Hash: 93f50b73edb0bea0e3151b10386cb5971150f9d94978b33c8c003af2ac9b77bb
                • Instruction Fuzzy Hash: D1E092B2B8061426F330B5AD9CC2B4B914EC785769F19413AF214FB3D1C0BCDD1662A9
                APIs
                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0044B927
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: c4643b4b68760a8d6199615b02a577f63622df5181be579b687e7404b3f1c16c
                • Instruction ID: ae7e1c5642afe656c6ce1464cd9707bf1fd320cf40c09bb8fbf1a9685e4a0d09
                • Opcode Fuzzy Hash: c4643b4b68760a8d6199615b02a577f63622df5181be579b687e7404b3f1c16c
                • Instruction Fuzzy Hash: 7EF0D4362042019FC704DF5CC8C498ABBE5FF89255F4446A8FA89CB356DA32E858CB92
                APIs
                • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00406522
                  • Part of subcall function 00406768: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00406784
                  • Part of subcall function 00406768: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004067A2
                  • Part of subcall function 00406768: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 004067C0
                  • Part of subcall function 00406768: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 004067DE
                  • Part of subcall function 00406768: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,0040686D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406827
                  • Part of subcall function 00406768: RegQueryValueExA.ADVAPI32(?,004069D4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,0040686D,?,80000001), ref: 00406845
                  • Part of subcall function 00406768: RegCloseKey.ADVAPI32(?,00406874,00000000,00000000,00000005,00000000,0040686D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406867
                Similarity
                • API ID: Open$FileModuleNameQueryValue$Close
                • String ID:
                • API String ID: 2796650324-0
                • Opcode ID: 7bd40a2100f2e8fb669a6646d875a65553c9f466fd8db7fd34cb199ef84c5c4b
                • Instruction ID: bf081ebca2c20d612ac7e034353e4a339b0e2e09191e47d35eb5c0dd29852a33
                • Opcode Fuzzy Hash: 7bd40a2100f2e8fb669a6646d875a65553c9f466fd8db7fd34cb199ef84c5c4b
                • Instruction Fuzzy Hash: DBE06D71A003249BCB10DE6CD8C1A4733D8AB08B54F4145A6BC55EF38AD374DD2087E5
                APIs
                • ReadFile.KERNEL32(?,?,00000004,?,00000000,00000004,?,?,?,004B0BB8,00000000,004B0C46), ref: 0040A178
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                • Opcode ID: 4a1c7a00da40de06c3b150d4df75132f8b8e6f3d4a19b37c57cc54aff7f87f5b
                • Instruction ID: bdd6f1eb07f32a21a2dc8538c13de6c80f33bc5f0064890eb3efa8525ed1dee9
                • Opcode Fuzzy Hash: 4a1c7a00da40de06c3b150d4df75132f8b8e6f3d4a19b37c57cc54aff7f87f5b
                • Instruction Fuzzy Hash: CFD05B723082107AD220955F5C44DBB6BDCCBC5770F10063EB658D71C0D6308C0183B6
                APIs
                • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,0044DEF3), ref: 0044B131
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: 1fdc49b91a679787852b4947ab6534624f61db1d2af03c5af9ef9462ae2f5afe
                • Instruction ID: f37b007e81e86a469ccd8db6028da11f04f6c59cdc8caa55b75a1ac0cb529b7a
                • Opcode Fuzzy Hash: 1fdc49b91a679787852b4947ab6534624f61db1d2af03c5af9ef9462ae2f5afe
                • Instruction Fuzzy Hash: 80E092712042409FEB48CE5DC4D9B867BE9AF49254F0880A5EE49CB25AEB75EC049BA0
                APIs
                • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,0044DEFD), ref: 0044B0FB
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: 67c763cfa67595037f9505727f7c97d967f40723b66cb0ccb95a92d150f2dc89
                • Instruction ID: e4ccffe24f59fc81e07e9473c8e07a13acb5260de10f4f66b354790a7a253ca5
                • Opcode Fuzzy Hash: 67c763cfa67595037f9505727f7c97d967f40723b66cb0ccb95a92d150f2dc89
                • Instruction Fuzzy Hash: 91E092712002449FEB89CE5CC4C5B823BE8AF09215F0880A5EE49CB34AEB65AC44CB60
                APIs
                • KiUserCallbackDispatcher.NTDLL(?,00000091,?,?,00437878), ref: 0044B163
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: 2db6bfee83c96cc05a8d0e8abf5e713d6523af880ce472c61bee6ac9df0207c6
                • Instruction ID: 6de2b06e76a9545a37969f6266e59a29ea37ca8d49f2e6b04a139162ade80660
                • Opcode Fuzzy Hash: 2db6bfee83c96cc05a8d0e8abf5e713d6523af880ce472c61bee6ac9df0207c6
                • Instruction Fuzzy Hash: B3E092712002409BEB48CE59C4C4B927BE9AF49254F4880A9EE49CB25AEB75AC44CBA0
                APIs
                • KiUserCallbackDispatcher.NTDLL(00000019,?,?,?,00437884), ref: 0044B197
                Similarity
                • API ID: CallbackDispatcherUser
                • String ID:
                • API String ID: 2492992576-0
                • Opcode ID: b0e61481ec24ad3fbeb691294c4ff858e0bed5c0029e4bcab090e1db3ed2264e
                • Instruction ID: 1a71a72fff03a0811300c86cd9afafb9f2aaefb790647d2dbd2693d369fc5863
                • Opcode Fuzzy Hash: b0e61481ec24ad3fbeb691294c4ff858e0bed5c0029e4bcab090e1db3ed2264e
                • Instruction Fuzzy Hash: 58E09A712041409BEB44CE59C4C4B927BE4AF49255F0880A9ED45CB35ADB759C04CFA0
                APIs
                • ResumeThread.KERNEL32(?,?,?,0047F367), ref: 00422108
                  • Part of subcall function 00421E10: GetLastError.KERNEL32(00000000,004221C9,?,?,?,000000FF), ref: 00421E17
                Similarity
                • API ID: ErrorLastResumeThread
                • String ID:
                • API String ID: 1307702467-0
                • Opcode ID: d235e4f50d320f130096ed5aef23416b2e7f73a998e8d9adaf6b35cd9754b87d
                • Instruction ID: 26cc30304ad3ffbdc98e74555205ee6746941e6ab71b93a458dae99b235776f4
                • Opcode Fuzzy Hash: d235e4f50d320f130096ed5aef23416b2e7f73a998e8d9adaf6b35cd9754b87d
                • Instruction Fuzzy Hash: 8DD02222B016310BCB326ABC2CC0B5A52884F182A5B4988A6B940FF383C5A8CC1003A4
                APIs
                • GetFileAttributesA.KERNEL32(00000000,00000001,0040A338,00000000,0040A3A1,?,?,00000000,00000000,00000000,00000000), ref: 0040A29F
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 3d62bc228ff5a4d93715a2fbac26689e68a7e12656113bb75e7ea1fad2f4b15f
                • Instruction ID: 8cc4b529787aeb29973cb0aacd7bed998981e4b1ec7c213dcc91a6a61ce9c189
                • Opcode Fuzzy Hash: 3d62bc228ff5a4d93715a2fbac26689e68a7e12656113bb75e7ea1fad2f4b15f
                • Instruction Fuzzy Hash: B0C08CB0B113000BDE10A1BD0CC564B02884A183783A41BBBF029F2BD2D23EA836201A
                APIs
                • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0045F660
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: a99d481cbc96c81a612d16258346245a9c9e7a638fa73b34b8c15d3e49176368
                • Instruction ID: 9abf6844623baf8f79e15dc8178f95acd3cd1788fb4f0acf1a6b67dfc3ff2294
                • Opcode Fuzzy Hash: a99d481cbc96c81a612d16258346245a9c9e7a638fa73b34b8c15d3e49176368
                • Instruction Fuzzy Hash: 33C08CA21143202AD900C295BCC2F3A2318E3A8700F104006F204872C0C33938002970
                APIs
                • FindClose.KERNEL32(?,?,0040A4CA,00000000,?,?,?,?,0050C7C4), ref: 0040A50C
                Similarity
                • API ID: CloseFind
                • String ID:
                • API String ID: 1863332320-0
                • Opcode ID: a03584371173035dad7d5e146195512fd8cf255241b1aef09afaedf037d782bc
                • Instruction ID: 5c751ee274e9b239e3ba2c5ca8e4d1c1dda9fe8d24e5562bdf25e973d3ee2b49
                • Opcode Fuzzy Hash: a03584371173035dad7d5e146195512fd8cf255241b1aef09afaedf037d782bc
                • Instruction Fuzzy Hash: 94C04CB0504700568B549E7D4CC841726986A453393604755A534DA3E6D73CD9624AA5
                APIs
                • SetErrorMode.KERNEL32(?,004106A1), ref: 00410694
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: d2b95dc3fd8c27ffd7c2b884766e48916dcfa36687f3b25fae790f41840676b0
                • Instruction ID: c1610e4dc49b0163cfb3ee65ab196569d586d217f7900a5d7277c8f6e83c70ef
                • Opcode Fuzzy Hash: d2b95dc3fd8c27ffd7c2b884766e48916dcfa36687f3b25fae790f41840676b0
                • Instruction Fuzzy Hash: 20B09B7AA1C6009DA705A695641145C63D4D7C87203A14877F404D7580D57D54604528
                APIs
                • RtlExitUserThread.NTDLL(?,?,00421C32), ref: 00404CC9
                Similarity
                • API ID: ExitThreadUser
                • String ID:
                • API String ID: 3424019298-0
                • Opcode ID: 862be077cde0dd77227f36172a63123808341cd566e0b9834f3aeca75a9f8fd6
                • Instruction ID: af8cde3afec1f5418a0bc48430989ea7964698506baf137e6f45650a0770c419
                • Opcode Fuzzy Hash: 862be077cde0dd77227f36172a63123808341cd566e0b9834f3aeca75a9f8fd6
                • Instruction Fuzzy Hash: ACC09BB120124057D30877F56CCC74621685758367F511875F106963A2C67C49CCD714
                APIs
                • SetErrorMode.KERNEL32(?,004106A1), ref: 00410694
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: 601cab2394ba844bb935772c166756b22bab6ba3c566764bdf27a13b1b2436bf
                • Instruction ID: 5a4783672e99598e752c9e3ed506b594ef423b7692e1ca0ddb8f8a088cb3da1e
                • Opcode Fuzzy Hash: 601cab2394ba844bb935772c166756b22bab6ba3c566764bdf27a13b1b2436bf
                • Instruction Fuzzy Hash: 4EA0223CC08000BECF00BAE8800088C23282A8C300BC00C82B002A3000C03EA080022A
                APIs
                • GetLastError.KERNEL32(00000000,00421CEE), ref: 00421CA4
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorLast
                • String ID:
                • API String ID: 1452528299-0
                • Opcode ID: 04d24916059caf2be016209bae8e6801a0f4a966d8c7515f49681e39508cdf85
                • Instruction ID: 4d57d9e6aec65d1b694838a78f4ca9ad216596939de8ed0b1de0a7aea9641653
                • Opcode Fuzzy Hash: 04d24916059caf2be016209bae8e6801a0f4a966d8c7515f49681e39508cdf85
                • Instruction Fuzzy Hash: E3115B74B043185FD310EBB79C816AF77A49B55304F81883EE514E33D1D6796908C719
                APIs
                • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 004232B2
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: c609c3248c736b1a94b1f318808a43a08e5a1b338ad1236a22ddb497e16b1664
                • Instruction ID: 0c4e164c2904b1eaa4ac9ef2e60aa4a84096b45b44a556744da0de22b71741ad
                • Opcode Fuzzy Hash: c609c3248c736b1a94b1f318808a43a08e5a1b338ad1236a22ddb497e16b1664
                • Instruction Fuzzy Hash: C71148342007159BC710DF19D881B82FBE5EF48351F10C57AE9988B386E378EA04CBA8
                APIs
                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004018A7
                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 004018CA
                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 004018D7
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Virtual$Free$Query
                • String ID:
                • API String ID: 778034434-0
                • Opcode ID: 3a70847dada6d9913a68aa52dbbcbfce048293e370cc647fde7ec9a1bb11c0e5
                • Instruction ID: 960ae0452c7b12065740c1a8f2b1b3a8e146c2b436c06b0ebfdf5d3bc69e9d2b
                • Opcode Fuzzy Hash: 3a70847dada6d9913a68aa52dbbcbfce048293e370cc647fde7ec9a1bb11c0e5
                • Instruction Fuzzy Hash: EAF0A975300600AFD301EB1AC881B57BBE5EFC8310F15C27AE888973B1D234DC028796
                APIs
                • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004), ref: 0040176A
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: 2c4197b80e4a32fd569d67d0360016a61cb1a9856ab118297ee84576b079dd66
                • Instruction ID: 5bfb2d41a8b323327078e46ae7594706784ed20e77ed65a67c7230a11e82a6df
                • Opcode Fuzzy Hash: 2c4197b80e4a32fd569d67d0360016a61cb1a9856ab118297ee84576b079dd66
                • Instruction Fuzzy Hash: D0F049B8B517004BDB088F798D813467ED6E79A349F10817EE609EB3A8E77584469B48
                APIs
                • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 00401834
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: 1feb0c568f8cba9ace5b2d3b3d66b4d7e571a5318074756fef4b8ebdd3e182b1
                • Instruction ID: cf9b7297c0f559f89ec00f3124ce1c9819fac186fdf5c521016ad1bfa7edda33
                • Opcode Fuzzy Hash: 1feb0c568f8cba9ace5b2d3b3d66b4d7e571a5318074756fef4b8ebdd3e182b1
                • Instruction Fuzzy Hash: F3F0E9F6A007557BD3119F5A9C80782BFD4FB51718F01413EF648A73A1C774AA048798
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: LoadString
                • String ID: ASN1_INTEGER_get$ASN1_INTEGER_set$ASN1_INTEGER_to_BN$ASN1_STRING_free$ASN1_STRING_type_new$ASN1_dup$Assertion failure$BIO_ctrl$BIO_f_base64$BIO_f_cipher$BIO_f_md$BIO_f_reliable$BIO_free$BIO_get_ex_data$BIO_int_ctrl$BIO_new$BIO_new_file$BIO_new_mem_buf$BIO_ptr_ctrl$BIO_puts$BIO_read$BIO_s_file$BIO_s_mem$BIO_set_cipher$BIO_set_ex_data$BIO_write$BN_bn2dec$BN_bn2hex$BN_free$BN_hex2bn$BN_new$BN_set_word$CRYPTO_cleanup_all_ex_data$CRYPTO_free$CRYPTO_lock$CRYPTO_malloc$CRYPTO_mem_ctrl$CRYPTO_mem_leaks$CRYPTO_num_locks$CRYPTO_set_locking_callback$CRYPTO_set_mem_debug_functions$CRYPTO_set_mem_functions$D:\Users\Desktop\Indy10.6.2\Lib\Protocols\IdSSLOpenSSLHeaders.pas$DES_ecb_encrypt$DES_set_key$DES_set_odd_parity$DH_free$DTLSv1_client_method$DTLSv1_method$DTLSv1_server_method$ERR_clear_error$ERR_error_string$ERR_error_string_n$ERR_free_strings$ERR_func_error_string$ERR_get_error$ERR_lib_error_string$ERR_load_CRYPTO_strings$ERR_load_ERR_strings$ERR_peek_error$ERR_peek_last_error$ERR_put_error$ERR_reason_error_string$ERR_remove_state$ERR_remove_thread_state$EVP_CIPHER_CTX_block_size$EVP_CIPHER_CTX_cipher$EVP_CIPHER_CTX_cleanup$EVP_CIPHER_CTX_copy$EVP_CIPHER_CTX_ctrl$EVP_CIPHER_CTX_flags$EVP_CIPHER_CTX_free$EVP_CIPHER_CTX_get_app_data$EVP_CIPHER_CTX_init$EVP_CIPHER_CTX_iv_length$EVP_CIPHER_CTX_key_length$EVP_CIPHER_CTX_new$EVP_CIPHER_CTX_nid$EVP_CIPHER_CTX_rand_key$EVP_CIPHER_CTX_set_app_data$EVP_CIPHER_CTX_set_key_length$EVP_CIPHER_CTX_set_padding$EVP_CIPHER_asn1_to_param$EVP_CIPHER_block_size$EVP_CIPHER_do_all$EVP_CIPHER_do_all_sorted$EVP_CIPHER_flags$EVP_CIPHER_get_asn1_iv$EVP_CIPHER_iv_length$EVP_CIPHER_key_length$EVP_CIPHER_nid$EVP_CIPHER_param_to_asn1$EVP_CIPHER_set_asn1_iv$EVP_CIPHER_type$EVP_CipherFinal$EVP_CipherFinal_ex$EVP_CipherInit$EVP_CipherInit_ex$EVP_CipherUpdate$EVP_DecodeBlock$EVP_DecodeFinal$EVP_DecodeInit$EVP_DecodeUpdate$EVP_DecryptFinal$EVP_DecryptFinal_ex$EVP_DecryptInit$EVP_DecryptInit_ex$EVP_DecryptUpdate$EVP_DigestFinal_ex$EVP_DigestInit$EVP_DigestInit_ex$EVP_DigestSignFinal$EVP_DigestSignInit$EVP_DigestUpdate$EVP_DigestVerifyFinal$EVP_DigestVerifyInit$EVP_EncodeBlock$EVP_EncodeFinal$EVP_EncodeInit$EVP_EncodeUpdate$EVP_EncryptFinal$EVP_EncryptFinal_ex$EVP_EncryptInit$EVP_EncryptInit_ex$EVP_EncryptUpdate$EVP_MD_CTX_cleanup$EVP_MD_CTX_init$EVP_MD_CTX_md$EVP_MD_block_size$EVP_MD_do_all$EVP_MD_do_all_sorted$EVP_MD_flags$EVP_MD_size$EVP_MD_type$EVP_OpenFinal$EVP_OpenInit$EVP_PBE_CipherInit$EVP_PBE_alg_add$EVP_PBE_alg_add_type$EVP_PBE_cleanup$EVP_PBE_find$EVP_PKEY_CTX_ctrl$EVP_PKEY_CTX_ctrl_str$EVP_PKEY_CTX_dup$EVP_PKEY_CTX_free$EVP_PKEY_CTX_get0_peerkey$EVP_PKEY_CTX_get0_pkey$EVP_PKEY_CTX_get_app_data$EVP_PKEY_CTX_get_cb$EVP_PKEY_CTX_get_data$EVP_PKEY_CTX_get_keygen_info$EVP_PKEY_CTX_get_operation$EVP_PKEY_CTX_new$EVP_PKEY_CTX_new_id$EVP_PKEY_CTX_set0_keygen_info$EVP_PKEY_CTX_set_app_data$EVP_PKEY_CTX_set_cb$EVP_PKEY_CTX_set_data$EVP_PKEY_asn1_add0$EVP_PKEY_asn1_add_alias$EVP_PKEY_asn1_copy$EVP_PKEY_asn1_find$EVP_PKEY_asn1_find_str$EVP_PKEY_asn1_free$EVP_PKEY_asn1_get0$EVP_PKEY_asn1_get0_info$EVP_PKEY_asn1_get_count$EVP_PKEY_asn1_new$EVP_PKEY_asn1_set_ctrl$EVP_PKEY_asn1_set_free$EVP_PKEY_asn1_set_param$EVP_PKEY_asn1_set_private$EVP_PKEY_asn1_set_public$EVP_PKEY_assign$EVP_PKEY_base_id$EVP_PKEY_bits$EVP_PKEY_cmp$EVP_PKEY_cmp_parameters$EVP_PKEY_copy_parameters$EVP_PKEY_decrypt$EVP_PKEY_decrypt_init$EVP_PKEY_decrypt_old$EVP_PKEY_derive$EVP_PKEY_derive_init$EVP_PKEY_derive_set_peer$EVP_PKEY_encrypt$EVP_PKEY_encrypt_init$EVP_PKEY_encrypt_old$EVP_PKEY_free$EVP_PKEY_get0$EVP_PKEY_get0_asn1$EVP_PKEY_get1_DH$EVP_PKEY_get1_DSA$EVP_PKEY_get1_EC_KEY$EVP_PKEY_get1_RSA$EVP_PKEY_get_default_digest_nid$EVP_PKEY_id$EVP_PKEY_keygen$EVP_PKEY_keygen_init$EVP_PKEY_meth_add0$EVP_PKEY_meth_copy$EVP_PKEY_meth_find$EVP_PKEY_meth_free$EVP_PKEY_meth_get0_info$EVP_PKEY_meth_new$EVP_PKEY_meth_set_cleanup$EVP_PKEY_meth_set_copy$EVP_PKEY_meth_set_ctrl$EVP_PKEY_meth_set_decrypt$EVP_PKEY_meth_set_derive$EVP_PKEY_meth_set_encrypt$EVP_PKEY_meth_set_init$EVP_PKEY_meth_set_keygen$EVP_PKEY_meth_set_paramgen$EVP_PKEY_meth_set_sign$EVP_PKEY_meth_set_signctx$EVP_PKEY_meth_set_verify$EVP_PKEY_meth_set_verify_recover$EVP_PKEY_meth_set_verifyctx$EVP_PKEY_missing_parameters$EVP_PKEY_new$EVP_PKEY_new_mac_key$EVP_PKEY_paramgen$EVP_PKEY_paramgen_init$EVP_PKEY_print_params$EVP_PKEY_print_private$EVP_PKEY_print_public$EVP_PKEY_save_parameters$EVP_PKEY_set1_DH$EVP_PKEY_set1_DSA$EVP_PKEY_set1_EC_KEY$EVP_PKEY_set1_RSA$EVP_PKEY_set_type$EVP_PKEY_set_type_str$EVP_PKEY_sign$EVP_PKEY_sign_init$EVP_PKEY_size$EVP_PKEY_type$EVP_PKEY_verify$EVP_PKEY_verify_init$EVP_PKEY_verify_recover$EVP_PKEY_verify_recover_init$EVP_SealFinal$EVP_SealInit$EVP_SignFinal$EVP_VerifyFinal$EVP_add_cipher$EVP_add_digest$EVP_aes_128_cbc$EVP_aes_128_cbc_hmac_sha1$EVP_aes_128_ccm$EVP_aes_128_cfb1$EVP_aes_128_cfb128$EVP_aes_128_cfb8$EVP_aes_128_ctr$EVP_aes_128_ecb$EVP_aes_128_gcm$EVP_aes_128_ofb$EVP_aes_128_xts$EVP_aes_192_cbc$EVP_aes_192_ccm$EVP_aes_192_cfb1$EVP_aes_192_cfb128$EVP_aes_192_ctr$EVP_aes_192_ecb$EVP_aes_192_gcm$EVP_aes_192_ofb$EVP_aes_256_cbc$EVP_aes_256_cbc_hmac_sha1$EVP_aes_256_ccm$EVP_aes_256_cfb1$EVP_aes_256_cfb128$EVP_aes_256_cfb8$EVP_aes_256_ctr$EVP_aes_256_ecb$EVP_aes_256_gcm$EVP_aes_256_ofb$EVP_aes_256_xts$EVP_bf_cbc$EVP_bf_cfb64$EVP_bf_ecb$EVP_bf_ofb$EVP_cast5_cbc$EVP_cast5_cfb64$EVP_cast5_ecb$EVP_cast5_ofb$EVP_cleanup$EVP_des_cfb1$EVP_des_cfb64$EVP_des_cfb8$EVP_des_ecb$EVP_des_ede$EVP_des_ede3$EVP_des_ede3_cbc$EVP_des_ede3_ecb$EVP_des_ede_cfb64$EVP_des_ede_ecb$EVP_dss$EVP_dss1$EVP_ecdsa$EVP_get_cipherbyname$EVP_get_digestbyname$EVP_idea_cbc$EVP_idea_cfb64$EVP_idea_ecb$EVP_idea_ofb$EVP_md4$EVP_md5$EVP_md_null$EVP_mdc2$EVP_rc2_40_cbc$EVP_rc2_64_cbc$EVP_rc2_cbc$EVP_rc2_cfb64$EVP_rc2_ecb$EVP_rc2_ofb$EVP_rc4$EVP_rc4_40$EVP_rc4_hmac_md5$EVP_ripemd160$EVP_seed_cbc$EVP_seed_cfb128$EVP_seed_ecb$EVP_seed_ofb$EVP_sha$EVP_sha1$EVP_sha224$EVP_sha256$EVP_sha384$EVP_sha512$EVP_whirlpool$FIPS_mode$FIPS_mode_set$HMAC_CTX_cleanup$HMAC_CTX_init$HMAC_Final$HMAC_Init_ex$HMAC_Update$OBJ_nid2ln$OBJ_nid2obj$OBJ_nid2sn$OBJ_obj2nid$OPENSSL_add_all_algorithms_noconf$OpenSSL_add_all_algorithms$OpenSSL_add_all_ciphers$OpenSSL_add_all_digests$PEM_X509_INFO_read_bio$PEM_read_bio_DHparams$PEM_read_bio_DSAPrivateKey$PEM_read_bio_DSAparams$PEM_read_bio_NETSCAPE_CERT_SEQUENCE$PEM_read_bio_PKCS7$PEM_read_bio_PrivateKey$PEM_read_bio_RSAPrivateKey$PEM_read_bio_RSAPublicKey$PEM_read_bio_X509$PEM_read_bio_X509_AUX$PEM_read_bio_X509_CRL$PEM_read_bio_X509_REQ$PEM_write_bio_DHparams$PEM_write_bio_DSAPrivateKey$PEM_write_bio_DSAparams$PEM_write_bio_NETSCAPE_CERT_SEQUENCE$PEM_write_bio_PKCS7$PEM_write_bio_PKCS8PrivateKey$PEM_write_bio_PrivateKey$PEM_write_bio_RSAPrivateKey$PEM_write_bio_RSAPublicKey$PEM_write_bio_X509$PEM_write_bio_X509_CRL$PEM_write_bio_X509_REQ$PKCS12_create$PKCS12_free$PKCS12_parse$PKCS5_PBE_add$PKCS5_PBE_keyivgen$PKCS5_PBKDF2_HMAC$PKCS5_PBKDF2_HMAC_SHA1$PKCS5_v2_PBE_keyivgen$RAND_add$RAND_bytes$RAND_cleanup$RAND_event$RAND_pseudo_bytes$RAND_screen$RAND_seed$RAND_status$RSA_check_key$RSA_free$RSA_generate_key$RSA_generate_key_ex$RSA_new$RSA_private_decrypt$RSA_public_encrypt$RSA_size$SSL_CIPHER_description$SSL_CIPHER_get_bits$SSL_CIPHER_get_name$SSL_CIPHER_get_version$SSL_COMP_get_compression_methods$SSL_CTX_callback_ctrl$SSL_CTX_check_private_key$SSL_CTX_ctrl$SSL_CTX_free$SSL_CTX_get_verify_depth$SSL_CTX_load_verify_locations$SSL_CTX_new$SSL_CTX_set_cipher_list$SSL_CTX_set_client_CA_list$SSL_CTX_set_default_passwd_cb$SSL_CTX_set_default_passwd_cb_userdata$SSL_CTX_set_default_verify_paths$SSL_CTX_set_session_id_context$SSL_CTX_set_verify$SSL_CTX_set_verify_depth$SSL_CTX_use_PrivateKey$SSL_CTX_use_PrivateKey_file$SSL_CTX_use_certificate$SSL_CTX_use_certificate_chain_file$SSL_CTX_use_certificate_file$SSL_SESSION_get_id$SSL_accept$SSL_alert_desc_string_long$SSL_alert_type_string_long$SSL_callback_ctrl$SSL_connect$SSL_copy_session_id$SSL_ctrl$SSL_free$SSL_get_current_cipher$SSL_get_error$SSL_get_ex_data$SSL_get_peer_certificate$SSL_get_session$SSL_library_init$SSL_load_client_CA_file$SSL_load_error_strings$SSL_new$SSL_peek$SSL_pending$SSL_read$SSL_set_accept_state$SSL_set_connect_state$SSL_set_ex_data$SSL_set_fd$SSL_set_shutdown$SSL_shutdown$SSL_state_string_long$SSL_write$SSLeay$SSLeay_version$SSLv23_client_method$SSLv23_method$SSLv23_server_method$SSLv2_client_method$SSLv2_method$SSLv2_server_method$SSLv3_client_method$SSLv3_method$SSLv3_server_method$TLSv1_1_client_method$TLSv1_1_method$TLSv1_1_server_method$TLSv1_2_client_method$TLSv1_2_method$TLSv1_2_server_method$TLSv1_client_method$TLSv1_method$TLSv1_server_method$X509V3_EXT_conf_nid$X509V3_set_ctx$X509_EXTENSION_create_by_NID$X509_EXTENSION_free$X509_INFO_free$X509_LOOKUP_ctrl$X509_NAME_add_entry_by_txt$X509_NAME_cmp$X509_NAME_free$X509_NAME_hash$X509_NAME_new$X509_NAME_oneline$X509_PUBKEY_get$X509_REQ_add_extensions$X509_REQ_free$X509_REQ_new$X509_REQ_set_pubkey$X509_REQ_sign$X509_STORE_CTX_get_current_cert$X509_STORE_CTX_get_error$X509_STORE_CTX_get_error_depth$X509_STORE_CTX_get_ex_data$X509_STORE_CTX_set_error$X509_STORE_add_cert$X509_STORE_add_crl$X509_STORE_add_lookup$X509_STORE_load_locations$X509_add_ext$X509_digest$X509_free$X509_get_default_cert_file$X509_get_default_cert_file_env$X509_get_issuer_name$X509_get_serialNumber$X509_get_subject_name$X509_gmtime_adj$X509_new$X509_print$X509_set_issuer_name$X509_set_notAfter$X509_set_notBefore$X509_set_pubkey$X509_set_subject_name$X509_set_version$X509_sign$X509_to_X509_REQ$X509_verify$\ O$_ossl_old_des_ecb_encrypt$_ossl_old_des_set_key$_ossl_old_des_set_odd_parity$d2i_AutoPrivateKey$d2i_DHparams$d2i_DSAPrivateKey$d2i_DSAparams$d2i_PKCS12_bio$d2i_PKCS7$d2i_PrivateKey$d2i_PrivateKey_bio$d2i_PublicKey$d2i_RSAPrivateKey$d2i_RSAPublicKey$d2i_X509$d2i_X509_CRL$d2i_X509_NAME$d2i_X509_REQ$d2i_X509_bio$i2d_DHparams$i2d_DSAPrivateKey$i2d_DSAparams$i2d_NETSCAPE_CERT_SEQUENCE$i2d_PKCS12_bio$i2d_PKCS7$i2d_PrivateKey$i2d_PrivateKey_bio$i2d_PublicKey$i2d_RSAPrivateKey$i2d_RSAPublicKey$i2d_X509$i2d_X509_CRL$i2d_X509_NAME$i2d_X509_REQ$i2d_X509_REQ_bio$i2d_X509_bio$libeay32.dll$sk_dup$sk_find$sk_free$sk_new$sk_new_null$sk_num$sk_pop_free$sk_push$sk_value$ssleay32.dll
                • API String ID: 2948472770-1022291926
                • Opcode ID: 6b3ff117653456881415de2203df30af6448655008a2e43f9a350b44763a4815
                • Instruction ID: 059adc63c6c073d3eb616761af404178a4f0c8d7f246b84d2749cc1033352c8f
                • Opcode Fuzzy Hash: 6b3ff117653456881415de2203df30af6448655008a2e43f9a350b44763a4815
                • Instruction Fuzzy Hash: 8B136A72A1550E8BA304EF7F59421657AA2EBA4308305D03BF31DDB325EB7D440ABB6D
                APIs
                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004C8A7D
                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004C8AB1
                • GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 004C8ACB
                • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 004C8AE5
                • GetProcAddress.KERNEL32(00000000,inet_pton), ref: 004C8B0E
                • GetProcAddress.KERNEL32(00000000,inet_ntop), ref: 004C8B23
                • GetProcAddress.KERNEL32(00000000,GetAddrInfoExA), ref: 004C8B38
                • GetProcAddress.KERNEL32(00000000,SetAddrInfoExA), ref: 004C8B4D
                • GetProcAddress.KERNEL32(00000000,FreeAddrInfoEx), ref: 004C8B62
                • GetProcAddress.KERNEL32(00000000,WSASetSocketSecurity), ref: 004C8B98
                • GetProcAddress.KERNEL32(00000000,WSAQuerySocketSecurity), ref: 004C8BAD
                • GetProcAddress.KERNEL32(00000000,WSASetSocketPeerTargetName), ref: 004C8BC2
                • GetProcAddress.KERNEL32(00000000,WSADeleteSocketPeerTargetName), ref: 004C8BD7
                • GetProcAddress.KERNEL32(00000000,WSAImpersonateSocketPeer), ref: 004C8BEC
                • GetProcAddress.KERNEL32(00000000,WSARevertImpersonation), ref: 004C8C01
                  • Part of subcall function 004BFB98: FreeLibrary.KERNEL32(00000000), ref: 004BFC00
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressProc$FreeLibrary
                • String ID: FreeAddrInfoEx$Fwpuclnt.dll$GetAddrInfoExA$SetAddrInfoExA$WSADeleteSocketPeerTargetName$WSAImpersonateSocketPeer$WSAQuerySocketSecurity$WSARevertImpersonation$WSASetSocketPeerTargetName$WSASetSocketSecurity$Wship6.dll$freeaddrinfo$getaddrinfo$getnameinfo$inet_ntop$inet_pton
                • API String ID: 1649943339-4072954507
                • Opcode ID: 79d57ce29a6dca5b07e4ed64e49c6db432a9a2c631a00cafe1eac90b45c85ce9
                • Instruction ID: 14e63b9929c402559f1a036be7a9fd4a7a9f89ee513b4dc28acdf3bd630769c2
                • Opcode Fuzzy Hash: 79d57ce29a6dca5b07e4ed64e49c6db432a9a2c631a00cafe1eac90b45c85ce9
                • Instruction Fuzzy Hash: 064139F59053109FD780EBB9AD41FA937E8E725308750052FB500D7B51DBBCE848ABA9
                APIs
                • GetObjectA.GDI32(00000000,00000054,?), ref: 0042F39C
                • GetDC.USER32(00000000), ref: 0042F3AD
                • CreateCompatibleDC.GDI32(00000000), ref: 0042F3BE
                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042F40A
                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0042F42E
                • SelectObject.GDI32(00000000,?), ref: 0042F68B
                • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0042F6CB
                • RealizePalette.GDI32(00000000), ref: 0042F6D7
                • SetTextColor.GDI32(00000000,00000000), ref: 0042F740
                • SetBkColor.GDI32(00000000,00000000), ref: 0042F75A
                • SetDIBColorTable.GDI32(00000000,00000000,00000002,0042FB97,00000000,00000000,00000000,00000000,00000000,0042F8E8,?,00000000,0042F90A,?,00000000,0042F91B), ref: 0042F7A2
                • FillRect.USER32(00000000,?,00000000), ref: 0042F728
                  • Part of subcall function 00429CCC: GetSysColor.USER32(?), ref: 00429CD6
                • PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 0042F7C4
                • CreateCompatibleDC.GDI32(00000000), ref: 0042F7D7
                • SelectObject.GDI32(00000000,00000000), ref: 0042F7FA
                • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0042F816
                • RealizePalette.GDI32(00000000), ref: 0042F821
                • SetTextColor.GDI32(00000000,00000000), ref: 0042F83F
                • SetBkColor.GDI32(00000000,00000000), ref: 0042F859
                • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0042F881
                • SelectPalette.GDI32(00000000,00000000,000000FF), ref: 0042F893
                • SelectObject.GDI32(00000000,00000000), ref: 0042F89D
                • DeleteDC.GDI32(00000000), ref: 0042F8B8
                  • Part of subcall function 0042AAEC: CreateBrushIndirect.GDI32(?), ref: 0042AB97
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
                • String ID:
                • API String ID: 1299887459-0
                • Opcode ID: 709ce91820cf6ad3252c9d48942780e35a804d5264fe4ef889e3ea9ccc058568
                • Instruction ID: 7f9427d14d096efdd96b7515b18b5220abb1e3108fc369f797ecd47898d6c0eb
                • Opcode Fuzzy Hash: 709ce91820cf6ad3252c9d48942780e35a804d5264fe4ef889e3ea9ccc058568
                • Instruction Fuzzy Hash: 9C12FE71A00218AFDB00EFA9D985F9E77B8EF08314F908466F914EB291C778ED85CB55
                APIs
                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004065C1
                • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 004065D8
                • lstrcpyn.KERNEL32(?,?,?), ref: 00406608
                • lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 0040666C
                • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 004066A2
                • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 004066B5
                • FindClose.KERNEL32(000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 004066C7
                • lstrlen.KERNEL32(?,000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 004066D3
                • lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 00406707
                • lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 00406713
                • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 00406735
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                • String ID: GetLongPathNameA$\$kernel32.dll
                • API String ID: 3245196872-1565342463
                • Opcode ID: 99fa0644526dbe1311c793936ae260c4d41cf5f51afef812bb541deed777fe54
                • Instruction ID: c023a1bace13f362c8a584ed1d3a6d079a56b308cb06f43b6d68fe85f6b7174f
                • Opcode Fuzzy Hash: 99fa0644526dbe1311c793936ae260c4d41cf5f51afef812bb541deed777fe54
                • Instruction Fuzzy Hash: 23419171D00218AFDB10DBA8CC89ADEB3BCAF48308F0544B6A545F7281D6389E508B58
                APIs
                • CreateCompatibleDC.GDI32(00000000), ref: 0048D2E7
                • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 0048D32E
                • DeleteObject.GDI32(00000000), ref: 0048D34C
                • DeleteDC.GDI32(00000000), ref: 0048D355
                • SelectObject.GDI32(00000000,00000000), ref: 0048D386
                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0048D3B5
                • BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 0048D91C
                • SelectObject.GDI32(00000000,?), ref: 0048D929
                • DeleteObject.GDI32(00000000), ref: 0048D932
                • DeleteDC.GDI32(00000000), ref: 0048D93B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: DeleteObject$CreateSelect$CompatibleSection
                • String ID: hyH
                • API String ID: 1283611041-1065306263
                • Opcode ID: f12f0f2f535f7bbb01b74221eba1f06ef48eb0a2794a59ea42a104a4fd105cdb
                • Instruction ID: 565c53b25935ca5924d869ea411839280fccbe5447f149d1d748a5bd674a1052
                • Opcode Fuzzy Hash: f12f0f2f535f7bbb01b74221eba1f06ef48eb0a2794a59ea42a104a4fd105cdb
                • Instruction Fuzzy Hash: 7D427D71E052588FCB14DFA9C881BADBBF1FF49300F1485AAE854EB396C638A941DF54
                APIs
                • SaveDC.GDI32(?), ref: 00444DFC
                • RestoreDC.GDI32(?,?), ref: 00444E70
                • GetWindowDC.USER32(?,00000000,00445060), ref: 00444EEA
                • SaveDC.GDI32(?), ref: 00444F21
                • RestoreDC.GDI32(?,?), ref: 00444F8E
                • NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,00445060), ref: 00445042
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: RestoreSaveWindow$NtdllProc_
                • String ID: [D
                • API String ID: 1346906915-3436156298
                • Opcode ID: a7adc5505bfce61d6d25a5d3bd25a2d5ac913ff7c73bb5fae13185d08386c656
                • Instruction ID: 6aa2df55253cc45c2c128468a0d15676e73786904ae97ccf799f6b674c68acdd
                • Opcode Fuzzy Hash: a7adc5505bfce61d6d25a5d3bd25a2d5ac913ff7c73bb5fae13185d08386c656
                • Instruction Fuzzy Hash: ACE17E74A00605DFEB10DF69C581A9EF7F5FF88304B6585AAE404A7362CB38ED41CB99
                APIs
                • SendMessageA.USER32(00000000,0000110F,00000000,00000000), ref: 00472368
                • GetWindowLongA.USER32(00000000,000000FC), ref: 0047237B
                • SetWindowLongA.USER32(?,000000FC,?), ref: 0047239F
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: LongWindow$MessageSend
                • String ID:
                • API String ID: 2178440468-0
                • Opcode ID: 81c93694087b4edf90d9fc261a75392e3c5085230a73057000072c6542a07a00
                • Instruction ID: be08e22d28bf5c8e9c6e946e043ea1f3a930fc2bbf86473d609ec6cbc43fa9e8
                • Opcode Fuzzy Hash: 81c93694087b4edf90d9fc261a75392e3c5085230a73057000072c6542a07a00
                • Instruction Fuzzy Hash: 0E620B34A00209DFCB10DF59C685AEEB7F1FF49314F6480A6E808AB366C778AE45DB55
                APIs
                • CreateFileA.KERNEL32(\\.\PhysicalDrive0,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0051EDFD
                • CreateFileA.KERNEL32(\\.\SMARTVSD,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0051EE1B
                • DeviceIoControl.KERNEL32(000000FF,0004D004,?,0000002C,?,?,?,00000000), ref: 0051EEAE
                • CloseHandle.KERNEL32(000000FF,0051EEF7,0000002C,?,?,?,00000000,00000000,0051EEF0), ref: 0051EEEA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateFile$CloseControlDeviceHandle
                • String ID: \\.\PhysicalDrive0$\\.\SMARTVSD
                • API String ID: 998109204-3031026761
                • Opcode ID: 4cb5a56ea5d57db76ee070c7e18927ecee5e6fb44d5633ddfd0487248ce5f6e0
                • Instruction ID: a0ed4d1c6665b2057b1d3c85aca0113b7e321b6fffb83c77ca4b7bd06a9adc34
                • Opcode Fuzzy Hash: 4cb5a56ea5d57db76ee070c7e18927ecee5e6fb44d5633ddfd0487248ce5f6e0
                • Instruction Fuzzy Hash: 8A3106706443449EEB218F28CCC6B827F98EB05318F1442E5FA44AF2C6D7B5E994CBA5
                APIs
                • CreateFileA.KERNEL32(\\.\PhysicalDrive0,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0051EC7D
                • CreateFileA.KERNEL32(\\.\SMARTVSD,00000000,00000000,00000000,00000001,00000000,00000000), ref: 0051EC9B
                • DeviceIoControl.KERNEL32(000000FF,0007C088,00000200,00000020,?,00000210,?,00000000), ref: 0051ED3D
                • CloseHandle.KERNEL32(000000FF,0051ED6E), ref: 0051ED61
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateFile$CloseControlDeviceHandle
                • String ID: \\.\PhysicalDrive0$\\.\SMARTVSD
                • API String ID: 998109204-3031026761
                • Opcode ID: 7efb9983f694dd2c489a5ab04247effc857b2340784613eb41335c9d73dd0de6
                • Instruction ID: 6a6f184de17b866df87796427720452e7c5e83dbc595379b18b06ad660e7a4ea
                • Opcode Fuzzy Hash: 7efb9983f694dd2c489a5ab04247effc857b2340784613eb41335c9d73dd0de6
                • Instruction Fuzzy Hash: 0D31A730A8431CAAF73097259C8BBD9BAA8AB55704F5005E9B508B61D1D6B86FC08B55
                APIs
                • SetActiveWindow.USER32(?,?,?,004698CA,00000000,00469D7A), ref: 00469EB3
                • ShowWindow.USER32(00000000,00000009,?,?,?,004698CA,00000000,00469D7A), ref: 00469ED8
                • IsWindowEnabled.USER32(00000000), ref: 00469EF7
                • NtdllDefWindowProc_A.NTDLL(?,00000112,0000F120,00000000,00000000,?,?,?,004698CA,00000000,00469D7A), ref: 00469F10
                • SetWindowPos.USER32(?,00000000,00000000,?,?,004698CA,00000000,00469D7A), ref: 00469F56
                • SetFocus.USER32(00000000,?,?,?,004698CA,00000000,00469D7A), ref: 00469FA4
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$ActiveEnabledFocusNtdllProc_Show
                • String ID:
                • API String ID: 3940358795-0
                • Opcode ID: fc2748f557cef480b0fd57721c4d9dd88c2a7636798a00c6ab1558657a6fdaa0
                • Instruction ID: ff904c14e8e3da5131ef0c7dceb37d218fa6b0be4411756da4629fcfdbc028e5
                • Opcode Fuzzy Hash: fc2748f557cef480b0fd57721c4d9dd88c2a7636798a00c6ab1558657a6fdaa0
                • Instruction Fuzzy Hash: 97312070B04200ABDB54EB69CD85B6A37986F04709F4904AAFD04DF3D7EABDEC44875A
                APIs
                  • Part of subcall function 004249F4: GetProcAddress.KERNEL32(76910000,00000000), ref: 00424A73
                • MonitorFromWindow.USER32(?,?), ref: 00424C20
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressFromMonitorProcWindow
                • String ID: MonitorFromWindow
                • API String ID: 2184870004-2842599566
                • Opcode ID: 5749f63353c4c887d069e498b5df88b44a4dde5c01493f7a6044cd182b66d6ab
                • Instruction ID: 063f5696591d61cc28b0c26b7acdd8cd0d10f1bcea94b4643b4c602b076bd694
                • Opcode Fuzzy Hash: 5749f63353c4c887d069e498b5df88b44a4dde5c01493f7a6044cd182b66d6ab
                • Instruction Fuzzy Hash: 7701A271A055685B8700EB6AACC19FF735CEF86308BC14217F911A7242EB3CAD4597BE
                APIs
                • bind.WS2_32(?,?,00000010), ref: 0047DC75
                  • Part of subcall function 0047D4C8: WSAGetLastError.WS2_32(00000000,0047D575), ref: 0047D4F1
                  • Part of subcall function 0047DC04: WSAAsyncSelect.WS2_32(?,00000000,00000000,?), ref: 0047DC33
                  • Part of subcall function 0047DC04: ioctlsocket.WS2_32(?,8004667E), ref: 0047DC53
                • listen.WS2_32(?,?), ref: 0047DCAD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AsyncErrorLastSelectbindioctlsocketlisten
                • String ID: bind$listen
                • API String ID: 233599514-3336150537
                • Opcode ID: 7605d0bc8871e06287b636a2067784725e37e3c2c04511e6fafef2e0c1bc0ca7
                • Instruction ID: 4afde2ffd5df9f03f6c48fe2421831c50478d7ace2e8b2aed4ddc4ba0d3bb9d1
                • Opcode Fuzzy Hash: 7605d0bc8871e06287b636a2067784725e37e3c2c04511e6fafef2e0c1bc0ca7
                • Instruction Fuzzy Hash: FEF01D61B141405BDB00AA7E8CD1A9B96A95F85308F55C47FB50DDF347CAB8EC498368
                APIs
                • LoadLibraryA.KERNEL32(?,?,00000014), ref: 004AC692
                • IsBadReadPtr.KERNEL32(?,00000014), ref: 004AC79F
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Similarity
                • API ID: LibraryLoadRead
                • String ID:
                • API String ID: 1452896035-0
                APIs
                • SetActiveWindow.USER32(?,?,004698BD,00000000,00469D7A), ref: 00469DD2
                  • Part of subcall function 004693D4: EnumWindows.USER32(00469300,00000000), ref: 00469408
                  • Part of subcall function 004693D4: ShowWindow.USER32(?,00000000,00469300,00000000,?,?,0283F460,0046C494,0001040C,?,?,00462248), ref: 0046943D
                  • Part of subcall function 004693D4: ShowOwnedPopups.USER32(00000000,0285C440), ref: 0046946C
                • IsWindowEnabled.USER32(00000000), ref: 00469E05
                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,004698BD,00000000,00469D7A), ref: 00469E4F
                • NtdllDefWindowProc_A.NTDLL(?,00000112,0000F020,00000000,?,00000000,00000000,00000000,?,00000000,00000040,00000000,?,?,004698BD,00000000), ref: 00469E64
                Similarity
                • API ID: Window$Show$ActiveEnabledEnumNtdllOwnedPopupsProc_Windows
                • String ID:
                • API String ID: 2964316467-0
                APIs
                • EnumClipboardFormats.USER32(00000000), ref: 0043D36B
                • GetClipboardData.USER32(00000000), ref: 0043D38B
                • GetClipboardData.USER32(00000009), ref: 0043D394
                • EnumClipboardFormats.USER32(00000000), ref: 0043D3B3
                Similarity
                • API ID: Clipboard$DataEnumFormats
                • String ID:
                • API String ID: 1256399260-0
                APIs
                • GlobalAlloc.KERNEL32(00002002,?,00000000,0043D312), ref: 0043D26F
                • GlobalLock.KERNEL32(?), ref: 0043D289
                • SetClipboardData.USER32(?,?), ref: 0043D2B7
                • GlobalUnlock.KERNEL32(?), ref: 0043D2CD
                Similarity
                • API ID: Global$AllocClipboardDataLockUnlock
                • String ID:
                • API String ID: 3735636508-0
                APIs
                  • Part of subcall function 00405908: SysAllocStringLen.OLEAUT32(?,?), ref: 00405916
                • FindFirstFileW.KERNEL32(00000000,?,00000000,004AE4CC,?,?,?,?,?,004AE06C,?,00000000,004AE0B1), ref: 004AE3C1
                • FindFirstFileA.KERNEL32(00000000,?,00000000,004AE4CC,?,?,?,?,?,004AE06C,?,00000000,004AE0B1), ref: 004AE3E9
                • FindClose.KERNEL32(00000000,00000000,?,00000000,004AE4CC,?,?,?,?,?,004AE06C,?,00000000,004AE0B1), ref: 004AE4A6
                Similarity
                • API ID: Find$FileFirst$AllocCloseString
                • String ID:
                • API String ID: 2269826694-0
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00468840
                • GetCursorPos.USER32(?), ref: 0046885D
                • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0046887D
                Similarity
                • API ID: CurrentCursorObjectSingleThreadWait
                • String ID:
                • API String ID: 1359611202-0
                APIs
                Similarity
                • API ID: CaptureIconic
                • String ID:
                • API String ID: 2277910766-0
                APIs
                • GetAdaptersInfo.IPHLPAPI(00000000,00001400), ref: 0051EBC4
                • SetLastError.KERNEL32(00000000,00000000,0051EC09), ref: 0051EBD8
                Similarity
                • API ID: AdaptersErrorInfoLast
                • String ID:
                • API String ID: 2176680810-0
                APIs
                • SetClipboardData.USER32(?,?), ref: 0043D5FD
                • SetClipboardData.USER32(00000009,00000000), ref: 0043D60E
                Similarity
                • API ID: ClipboardData
                • String ID:
                • API String ID: 2952336681-0
                APIs
                • SetClipboardData.USER32(?,?), ref: 0043D579
                • SetClipboardData.USER32(00000009,00000000), ref: 0043D58A
                Similarity
                • API ID: ClipboardData
                • String ID:
                • API String ID: 2952336681-0
                APIs
                • FindFirstFileA.KERNEL32(00000000,?), ref: 0040A227
                • FindClose.KERNEL32(00000000,00000000,?), ref: 0040A232
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                APIs
                • FindFirstFileA.KERNEL32(00000000,?), ref: 0040A227
                • FindClose.KERNEL32(00000000,00000000,?), ref: 0040A232
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                Strings
                Similarity
                • API ID:
                • String ID: @$TVS
                • API String ID: 0-3300387789
                • Opcode ID: c74377afd30b741a64fc59f018c8cf255431ddc04cd885406065582c58eec471
                • Instruction ID: fab57aa7de952d8c9d5ad38bb40825d112a4ea18a2e0f64fd026c3bfc707ff1d
                • Opcode Fuzzy Hash: c74377afd30b741a64fc59f018c8cf255431ddc04cd885406065582c58eec471
                • Instruction Fuzzy Hash: B6F16830E0061ACFCF14DF98C5846EEBBB2FF89314F24855AD811A7390D7795A82CB99
                APIs
                  • Part of subcall function 00431228: DeleteObject.GDI32(00000000), ref: 0043136E
                • DeleteObject.GDI32(?), ref: 00495029
                  • Part of subcall function 00494DC8: CreatePalette.GDI32 ref: 00494E65
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: DeleteObject$CreatePalette
                • String ID:
                • API String ID: 2847964905-0
                • Opcode ID: 1684c707bb1586542c6bbc782e975997a6751ed907b93be3af5233b65bb00037
                • Instruction ID: d82d1ed542d2a8dbb1f16576099f34b2b4b40b13f76dc41e35b983e0b6becb75
                • Opcode Fuzzy Hash: 1684c707bb1586542c6bbc782e975997a6751ed907b93be3af5233b65bb00037
                • Instruction Fuzzy Hash: 00C11934A002589FDF51DB69C985BDDBBF5AF49304F6081EAE804AB351DB38AE85CF44
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: fee649cdfd8f8aa277ea49c29b705a34bb58a420d69e57213b916dc9cf17bde4
                • Instruction ID: 14a76516daa1f298995e29bab93159775d53f1eaedff189e61e18771bef2c609
                • Opcode Fuzzy Hash: fee649cdfd8f8aa277ea49c29b705a34bb58a420d69e57213b916dc9cf17bde4
                • Instruction Fuzzy Hash: D6128174E0424A9FCF08CF98C5909EEBBB2FF89314F24815AD855AB355C735AA42CF94
                APIs
                • GetTimeZoneInformation.KERNEL32(?,00000000,004BE591,?,?,?,?,004BE42F), ref: 004BE49E
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: InformationLoadStringTimeZone
                • String ID:
                • API String ID: 2315373741-0
                • Opcode ID: 94bbb8578f2e1f47180654c1f4e0b678f3940a31cfa19dc8942e4889091d0bf9
                • Instruction ID: 8e449b9856ff9fd08b552eb9b80f316917ce256c785e64ec0404950f3b28b5f0
                • Opcode Fuzzy Hash: 94bbb8578f2e1f47180654c1f4e0b678f3940a31cfa19dc8942e4889091d0bf9
                • Instruction Fuzzy Hash: 5131B970A04314DBDB24DF66DC81BD97376AB88308F0445BAA508E32D1E738AD44DB3A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: b8a502fc15358cfa77a7630a6cef2c8a7470afd55341190b9a1e58dd386123f2
                • Instruction ID: bc09f113c31cbefe19bb534c1cd423f75d3adf34cc96a2578f20810d27a51584
                • Opcode Fuzzy Hash: b8a502fc15358cfa77a7630a6cef2c8a7470afd55341190b9a1e58dd386123f2
                • Instruction Fuzzy Hash: 23C1A933E115259BCB58DEB8D88168E77A1EBC8314F4982B5DC05E7345D938FE52CB84
                APIs
                • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0040A6B5
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: DiskFreeSpace
                • String ID:
                • API String ID: 1705453755-0
                • Opcode ID: 2b79d92104fa0af58487e8917dd1dd28653f5570df54a52f8f2d3e3a788c251e
                • Instruction ID: abc103ee13669f759a4fb18ba7283f703003de2a5b3041b29427d01aa34a6109
                • Opcode Fuzzy Hash: 2b79d92104fa0af58487e8917dd1dd28653f5570df54a52f8f2d3e3a788c251e
                • Instruction Fuzzy Hash: 6511C0B5E00209AFDB04CF99CD819AFB7F9EFC8304B14C569A509EB254E6719E018B90
                APIs
                • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0043C1E1
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: NtdllProc_Window
                • String ID:
                • API String ID: 4255912815-0
                • Opcode ID: 1ea0499dac8e5765f93ffb4958d777abe36625eb51b51a605c910f3a75aba6c5
                • Instruction ID: b5b819f4d7612dfbe25f6c0b4a53e123ee2fb213ebfe19d04d81ca3ee0585a53
                • Opcode Fuzzy Hash: 1ea0499dac8e5765f93ffb4958d777abe36625eb51b51a605c910f3a75aba6c5
                • Instruction Fuzzy Hash: 39F0C276A04204AFDB00DE9AD882C96B7ECEB4D36075140B7F904E7241D235AD00DB64
                APIs
                • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040DBDE
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: InfoLocale
                • String ID:
                • API String ID: 2299586839-0
                • Opcode ID: fa7882f515298f8e23db2986ae8193d47ac4011f960ade53795300245f3ff239
                • Instruction ID: 59d921e14370b36ece12169b3d118fe46f189b175682aee119f0172623de6650
                • Opcode Fuzzy Hash: fa7882f515298f8e23db2986ae8193d47ac4011f960ade53795300245f3ff239
                • Instruction Fuzzy Hash: 27E0D8B1B0421857D715A5999C86EFAB35CAB9C310F00427FBE04E73C2EDB4AD4446ED
                APIs
                • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040F6A2,00000000,0040F8BB,?,?,00000000,00000000), ref: 0040DC1F
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: InfoLocale
                • String ID:
                • API String ID: 2299586839-0
                • Opcode ID: 2873633efb38d6239b65c69a934dc9d3da9631396eb010f1244059b683344d86
                • Instruction ID: 66b4868294c750d49ad29bdf330f005303b83195e928891062f779fd866f48fa
                • Opcode Fuzzy Hash: 2873633efb38d6239b65c69a934dc9d3da9631396eb010f1244059b683344d86
                • Instruction Fuzzy Hash: EED05EA670D2603AF220559B2D85DBB5ADCCACA7B1F10443FB548D6282D2648C0AE2B6
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: LocalTime
                • String ID:
                • API String ID: 481472006-0
                • Opcode ID: 6652d45eb51c4466045cd739b1972b28e5cf2c71a1dfc57f94c9bb315ca26473
                • Instruction ID: b61a956ea170abc8c9448218bef48046a33e8da2148631834c9367b778441501
                • Opcode Fuzzy Hash: 6652d45eb51c4466045cd739b1972b28e5cf2c71a1dfc57f94c9bb315ca26473
                • Instruction Fuzzy Hash: 2BE0456040D622E1C244AF56C89147EB7E5AED5B42F408D5EF8D4501D2EA39C5A8D367
                APIs
                • IsIconic.USER32(0001040C), ref: 0045F303
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: Iconic
                • String ID:
                • API String ID: 110040809-0
                • Opcode ID: 110056494f7182c461c7f8764ec4f2a94ac6aed24226cfb28f93c2a7fb73f334
                • Instruction ID: 9f66de55b5d4ffe4d94a684c967e1724bf1bbff54fde3af3c4de4bc689ec54fe
                • Opcode Fuzzy Hash: 110056494f7182c461c7f8764ec4f2a94ac6aed24226cfb28f93c2a7fb73f334
                • Instruction Fuzzy Hash: 84C08C648252009BEF40AB3898C4A8137557BA130AF9044A2D40081007DB38ECCC6212
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID:
                • String ID: boundary
                • API String ID: 0-1048445522
                • Opcode ID: b887092ccd453f3c28b93df0697cf692d16679d4a44e7d77428bb582939d99da
                • Instruction ID: c25f066292429d93af369d3838cec1d9ebbb5c3c8e8a19410da8f9cc52cf5fd6
                • Opcode Fuzzy Hash: b887092ccd453f3c28b93df0697cf692d16679d4a44e7d77428bb582939d99da
                • Instruction Fuzzy Hash: 5051D874301604AFDB04DF29C999EADBBE6FB88314F1181A9F809CB7A1DB31ED41CA54
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 74704dc1dbfed0a5b285e0dd31689ae2a77acde531138e148eb9c4f22e6a457c
                • Instruction ID: fe7f45de77afde2e70f0ea5017638b1d06f1e79a79f6cf809742bfeaaeab1133
                • Opcode Fuzzy Hash: 74704dc1dbfed0a5b285e0dd31689ae2a77acde531138e148eb9c4f22e6a457c
                • Instruction Fuzzy Hash: 8F522874204240CFCB69EF18C5C0A6B7BA5AB55310F1489ABDC464F36BC738E857CB6A
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c995d5336b935fb2f3f5ff5773b4ff0fb61fc17d45fcb39efa54818a91eae4d3
                • Instruction ID: 443fd751439d5cce9ff51a8bb73da5a56809a4be8d5f583e34bfcc3e3fd3e270
                • Opcode Fuzzy Hash: c995d5336b935fb2f3f5ff5773b4ff0fb61fc17d45fcb39efa54818a91eae4d3
                • Instruction Fuzzy Hash: 80E14C71D0021E9BDF01EBE5C8829DEBBB5FF84318F50863AE52077295D7389A45CB98
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 28a04dd108d7533479dc39e6f9f23f5a0ea4994a53421a2ae98313657eff771f
                • Instruction ID: 5fa145ac52722dbae7565a58315f900c4807e7932dba2a516232d9c96a6ae6d7
                • Opcode Fuzzy Hash: 28a04dd108d7533479dc39e6f9f23f5a0ea4994a53421a2ae98313657eff771f
                • Instruction Fuzzy Hash: 6BC1B732E115259BCB58CEB8D84168E77A1EBC8314F4982B5DC05EB345DA38FE52CB84
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 81bb14349ae33a2bd8bdbce340547651d0a802f39fca9ec5a4161a6ffe2cc7f7
                • Instruction ID: 0540831777b70423ae72446c317f8e97a9698f1e042390fe9c6e0eda55e46cd9
                • Opcode Fuzzy Hash: 81bb14349ae33a2bd8bdbce340547651d0a802f39fca9ec5a4161a6ffe2cc7f7
                • Instruction Fuzzy Hash: D5B18EB16086009FC311CF18C981A26B7E2FFD9314F158A2EE899C7362D734EC16CB46
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
                • Instruction ID: 67bf8cde432a2c322ee4c818b310221dc570a076ee201ce21a298020967f7bb5
                • Opcode Fuzzy Hash: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
                • Instruction Fuzzy Hash: 0861682239D68103E73D9E7D5CE02BBEAD35FC531462ED97D94DAC3F42E85D641A4208
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6298db3ee3ba2ffd782bbf8305f51f6c4fbd5e69cf30464aee6186554bfd6534
                • Instruction ID: 2f207f417ebcc84ec385a483f320ae9a0b3dd71cee48bb29ad6d1fd4682257f2
                • Opcode Fuzzy Hash: 6298db3ee3ba2ffd782bbf8305f51f6c4fbd5e69cf30464aee6186554bfd6534
                • Instruction Fuzzy Hash: 75B12EB16042008FE748CF19D489B45BBE1BF49318F1680AAD9098F3A7D7BAD985CF95
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b70ae3a8fe4edb674ffdcb771d164dcc1828171a6cad46f9b5f9febc77c85221
                • Instruction ID: 0740b2544c77f5bc0bfeaf6c64a63c5dd6dd67be23a4b69783d038ff0f31343f
                • Opcode Fuzzy Hash: b70ae3a8fe4edb674ffdcb771d164dcc1828171a6cad46f9b5f9febc77c85221
                • Instruction Fuzzy Hash: FE714C71628742ABD314CE1CC8C065AFBE1FBC4354F488E2DF2A8C7296D274E949DB56
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e0704f11d76231eb5c5ed24bf1b9c011729d19f172150dffda745de82652b3ad
                • Instruction ID: a8029c9347770cc0a97142b6472a06a1c62003b210fe2483f8d4be6c27f7fb9e
                • Opcode Fuzzy Hash: e0704f11d76231eb5c5ed24bf1b9c011729d19f172150dffda745de82652b3ad
                • Instruction Fuzzy Hash: F3713673D244775BEB609EA888443617392EF8921CFAF4AB0DE05BB646C634BC5297D0
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2ec52df44c9d3f4758785c0b16534d6520f45d6050de07a41abf2168d2d3dd17
                • Instruction ID: fb93890e9d099f23d1536013d737722facabb52043d9f890bb80494230a5a31c
                • Opcode Fuzzy Hash: 2ec52df44c9d3f4758785c0b16534d6520f45d6050de07a41abf2168d2d3dd17
                • Instruction Fuzzy Hash: 7441077140EBD19BD71A9F246BA22927F60F713304B0845ABCC80569B3D339B516EB5F
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3895fb99a2c0443d65367aeca9a23909aba67186606891c20f0c5da8ca1eb9f6
                • Instruction ID: 38208e4d4cf2dd946d6494312235bb0bfd8db598fb88b0720e4e81489eb5c71c
                • Opcode Fuzzy Hash: 3895fb99a2c0443d65367aeca9a23909aba67186606891c20f0c5da8ca1eb9f6
                • Instruction Fuzzy Hash: D921CC73F209314B572C499D9891065E796AAD923035B037EDE7EF73E1CDE45C1286C0
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                • Instruction ID: 285193d3b7d7c057dec1d8742126b7dcfdfa8b2b2a0f75fb2ec177bd1e400e05
                • Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                • Instruction Fuzzy Hash: 63018432B057110B874CDD7ECD9962BB6D3ABD8910F09C63E95C9D76C4DE318C1AC686
                APIs
                • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,004331D7), ref: 00432E5A
                • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00432E72
                • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 00432E84
                • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 00432E96
                • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 00432EA8
                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00432EBA
                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00432ECC
                • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 00432EDE
                • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 00432EF0
                • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 00432F02
                • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 00432F14
                • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 00432F26
                • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 00432F38
                • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 00432F4A
                • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 00432F5C
                • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 00432F6E
                • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00432F80
                • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 00432F92
                • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 00432FA4
                • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 00432FB6
                • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 00432FC8
                • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 00432FDA
                • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 00432FEC
                • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 00432FFE
                • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 00433010
                • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 00433022
                • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 00433034
                • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 00433046
                • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00433058
                • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0043306A
                • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0043307C
                • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0043308E
                • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 004330A0
                • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 004330B2
                • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 004330C4
                • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 004330D6
                • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 004330E8
                • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 004330FA
                • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0043310C
                • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0043311E
                • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00433130
                • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 00433142
                • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 00433154
                • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 00433166
                • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 00433178
                • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0043318A
                • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0043319C
                • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 004331AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressProc$LibraryLoad
                • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                • API String ID: 2238633743-2910565190
                • Opcode ID: d8ee5390ba17762cfb4e2abcf5acfbe9034a884e1eb1374a3a4005cc00343f0b
                • Instruction ID: 338fc02ad54acaa39535fb5077b8e024c8d0e52513fe80598bdd3ec637ab9770
                • Opcode Fuzzy Hash: d8ee5390ba17762cfb4e2abcf5acfbe9034a884e1eb1374a3a4005cc00343f0b
                • Instruction Fuzzy Hash: 5CA15674A04B10BFDB00EFA5DC85E6933A8E71B7097901576B400EF796D67CF9048BAA
                APIs
                • CreateCompatibleDC.GDI32(?), ref: 00488752
                • CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 00488767
                • SelectObject.GDI32(00000000,00000000), ref: 0048876E
                • CreateCompatibleDC.GDI32(?), ref: 004887A2
                • CreateCompatibleDC.GDI32(?), ref: 004887AE
                • CreateCompatibleDC.GDI32(?), ref: 004887BA
                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004887CD
                • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004887DD
                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 004887EB
                • SelectObject.GDI32(?,?), ref: 004887FB
                • SelectObject.GDI32(?,?), ref: 0048880B
                • SelectObject.GDI32(?,?), ref: 0048881B
                • SetBkColor.GDI32(00000000,?), ref: 00488828
                • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0048884C
                • SetBkColor.GDI32(00000000,?), ref: 00488856
                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00330008), ref: 00488872
                • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00488892
                • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 004888AE
                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,008800C6), ref: 004888CF
                • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00EE0086), ref: 004888F0
                • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00488910
                • SelectObject.GDI32(?,?), ref: 0048891D
                • DeleteObject.GDI32(00000000), ref: 00488923
                • SelectObject.GDI32(?,?), ref: 00488930
                • DeleteObject.GDI32(00000000), ref: 00488936
                • SelectObject.GDI32(?,?), ref: 00488943
                • DeleteObject.GDI32(00000000), ref: 00488949
                • SelectObject.GDI32(00000000,?), ref: 00488953
                • DeleteObject.GDI32(00000000), ref: 00488959
                • DeleteDC.GDI32(?), ref: 00488962
                • DeleteDC.GDI32(?), ref: 0048896B
                • DeleteDC.GDI32(?), ref: 00488974
                • DeleteDC.GDI32(00000000), ref: 0048897A
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Object$CreateDeleteSelect$Compatible$Bitmap$Stretch$Color
                • String ID:
                • API String ID: 881050057-0
                • Opcode ID: 095665aeed10765eda3a313efa2cc276df29c01111b7651806e9a9ab44fe811d
                • Instruction ID: 0a3f5c1f00fd154efb47d94fccfe753a25271c99e2c0b59ca3118ab020de9f14
                • Opcode Fuzzy Hash: 095665aeed10765eda3a313efa2cc276df29c01111b7651806e9a9ab44fe811d
                • Instruction Fuzzy Hash: 638157B2E44208BBDB50EAE9CD86F9FB7BCAB09754F104415F604FB281C679BD008B65
                APIs
                • SetErrorMode.KERNEL32(00008000), ref: 00458FB9
                • GetModuleHandleA.KERNEL32(USER32,00000000,00459106,?,00008000), ref: 00458FDD
                • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00458FEA
                • LoadLibraryA.KERNEL32(imm32.dll,00000000,00459106,?,00008000), ref: 00459006
                • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00459028
                • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0045903D
                • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00459052
                • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00459067
                • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0045907C
                • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00459091
                • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004590A6
                • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004590BB
                • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 004590D0
                • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 004590E5
                • SetErrorMode.KERNEL32(?,0045910D,00008000), ref: 00459100
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
                • API String ID: 3397921170-3950384806
                • Opcode ID: d9b162e1c31596c2686e18ba84ab45c4528db9847a947e2e6708718f354c41e3
                • Instruction ID: 2ffb95264bf30190cdf48acdbdbec49c1b44b44b61ec3cb016089b349223327d
                • Opcode Fuzzy Hash: d9b162e1c31596c2686e18ba84ab45c4528db9847a947e2e6708718f354c41e3
                • Instruction Fuzzy Hash: EB315674D04B12FFE7009F75AC8AA693798A317745794042AB500A7793DA7CBC0CEFA8
                APIs
                • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 00410FF9
                  • Part of subcall function 00410FC4: GetProcAddress.KERNEL32(00000000), ref: 00410FDD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                • API String ID: 1646373207-1918263038
                • Opcode ID: 7bea1ddc7bca09b1e43a94ef4dfda68e67ca776680ffa1a2030dc4e0f8a66670
                • Instruction ID: ebbae436ade12adc284fb946249b96bd2397438d8712abb3f99e125e764e7451
                • Opcode Fuzzy Hash: 7bea1ddc7bca09b1e43a94ef4dfda68e67ca776680ffa1a2030dc4e0f8a66670
                • Instruction Fuzzy Hash: C741337550A204AB5314ABAE79034E673D8D646728360C07FF504DB6A3EFB87CC6D62D
                APIs
                • GetProcAddress.KERNEL32(00000000,DownlevelGetLocaleScripts), ref: 004C8EC9
                • GetProcAddress.KERNEL32(00000000,DownlevelGetStringScripts), ref: 004C8EDE
                • GetProcAddress.KERNEL32(00000000,DownlevelVerifyScripts), ref: 004C8EF3
                • GetProcAddress.KERNEL32(00000000,IdnToUnicode), ref: 004C8F32
                • GetProcAddress.KERNEL32(00000000,IdnToNameprepUnicode), ref: 004C8F47
                • GetProcAddress.KERNEL32(00000000,IdnToAscii), ref: 004C8F5C
                • GetProcAddress.KERNEL32(00000000,IsNormalizedString), ref: 004C8F71
                • GetProcAddress.KERNEL32(00000000,NormalizeString), ref: 004C8F86
                  • Part of subcall function 00410628: SetErrorMode.KERNEL32 ref: 00410632
                  • Part of subcall function 00410628: LoadLibraryA.KERNEL32(00000000,00000000,0041067C,?,00000000,0041069A), ref: 00410661
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressProc$ErrorLibraryLoadMode
                • String ID: DownlevelGetLocaleScripts$DownlevelGetStringScripts$DownlevelVerifyScripts$IdnDL.dll$IdnToAscii$IdnToNameprepUnicode$IdnToUnicode$IsNormalizedString$Normaliz.dll$NormalizeString
                • API String ID: 1436929163-3684810310
                • Opcode ID: ce3c9035394eac138c236815300c4ad743d57775ef320b9966bae51d7b0b5358
                • Instruction ID: c591e8c3ed5f05712b5d712b4a578219af2274ec314d7559d1562318d4bf534a
                • Opcode Fuzzy Hash: ce3c9035394eac138c236815300c4ad743d57775ef320b9966bae51d7b0b5358
                • Instruction Fuzzy Hash: FA21BFF4D04200EED740DB65EC45FAB37A8A365304B50162FB1009BBA1C6FCA848EB99
                APIs
                • GetDC.USER32(00000000), ref: 00430B4A
                • CreateCompatibleDC.GDI32(00000001), ref: 00430BAF
                • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 00430BC4
                • SelectObject.GDI32(?,00000000), ref: 00430BCE
                • SelectPalette.GDI32(?,?,00000000), ref: 00430BFE
                • RealizePalette.GDI32(?), ref: 00430C0A
                • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00430C2E
                • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00430C87,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00430C3C
                • SelectPalette.GDI32(?,00000000,000000FF), ref: 00430C6E
                • SelectObject.GDI32(?,?), ref: 00430C7B
                • DeleteObject.GDI32(00000000), ref: 00430C81
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                • String ID: ($BM
                • API String ID: 2831685396-2980357723
                • Opcode ID: 627f85fbeb22c06d75800933333b868e3a680a8959471f6acdaea696d4a50d58
                • Instruction ID: d80a32b8b42d6845105106f6b06d5662b1aefaa96b09b7ce3e92d49baf8afc67
                • Opcode Fuzzy Hash: 627f85fbeb22c06d75800933333b868e3a680a8959471f6acdaea696d4a50d58
                • Instruction Fuzzy Hash: 13D14D70E002189FDF14DFA9D895BAEBBB5FF4C304F10956AE904A7391D738A840CB69
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CharNext
                • String ID: $ $ $"$"$"$"$"$"
                • API String ID: 3213498283-3597982963
                • Opcode ID: d92ef8d600c6c12442d8be04175bb49d084a70b1b96b67d6bdbff7abc197b242
                • Instruction ID: 72316b39fc105ce68acf61fc0b05c810310bde065867312c4d4083739022383c
                • Opcode Fuzzy Hash: d92ef8d600c6c12442d8be04175bb49d084a70b1b96b67d6bdbff7abc197b242
                • Instruction Fuzzy Hash: DE314391A083906AFB333E758CC472E6ECC4B4B356F1804FBD9527A6D7D97C4A41931A
                APIs
                • FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004080C8
                • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 004080D4
                • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 004080E3
                • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 004080EF
                • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00408107
                • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040812B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                • API String ID: 1416857345-3736581797
                • Opcode ID: 79621935af538e07b72629851116db977b3f699b5074aa218aa9492cf56c2731
                • Instruction ID: ee808f2a05c9db719e7bcf79d838aaae030538150194a4a2f3efe63488681488
                • Opcode Fuzzy Hash: 79621935af538e07b72629851116db977b3f699b5074aa218aa9492cf56c2731
                • Instruction Fuzzy Hash: 65114F75644305AFE3109F65CD42B2AB7A8EF49350F20447EF980AF3C1DAB86C428799
                APIs
                • GetWindowLongA.USER32(00000000,000000EC), ref: 0045A323
                • GetWindowRect.USER32(00000000,?), ref: 0045A33E
                • OffsetRect.USER32(?,?,?), ref: 0045A353
                • GetWindowDC.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0045A361
                • GetWindowLongA.USER32(00000000,000000F0), ref: 0045A392
                • GetSystemMetrics.USER32(00000002), ref: 0045A3A7
                • GetSystemMetrics.USER32(00000003), ref: 0045A3B0
                • InflateRect.USER32(?,000000FE,000000FE), ref: 0045A3BF
                • GetSysColorBrush.USER32(0000000F), ref: 0045A3EC
                • FillRect.USER32(?,?,00000000), ref: 0045A3FA
                • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0045A463,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0045A41F
                • ReleaseDC.USER32(00000000,?), ref: 0045A45D
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
                • String ID:
                • API String ID: 19621357-0
                • Opcode ID: d6b879019a5b76c5b881999aeed64079de1c1a7130785d6f6b121521b21a61e2
                • Instruction ID: 507f7c0fe463ca6ddaac2ffb13695ea580fe7bdf988aca24b5fad821c3c4d027
                • Opcode Fuzzy Hash: d6b879019a5b76c5b881999aeed64079de1c1a7130785d6f6b121521b21a61e2
                • Instruction Fuzzy Hash: 72414F71E04108ABCB01EEA9CC46EEFB7BDEF49315F100126F904F7292D639AE058765
                APIs
                • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402C1A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Message
                • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                • API String ID: 2030045667-32948583
                • Opcode ID: a50677fbbaf9a5d51df9cd732fae71aecb250afa1f3c42459dd7d3984567513a
                • Instruction ID: b9de71b36a9fb43c743bbcf81951480ca915cb62f0dc16bf858ae4f5d06e75cb
                • Opcode Fuzzy Hash: a50677fbbaf9a5d51df9cd732fae71aecb250afa1f3c42459dd7d3984567513a
                • Instruction Fuzzy Hash: 0BA1B730B042548BDF21AE2DCA88B9977E5EB09314F1441F6E449BB3C2CBBD99C5CB59
                APIs
                  • Part of subcall function 0042AC28: RtlInitializeCriticalSection.NTDLL(0042EE14), ref: 0042AC48
                  • Part of subcall function 0042B17C: FrameRect.USER32(?,?,00000000), ref: 0042B1A5
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00439609
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00439675
                • GetWindowLongA.USER32(00000000,000000F0), ref: 004396A4
                • GetSystemMetrics.USER32(00000014), ref: 004396D9
                • GetSystemMetrics.USER32(00000015), ref: 004396F7
                • DrawEdge.USER32(00000000,?,00000000,00000008), ref: 00439752
                • GetSystemMetrics.USER32(0000000A), ref: 00439759
                • DrawFrameControl.USER32(00000000,?,00000003,00004005), ref: 0043978E
                • DrawFrameControl.USER32(00000000,?,00000003,00004005), ref: 004397A9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: DrawFrameMetricsRectSystem$ControlInflate$CriticalEdgeInitializeLongSectionWindow
                • String ID: [D
                • API String ID: 1915978996-3436156298
                • Opcode ID: 4a73f2b25b18e3d8719f22faa48ebeb07f1a528fa095496f92bc6360e24921b9
                • Instruction ID: 44a75489065c2f4e13f9e6b08f5e42bde9e2d5a6dd86ea38b45f9fc04dbaa10b
                • Opcode Fuzzy Hash: 4a73f2b25b18e3d8719f22faa48ebeb07f1a528fa095496f92bc6360e24921b9
                • Instruction Fuzzy Hash: 1861E370A04205ABCB01EF69C996BDE77F4AF09304F5401BAFD04AB296D778AE04CB65
                APIs
                • EnumDisplayMonitors.USER32(?,?,?,?), ref: 00424FD5
                • GetSystemMetrics.USER32(00000000), ref: 00424FFA
                • GetSystemMetrics.USER32(00000001), ref: 00425005
                • GetClipBox.GDI32(?,?), ref: 00425017
                • GetDCOrgEx.GDI32(?,?), ref: 00425024
                • OffsetRect.USER32(?,?,?), ref: 0042503D
                • IntersectRect.USER32(?,?,?), ref: 0042504E
                • IntersectRect.USER32(?,?,?), ref: 00425064
                  • Part of subcall function 004249F4: GetProcAddress.KERNEL32(76910000,00000000), ref: 00424A73
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                • String ID: EnumDisplayMonitors
                • API String ID: 362875416-2491903729
                • Opcode ID: dc3c802b44957370622fea2f870a62982c4ec5dfe8a00fd03ca38e45eba6edd5
                • Instruction ID: 2b54c23c2b6732eb9e6911774d5debed4f3d7d7d8ac71964df6ef2d40efdfd8e
                • Opcode Fuzzy Hash: dc3c802b44957370622fea2f870a62982c4ec5dfe8a00fd03ca38e45eba6edd5
                • Instruction Fuzzy Hash: 84316D76E00619AFDB00DBA5DC849EF73BCAF45304F404127FE11E2241E7389904CBA5
                APIs
                • GetDC.USER32(00000000), ref: 0042DC50
                • GetDeviceCaps.GDI32(?,00000004), ref: 0042DC8A
                • GetDeviceCaps.GDI32(?,00000008), ref: 0042DCA5
                • GetDeviceCaps.GDI32(?,00000004), ref: 0042DCB1
                • MulDiv.KERNEL32(00000000,?,00000000), ref: 0042DCC8
                • GetDeviceCaps.GDI32(?,00000006), ref: 0042DCFA
                • GetDeviceCaps.GDI32(?,0000000A), ref: 0042DD15
                • GetDeviceCaps.GDI32(?,00000006), ref: 0042DD21
                • MulDiv.KERNEL32(00000000,?,00000000), ref: 0042DD38
                • CreateEnhMetaFileA.GDI32(?,00000000,?,00000000), ref: 0042DDC3
                • ReleaseDC.USER32(00000000,?), ref: 0042DDF6
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CapsDevice$CreateFileMetaRelease
                • String ID:
                • API String ID: 2098384581-0
                • Opcode ID: a53e59124d433b5495bdbbff1bfebd7b0c5ad1ded11ba0487cf09fcceda4979e
                • Instruction ID: 6d6b6dda2680eee9e83bf08584946d4bcb14e160946b37dcbc022266ad003156
                • Opcode Fuzzy Hash: a53e59124d433b5495bdbbff1bfebd7b0c5ad1ded11ba0487cf09fcceda4979e
                • Instruction Fuzzy Hash: CE614D75F00654AFDB00EFAAD985E5E73E9AF48304F5080AAF900EB391DA78ED41CB55
                APIs
                  • Part of subcall function 0042B1F0: RtlEnterCriticalSection.NTDLL(00545A74), ref: 0042B1F8
                  • Part of subcall function 0042B1F0: RtlLeaveCriticalSection.NTDLL(00545A74), ref: 0042B205
                  • Part of subcall function 0042B1F0: RtlEnterCriticalSection.NTDLL(00000038), ref: 0042B20E
                • CreateCompatibleDC.GDI32(00000000), ref: 0042ADEC
                • SelectObject.GDI32(?,?), ref: 0042ADFC
                • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 0042AEF6
                • SetTextColor.GDI32(?,00000000), ref: 0042AF04
                • SetBkColor.GDI32(?,00FFFFFF), ref: 0042AF18
                • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 0042AF4B
                • SetTextColor.GDI32(?,?), ref: 0042AF5B
                • SetBkColor.GDI32(?,?), ref: 0042AF6B
                • SelectObject.GDI32(?,00000000), ref: 0042AF9B
                • DeleteDC.GDI32(?), ref: 0042AFA4
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Color$CriticalSection$EnterObjectSelectStretchText$CompatibleCreateDeleteLeave
                • String ID:
                • API String ID: 675119849-0
                • Opcode ID: 342b1920c349e70fad107e408f59d1f6c1e3240cfa945d35f3646d2adc0a5e54
                • Instruction ID: 74460f875a2927d4ca25dacea9edfd81de822042e36f14ecebcd5e416008696a
                • Opcode Fuzzy Hash: 342b1920c349e70fad107e408f59d1f6c1e3240cfa945d35f3646d2adc0a5e54
                • Instruction Fuzzy Hash: A491B6B5A04118AFCB40DFA9D985E9EBBF8EF0D304B5584AAF508E7251C638ED40CB65
                APIs
                • SaveDC.GDI32(?), ref: 00451785
                  • Part of subcall function 0044A064: GetWindowOrgEx.GDI32(?), ref: 0044A072
                  • Part of subcall function 0044A064: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044A088
                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004517BE
                • GetWindowLongA.USER32(00000000,000000EC), ref: 004517D2
                • GetWindowLongA.USER32(00000000,000000F0), ref: 004517F3
                • SetRect.USER32(00000010,00000000,00000000,?,?), ref: 00451853
                • IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004518C3
                  • Part of subcall function 004516B8: SaveDC.GDI32(?), ref: 004516C8
                  • Part of subcall function 004516B8: ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0045174E,?,?), ref: 00451709
                  • Part of subcall function 004516B8: RestoreDC.GDI32(?,?), ref: 00451748
                • SetRect.USER32(?,00000000,00000000,?,?), ref: 004518E4
                • DrawEdge.USER32(?,?,00000000,00000000), ref: 004518F3
                • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0045191C
                • RestoreDC.GDI32(?,?), ref: 0045199B
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Rect$ClipWindow$Intersect$LongRestoreSave$DrawEdgeExclude
                • String ID:
                • API String ID: 3997055466-0
                • Opcode ID: 77a1d7f047feb64c354b0f43710b5f7c1883914307d24bd63e322aa887229c86
                • Instruction ID: 121d2a435a720fac569de6fb08091f672fc69b44b370e471ce0f5bd9dc104009
                • Opcode Fuzzy Hash: 77a1d7f047feb64c354b0f43710b5f7c1883914307d24bd63e322aa887229c86
                • Instruction Fuzzy Hash: AB71FE75E04209EFDB10EF99C985F9EB7B8AF48305F104196B900AB3A2C739AE45CB55
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: memset$Heap$AllocateProcessmemcpy
                • String ID:
                • API String ID: 3305486205-0
                • Opcode ID: 38c4308a163e4958e5f5fc669c1f9ac97946bd03f0236c0e6678b911a303ae21
                • Instruction ID: d4e2d99bc14a7391a5376e387495fd3fce09065ce6dec811f886719b552b196a
                • Opcode Fuzzy Hash: 38c4308a163e4958e5f5fc669c1f9ac97946bd03f0236c0e6678b911a303ae21
                • Instruction Fuzzy Hash: 7B312BB2A0172177E3209614AC8AFB6775DEFC6344F444638FD45DB2C7E5B5D914C2A0
                APIs
                • GetSystemMenu.USER32(00000000,00000000), ref: 004652A7
                • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004652C5
                • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004652D2
                • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004652DF
                • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004652EC
                • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004652F9
                • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00465306
                • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00465313
                • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00465331
                • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0046534D
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Menu$Delete$EnableItem$System
                • String ID:
                • API String ID: 3985193851-0
                • Opcode ID: a9e5b4fa8346a8110626198734dd645a208989a6d2c4960b97f49dc382ae1b19
                • Instruction ID: c54ca0ad37bada042d3fc295b56ea769ce53a7a612f7fec816cb525ca014047f
                • Opcode Fuzzy Hash: a9e5b4fa8346a8110626198734dd645a208989a6d2c4960b97f49dc382ae1b19
                • Instruction Fuzzy Hash: DF214C707887007AE720AA24CC8EF597BD86B14B99F4444A5BA487F2D3C6F8B980865D
                Strings
                • The unexpected small block leaks are:, xrefs: 00402A53
                • bytes: , xrefs: 00402AA9
                • , xrefs: 00402B60
                • 7, xrefs: 004029ED
                • An unexpected memory leak has occurred. , xrefs: 004029DC
                • Unexpected Memory Leak, xrefs: 00402C0C
                • The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402B95
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                • API String ID: 0-2723507874
                • Opcode ID: a5b3d238fa3a1e84a5ca636682b3c22002706cc1cfd205bd896561417fc161de
                • Instruction ID: 27f5743b5f1cfa822e795204929ef82a9b3db309af7e89d870cfa8782dda9c7f
                • Opcode Fuzzy Hash: a5b3d238fa3a1e84a5ca636682b3c22002706cc1cfd205bd896561417fc161de
                • Instruction Fuzzy Hash: CE71A430A042548ADF31AA2CC988BD9BBE5EB09704F1041F6E449B72C2DBB94AC5CB59
                APIs
                • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,00000000,0052444C,?,00000000,0052447E), ref: 005243E9
                • WaitForSingleObject.KERNEL32(?,0001D4C0,00000000,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,00000000,0052444C), ref: 005243FB
                • GetExitCodeProcess.KERNEL32(?,?), ref: 0052440A
                • TerminateProcess.KERNEL32(?,?,?,0001D4C0,00000000,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,00000000), ref: 0052442B
                • CloseHandle.KERNEL32(?,?,?,?,0001D4C0,00000000,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00524434
                • CloseHandle.KERNEL32(?,?,?,?,?,0001D4C0,00000000,00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044), ref: 0052443D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
                • String ID: %s %s$D
                • API String ID: 786732093-228357124
                • Opcode ID: e15b95d64e8fdae3d369f981803052e6f995c2bfdc9f76edde111442f2d6ccea
                • Instruction ID: 78d9f20aa311e213c2eae4c2ab899dd20785b413aac91caad6321ff0e49a3202
                • Opcode Fuzzy Hash: e15b95d64e8fdae3d369f981803052e6f995c2bfdc9f76edde111442f2d6ccea
                • Instruction Fuzzy Hash: E3410C70E04308AFDB11EBE5D946B9EBBF8EF49704F60446AB504EB2C1D67869048B69
                APIs
                • DrawEdge.USER32(00000000,?,00000008,00000003), ref: 0046C658
                • DrawEdge.USER32(00000000,?,00000002,0000000C), ref: 0046C666
                • DrawEdge.USER32(00000000,00000000,00000002,00000803), ref: 0046C683
                • DrawEdge.USER32(00000000,?,00000001,0000000C), ref: 0046C696
                • DrawEdge.USER32(00000000,?,00000004,00000003), ref: 0046C6AA
                • DrawEdge.USER32(00000000,00000000,00000004,0000080C), ref: 0046C6C1
                  • Part of subcall function 0042B280: Rectangle.GDI32(?,?,?,?,?), ref: 0042B2AF
                • InflateRect.USER32(00000000,000000FF,000000FF), ref: 0046C764
                • InflateRect.USER32(00000000,000000FF,000000FF), ref: 0046C790
                  • Part of subcall function 0042B570: SetPixel.GDI32(?,?,?,00000000), ref: 0042B5A0
                  • Part of subcall function 0042B244: Polyline.GDI32(?,?,00000003), ref: 0042B269
                • OffsetRect.USER32(?,00000001,00000001), ref: 0046C84B
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: DrawEdge$Rect$Inflate$OffsetPixelPolylineRectangle
                • String ID:
                • API String ID: 2112064845-0
                • Opcode ID: e2b53934e235c4cbe48111f935baca69d004a1a7e62e47aec860a0d2772dec23
                • Instruction ID: 7e41208a27c0d1f18af3f2df7ba00a9c5b76d0773a6c80846058ca43fe1272e3
                • Opcode Fuzzy Hash: e2b53934e235c4cbe48111f935baca69d004a1a7e62e47aec860a0d2772dec23
                • Instruction Fuzzy Hash: AC813F70A04109ABDB14EFA9DC81EAFB7B5AF48304F104556F911B7386D738EE41CBA9
                APIs
                • GetDesktopWindow.USER32 ref: 0044C693
                • GetDCEx.USER32(?,00000000,00000402), ref: 0044C6A6
                • SelectObject.GDI32(?,00000000), ref: 0044C6C9
                • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0044C6EF
                • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0044C711
                • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0044C730
                • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0044C74A
                • SelectObject.GDI32(?,?), ref: 0044C757
                • ReleaseDC.USER32(?,?), ref: 0044C771
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ObjectSelect$DesktopReleaseWindow
                • String ID:
                • API String ID: 1187665388-0
                • Opcode ID: c60276b941cb406819434d785e9500db068d26c2e79b8a347c9fd7adab22a4bc
                • Instruction ID: b8f22a3cb74253750853c4c0b80605ce90e6446f0b504c0abb7d44ee5f2781a8
                • Opcode Fuzzy Hash: c60276b941cb406819434d785e9500db068d26c2e79b8a347c9fd7adab22a4bc
                • Instruction Fuzzy Hash: 58311BB6E04219AFEB41DEEDCC85DAFBBBCAF09304B404565B504F7240C679AD048BA5
                APIs
                • WSAAsyncGetHostByName.WS2_32(00000000,00000403,00000000,00000000,00000400), ref: 0047D84D
                • WSAAsyncGetServByName.WS2_32(00000000,00000403,00000000,tcp,00000000,00000400), ref: 0047D969
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AsyncName$HostServ
                • String ID: WSAASyncGetHostByName$WSAASyncGetServByName$tcp
                • API String ID: 3936360078-1163084229
                • Opcode ID: 5d41a29cb9f4b1c9cc8444ed015c3d018214ec688ca29b58be21eecba07ad0f2
                • Instruction ID: 57e1bb4baba5d5bd5a38119128d45f6c2909ad83ddfe159254450b9ef9b6fe7c
                • Opcode Fuzzy Hash: 5d41a29cb9f4b1c9cc8444ed015c3d018214ec688ca29b58be21eecba07ad0f2
                • Instruction Fuzzy Hash: 677193B1A14244EFD700DF69C681A9E77F5EF49304F2580AAF909AB391D738EE01DB58
                APIs
                • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0041227D
                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00412299
                • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004122D2
                • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041234F
                • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00412368
                • VariantCopy.OLEAUT32(?), ref: 0041239D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                • String ID:
                • API String ID: 351091851-3916222277
                • Opcode ID: 1c181cf4e4ca085fe8ce13b597a79b6aced10d7e3bd412de8366d49bb0fddb5a
                • Instruction ID: 5bf19cd51ef12f9a16f122347510b8dd828f15e21874f8a99e856ab02e7bcc5a
                • Opcode Fuzzy Hash: 1c181cf4e4ca085fe8ce13b597a79b6aced10d7e3bd412de8366d49bb0fddb5a
                • Instruction Fuzzy Hash: C051FE7590022D9BCB22DB59C981BD9B3BCAF48304F0041DAF649E7211D678AFC58F69
                APIs
                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042E522
                • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0042E53F
                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042E56B
                • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042E58B
                • DeleteEnhMetaFile.GDI32(00000016), ref: 0042E5AC
                • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0042E5BF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: FileMeta$Bits$DeleteHeader
                • String ID: `
                • API String ID: 1990453761-2679148245
                • Opcode ID: 9f9db8ea1979f8e32ceb550222cdeda945d44f8b9320f3e99c39869b6a50049c
                • Instruction ID: 3d1c89746b34e36c8bb57c58171902418aa1498e7a7c73b031a03b47e4e58082
                • Opcode Fuzzy Hash: 9f9db8ea1979f8e32ceb550222cdeda945d44f8b9320f3e99c39869b6a50049c
                • Instruction Fuzzy Hash: 2E412E71E00218AFDB00EFA9D485AAFB7F9EF48714F50846AF904E7241E7399D40CB69
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 004219CF
                • GetCurrentThreadId.KERNEL32 ref: 004219DE
                  • Part of subcall function 00421978: ResetEvent.KERNEL32(0000020C,00421A19), ref: 0042197E
                • RtlEnterCriticalSection.NTDLL(005459D0), ref: 00421A23
                • InterlockedExchange.KERNEL32(00533B74,?), ref: 00421A3F
                • RtlLeaveCriticalSection.NTDLL(005459D0), ref: 00421A98
                • RtlEnterCriticalSection.NTDLL(005459D0), ref: 00421B07
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                • String ID: oA
                • API String ID: 2189153385-126849778
                • Opcode ID: 47163d1ae6f2d1623df0cc5f8bbefd20c344f4338a9b8fa2b48e84e1963c2368
                • Instruction ID: 03ad3064a879ecbaf49c3899ae3acbf5ca58e84a12c8b056f68d21f504d01ce6
                • Opcode Fuzzy Hash: 47163d1ae6f2d1623df0cc5f8bbefd20c344f4338a9b8fa2b48e84e1963c2368
                • Instruction Fuzzy Hash: 1E31F930B04744AFD701DF65EC52AAABBF8EB19704FA18476F400E36B1E77D6900CA29
                APIs
                • GetMonitorInfoA.USER32(?,?), ref: 00424D51
                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00424D78
                • GetSystemMetrics.USER32(00000000), ref: 00424D8D
                • GetSystemMetrics.USER32(00000001), ref: 00424D98
                • lstrcpy.KERNEL32(?,DISPLAY), ref: 00424DC2
                  • Part of subcall function 004249F4: GetProcAddress.KERNEL32(76910000,00000000), ref: 00424A73
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                • String ID: DISPLAY$GetMonitorInfo
                • API String ID: 1539801207-1633989206
                • Opcode ID: 09eb1f532a47fc50c1b53112111b3bb5fce2f5112d6149a4d3cbb956192ac70d
                • Instruction ID: 3b452bf0f8c3407e43ad33cff1f1fd53a230969f22abab76dbcbb1083e79ad51
                • Opcode Fuzzy Hash: 09eb1f532a47fc50c1b53112111b3bb5fce2f5112d6149a4d3cbb956192ac70d
                • Instruction Fuzzy Hash: 38113A7A7117119FD3208F61EC807A7B7A8EF46714F40862BEC4597240D374A444CBA5
                APIs
                • GetModuleHandleA.KERNEL32(shell32.dll,00000000,0051F1C1), ref: 0051F12F
                • LoadLibraryA.KERNEL32(shell32.dll,shell32.dll,00000000,0051F1C1), ref: 0051F13F
                • GetProcAddress.KERNEL32(00000000,ShellExecuteExA), ref: 0051F150
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressHandleLibraryLoadModuleProc
                • String ID: <$ShellExecuteExA$runas$shell32.dll
                • API String ID: 310444273-175376615
                • Opcode ID: 2446aaad8579cae2c8e6e8e27f37871c9acc95b59f5c4567fe30116f2093d24e
                • Instruction ID: 9ded35848fbe354389d2fda229b52764663956e4a3389e8be47981d3b2e73c6f
                • Opcode Fuzzy Hash: 2446aaad8579cae2c8e6e8e27f37871c9acc95b59f5c4567fe30116f2093d24e
                • Instruction Fuzzy Hash: 02113D70E44608FFEB11EFA5C886A8EBAF8EB48314F50043AE404F6681DB789E41CB54
                APIs
                • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404B43,?,?,?,00000002,00404BEE,0040307B,004030C2), ref: 00404AB5
                • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404B43,?,?,?,00000002,00404BEE,0040307B,004030C2), ref: 00404ABB
                • GetStdHandle.KERNEL32(000000F5,00404B04,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404B43), ref: 00404AD0
                • WriteFile.KERNEL32(00000000,000000F5,00404B04,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404B43), ref: 00404AD6
                • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404AF4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: FileHandleWrite$Message
                • String ID: Error$Runtime error at 00000000
                • API String ID: 1570097196-2970929446
                • Opcode ID: 3144130b8bd7a90fe5ba6d5be327f0b5e42e707808ab0f592e78e27e9822c593
                • Instruction ID: a1d949831430663ba27030e943ea6584adc58326a8c9b877661a1d1cca49b84b
                • Opcode Fuzzy Hash: 3144130b8bd7a90fe5ba6d5be327f0b5e42e707808ab0f592e78e27e9822c593
                • Instruction Fuzzy Hash: 92F090E878434076F714B3A59D47F9A27989785B69F20423AB310F80E287FC55C8A72D
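                Added triage example (editor's code, not part of the Joe Sandbox report): the two entries above that matter most for a first pass are the shell32.dll entry (shell32 resolved at run time via GetModuleHandleA/LoadLibraryA, ShellExecuteExA looked up with GetProcAddress, and the verb string "runas" alongside it, which is how a process requests UAC elevation through ShellExecuteEx) and the "Runtime error at 00000000" entry (GetStdHandle/WriteFile/MessageBoxA with an "Error" caption). The script below parses those entries as copied from the listing and applies two heuristics: flag dynamic resolution of a sensitive API together with "runas", and tag compiler-runtime boilerplate so it is not mistaken for malware behaviour. The finding names and the attribution of the second entry to the Delphi RTL run-error handler are the editor's assumptions, not Joe Sandbox output, and dynamic resolution of ShellExecuteExA is also how ordinary Delphi code avoids a static shell32 import, so the first finding is a lead to confirm, not a verdict.

```python
"""Triage heuristics over Joe Sandbox function entries (added example).

The two entries below are copied from the report listing above. The
labels produced here are this editor's assumptions, not report output.
"""
import re

# Copied from the report: shell32.dll / ShellExecuteExA / runas entry.
ENTRY_SHELL32 = """\
• GetModuleHandleA.KERNEL32(shell32.dll,00000000,0051F1C1), ref: 0051F12F
• LoadLibraryA.KERNEL32(shell32.dll,shell32.dll,00000000,0051F1C1), ref: 0051F13F
• GetProcAddress.KERNEL32(00000000,ShellExecuteExA), ref: 0051F150
• String ID: <$ShellExecuteExA$runas$shell32.dll
"""

# Copied from the report: "Runtime error at 00000000" entry.
ENTRY_RTL = """\
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404B43,?,?,?,00000002,00404BEE,0040307B,004030C2), ref: 00404AB5
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404B43,?,?,?,00000002,00404BEE,0040307B,004030C2), ref: 00404ABB
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404AF4
• String ID: Error$Runtime error at 00000000
"""

# "• Name.MODULE(args), ref: 0041227D" or "• Name.MODULE ref: 0044C693".
API_RE = re.compile(
    r"•\s+(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
STRING_RE = re.compile(r"•\s+String ID:\s*(?P<ids>.*)")


def parse_entry(text):
    """Return {'apis': [...], 'strings': [...]} for one function entry."""
    apis, strings = [], []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            apis.append({"name": m["name"], "module": m["module"],
                         "args": m["args"] or "", "ref": m["ref"]})
            continue
        m = STRING_RE.search(line)
        if m:
            # Joe Sandbox joins string IDs with '$'.
            strings.extend(s for s in m["ids"].split("$") if s)
    return {"apis": apis, "strings": strings}


def triage(entry):
    """Apply heuristics; returns a list of (finding, evidence) tuples."""
    names = {a["name"] for a in entry["apis"]}
    strings = set(entry["strings"])
    findings = []

    # Heuristic 1: API resolved at run time rather than through the import
    # table. The last GetProcAddress argument is the resolved symbol name.
    if "GetProcAddress" in names:
        resolved = [a["args"].split(",")[-1]
                    for a in entry["apis"] if a["name"] == "GetProcAddress"]
        findings.append(("dynamic_import", resolved))
        # ShellExecuteEx with lpVerb "runas" triggers a UAC consent prompt.
        if "ShellExecuteExA" in resolved and "runas" in strings:
            findings.append(("uac_elevation_prompt",
                             ["ShellExecuteExA resolved dynamically + verb 'runas'"]))

    # Heuristic 2: compiler runtime boilerplate (assumption: the Delphi RTL
    # run-error handler writes 'Runtime error ... at <addr>' and shows an
    # 'Error' message box). Tagging it keeps it out of the behaviour list.
    if any(s.startswith("Runtime error") for s in strings) and "MessageBoxA" in names:
        findings.append(("library_code", ["Delphi RTL run-error handler (assumed)"]))

    return findings


if __name__ == "__main__":
    for label, text in (("shell32 entry", ENTRY_SHELL32), ("RTL entry", ENTRY_RTL)):
        for finding, evidence in triage(parse_entry(text)):
            print(f"{label}: {finding}: {', '.join(evidence)}")
```

The same parser runs over any entry in this listing; adding a third heuristic is a matter of matching on the parsed `names`/`strings` sets. Lines beginning "Part of subcall function" are deliberately skipped, since they describe callees rather than the function itself.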
                APIs
                • GetCapture.USER32 ref: 00466A29
                • GetCapture.USER32 ref: 00466A38
                • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00466A3E
                • ReleaseCapture.USER32 ref: 00466A43
                • GetActiveWindow.USER32 ref: 00466A94
                • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00466B2A
                • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00466B97
                • GetActiveWindow.USER32 ref: 00466BA6
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CaptureMessageSend$ActiveWindow$Release
                • String ID:
                • API String ID: 862346643-0
                • Opcode ID: 11263eb918585b95affb43a0130c43dd0b239fc20e7a4c17efeab579fce02e49
                • Instruction ID: 2d79969512088bfff87bea13960c550acac0bd1ea340c3484c9818b8195235f8
                • Opcode Fuzzy Hash: 11263eb918585b95affb43a0130c43dd0b239fc20e7a4c17efeab579fce02e49
                • Instruction Fuzzy Hash: 0E514370A00644EFDB01EF69C986F9D7BF5EF45708F1540AAF400A7262EB38AD44DB49
                APIs
                • GetCapture.USER32 ref: 0046A1AE
                • IsWindowUnicode.USER32(00000000), ref: 0046A1F1
                • SendMessageW.USER32(00000000,-0000BBEE,0283F460,?), ref: 0046A20C
                • SendMessageA.USER32(00000000,-0000BBEE,0283F460,?), ref: 0046A22B
                • GetWindowThreadProcessId.USER32(00000000), ref: 0046A23A
                • GetWindowThreadProcessId.USER32(0001040C,?), ref: 0046A248
                • SendMessageA.USER32(00000000,-0000BBEE,0283F460,?), ref: 0046A268
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                • String ID:
                • API String ID: 1994056952-0
                • Opcode ID: eef12c3992636579e218475f040015c7237700127b6481d3b2225f4846c122eb
                • Instruction ID: d459c482f322a96bce926a154138c90dbcdbb046f0fd235dcf54af367f8df6fa
                • Opcode Fuzzy Hash: eef12c3992636579e218475f040015c7237700127b6481d3b2225f4846c122eb
                • Instruction Fuzzy Hash: F6219371608A04AFD660FA99C940F67B3DCAF15354B10442AFD59E3342FA29FC108B6F
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9de2e41ca2449485e2f69d20e6b4a826fd40f3858f04b70106ca512af4de434e
                • Instruction ID: 345f87cbf250f5fca370808c13147eb1f7475dfe806d65ff57619417d98d078c
                • Opcode Fuzzy Hash: 9de2e41ca2449485e2f69d20e6b4a826fd40f3858f04b70106ca512af4de434e
                • Instruction Fuzzy Hash: 5BB115767006000BD714AABDDE897AA73C5DBC5325F18827FE214EB3E5DABC8985C358
                APIs
                • CreateCompatibleDC.GDI32(?), ref: 0048E9F5
                • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 0048EA24
                • SelectObject.GDI32(?,?), ref: 0048EA34
                • DeleteObject.GDI32(?), ref: 0048EC35
                • DeleteDC.GDI32(?), ref: 0048EC41
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateDeleteObject$CompatibleSectionSelect
                • String ID: xyH
                • API String ID: 2986811175-593095655
                • Opcode ID: 075b269f8b1ada24f00b3a704f23e1bb7b70348a57056f0b360749353a35c929
                • Instruction ID: 2243c5a896b8ce662322e828096083177ce5715bb46d137407855adfdad802a0
                • Opcode Fuzzy Hash: 075b269f8b1ada24f00b3a704f23e1bb7b70348a57056f0b360749353a35c929
                • Instruction Fuzzy Hash: CFB1C4B4E002199FDB44EFAAC985A9EB7F5FF48304F2045AAE414E7351D734AD418F68
                APIs
                • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0045581F), ref: 00455720
                • GetTickCount.KERNEL32 ref: 00455725
                  • Part of subcall function 0044B150: KiUserCallbackDispatcher.NTDLL(?,00000091,?,?,00437878), ref: 0044B163
                • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00455769
                • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00455781
                • AnimateWindow.USER32(00000000,00000064,?), ref: 004557C6
                • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0045581F), ref: 004557E9
                • GetTickCount.KERNEL32 ref: 00455806
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$CountInfoParametersSystemTick$AnimateCallbackDispatcherShowUser
                • String ID:
                • API String ID: 2863835916-0
                • Opcode ID: eecc10a1b59bb1d0d7392479860c6ef09650aa4b2678ac54308cf5df85f95198
                • Instruction ID: e0f6e378d109d244860a50d22e15792f175fb7128c88d0d85e2d3962b62447b7
                • Opcode Fuzzy Hash: eecc10a1b59bb1d0d7392479860c6ef09650aa4b2678ac54308cf5df85f95198
                • Instruction Fuzzy Hash: B3713034A00605DFDB00EF69CD82AAE77F5AF44309F20446AF504E7352EA78EE45DB59
                APIs
                  • Part of subcall function 00489AFC: DeleteObject.GDI32(?), ref: 00489B07
                  • Part of subcall function 00489AFC: DeleteDC.GDI32(?), ref: 00489B14
                  • Part of subcall function 00489AFC: DeleteObject.GDI32(?), ref: 00489B30
                • CreateCompatibleDC.GDI32(00000000), ref: 00489FFF
                • CreateHalftonePalette.GDI32(?,00000000), ref: 0048A03A
                • ResizePalette.GDI32(?,00000001), ref: 0048A06F
                • SelectPalette.GDI32(?,?,00000000), ref: 0048A094
                • RealizePalette.GDI32(?), ref: 0048A09F
                • CreateDIBSection.GDI32(?,-00000471,00000000,-00000450,00000000,00000000), ref: 0048A0CA
                • SelectObject.GDI32(?,00000000), ref: 0048A0DD
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Palette$CreateDeleteObject$Select$CompatibleHalftoneRealizeResizeSection
                • String ID:
                • API String ID: 2525607832-0
                • Opcode ID: e30e827b8122e350d0335ec4b589437817100232e2c81646625f1c86a0cdb301
                • Instruction ID: 94ad52c67ed73fd21dc1013cff5cae857c56424395f58f9660684b7918c238c2
                • Opcode Fuzzy Hash: e30e827b8122e350d0335ec4b589437817100232e2c81646625f1c86a0cdb301
                • Instruction Fuzzy Hash: A97112716009209FDB44EB19C4D5F6A77A4AF0A304F0945E6F2049F3AAC678EC46CB9A
                APIs
                  • Part of subcall function 00449478: WindowFromPoint.USER32(00449258,52FF108B,00000000,0044904A,?,00545C3C,?), ref: 0044947E
                  • Part of subcall function 00449478: GetParent.USER32(00000000), ref: 00449495
                • GetWindow.USER32(00000000,00000004), ref: 00449052
                • GetCurrentThreadId.KERNEL32 ref: 00449126
                • EnumThreadWindows.USER32(00000000,00448FC4,?), ref: 0044912C
                • GetWindowRect.USER32(00000000,?), ref: 00449143
                • IntersectRect.USER32(?,?,?), ref: 004491B1
                  • Part of subcall function 004484B8: GetWindowThreadProcessId.USER32(?), ref: 004484C5
                  • Part of subcall function 004484B8: GetCurrentProcessId.KERNEL32(?,?,?,00000000,00000000,0044906C,?,00545C3C,?), ref: 004484CE
                  • Part of subcall function 004484B8: GlobalFindAtomA.KERNEL32(00000000,?,?,?,00000000,00000000,0044906C,?,00545C3C,?), ref: 004484E3
                  • Part of subcall function 004484B8: GetPropA.USER32(?,00000000), ref: 004484FA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$Thread$CurrentProcessRect$AtomEnumFindFromGlobalIntersectParentPointPropWindows
                • String ID: |ZD
                • API String ID: 2202917067-2471458929
                • Opcode ID: 26e218bc60868f52a4a1274ade6a3d0cf4095bbd4f3884c38ec173f80325fb6b
                • Instruction ID: a3d1583b77151065ef57e1f75fae45c5ba950f63a750743ae93d8c976bacbc7a
                • Opcode Fuzzy Hash: 26e218bc60868f52a4a1274ade6a3d0cf4095bbd4f3884c38ec173f80325fb6b
                • Instruction Fuzzy Hash: 5451B031A0420AAFEB10DF69C884AAFB7F4BF05354F1441A6F904EB351D739EE019B99
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00421F49
                • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 00421F94
                • RtlEnterCriticalSection.NTDLL(005459D0), ref: 00421FBC
                • RtlLeaveCriticalSection.NTDLL(005459D0), ref: 00422033
                • WaitForSingleObject.KERNEL32(?,000000FF,00000000,0042206C,?,005459D0,00000000,0042208B,?,005459D0,00000000,004220B2), ref: 0042204F
                • RtlEnterCriticalSection.NTDLL(005459D0), ref: 00422066
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
                • String ID:
                • API String ID: 1504017990-0
                • Opcode ID: 1d1b43c34268efa4c8f9f79cfe411fb81a717485585f0165afdab3f77dfefc7b
                • Instruction ID: de8afb3981c73ada443d78cba345373234f87fed88b473746b2e946142f6241d
                • Opcode Fuzzy Hash: 1d1b43c34268efa4c8f9f79cfe411fb81a717485585f0165afdab3f77dfefc7b
                • Instruction Fuzzy Hash: 5541F230B08200BFC710DF65E952B9AFBB4EB09314FA181A7F810A73E1D2B9AD00DA15
                APIs
                • MulDiv.KERNEL32(?,?,000009EC), ref: 0042EB1A
                • MulDiv.KERNEL32(?,?,000009EC), ref: 0042EB31
                • GetDC.USER32(00000000), ref: 0042EB48
                • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,0042EC03,?,00000000,?,?,000009EC,?,?,000009EC), ref: 0042EB6C
                • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,0042EBE3,?,?,00000000,00000000,00000008,?,00000000,0042EC03), ref: 0042EB9F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: BitsFileMeta
                • String ID: `
                • API String ID: 858000408-2679148245
                • Opcode ID: 6c1a4bda7fb24d0fd8106d42aa41315814294f2719af70957361f40f7775da9d
                • Instruction ID: fc08877e1400a766764d0d90fc9b446f2c7030667510327c4de112be9445d83b
                • Opcode Fuzzy Hash: 6c1a4bda7fb24d0fd8106d42aa41315814294f2719af70957361f40f7775da9d
                • Instruction Fuzzy Hash: 02315475B04218ABDF00DFD5D881EAEB7B8EF09714F504466F904EB381D678AE40DBA9
                APIs
                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00424E4C
                • GetSystemMetrics.USER32(00000000), ref: 00424E61
                • GetSystemMetrics.USER32(00000001), ref: 00424E6C
                • lstrcpy.KERNEL32(?,DISPLAY), ref: 00424E96
                  • Part of subcall function 004249F4: GetProcAddress.KERNEL32(76910000,00000000), ref: 00424A73
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                • String ID: DISPLAY$GetMonitorInfoA
                • API String ID: 2545840971-1370492664
                • Opcode ID: 29265de2007238fc5a5ecfabcdf0a6d5e31911dc145d8f3d6061de6a99fcc97c
                • Instruction ID: 9e4b0e4d8aaf648031f72d7a4af6d035ec37478f6048a18c5a94fc31689e41de
                • Opcode Fuzzy Hash: 29265de2007238fc5a5ecfabcdf0a6d5e31911dc145d8f3d6061de6a99fcc97c
                • Instruction Fuzzy Hash: 06113A757007209FE320CF61AC44BABB7E9FB46315F814A2BED1597680D7747444CBA9
                APIs
                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00424F20
                • GetSystemMetrics.USER32(00000000), ref: 00424F35
                • GetSystemMetrics.USER32(00000001), ref: 00424F40
                • lstrcpy.KERNEL32(?,DISPLAY), ref: 00424F6A
                  • Part of subcall function 004249F4: GetProcAddress.KERNEL32(76910000,00000000), ref: 00424A73
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                • String ID: DISPLAY$GetMonitorInfoW
                • API String ID: 2545840971-2774842281
                • Opcode ID: c45f2a8e0c95be6ea24fc6efd267ed36708335dcb6765969ca1c314f6654935f
                • Instruction ID: e24c95dfac7d9d854b5fe58b2d4260dc8312fd58ec6e3a1f5821dc42e2d12284
                • Opcode Fuzzy Hash: c45f2a8e0c95be6ea24fc6efd267ed36708335dcb6765969ca1c314f6654935f
                • Instruction Fuzzy Hash: 851124757047109FC720CF25AE40BA7B7E8EB96314F81462AEC0597741E3B8A808C7A9
                APIs
                  • Part of subcall function 0042C158: GetObjectA.GDI32(00000000,00000004), ref: 0042C16F
                  • Part of subcall function 0042C158: GetPaletteEntries.GDI32(00000000,00000000,?,?), ref: 0042C192
                • GetDC.USER32(00000000), ref: 0042F252
                • CreateCompatibleDC.GDI32(?), ref: 0042F25E
                • SelectObject.GDI32(?), ref: 0042F26B
                • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0042F2C3,?,?,?,?,00000000), ref: 0042F28F
                • SelectObject.GDI32(?,?), ref: 0042F2A9
                • DeleteDC.GDI32(?), ref: 0042F2B2
                • ReleaseDC.USER32(00000000,?), ref: 0042F2BD
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                • String ID:
                • API String ID: 4046155103-0
                • Opcode ID: cd5d2a831617003e81126aa56688ffe10625ad891770947aa843f643cb458986
                • Instruction ID: 3deae8a3ac8e92f0890565553bce46561bb8e4116f534deb40e2938005f98b9e
                • Opcode Fuzzy Hash: cd5d2a831617003e81126aa56688ffe10625ad891770947aa843f643cb458986
                • Instruction Fuzzy Hash: 3011BC76E04218ABDB00EBE9DC51EAEB3BCEF09304F8184B7F504E7281D6799D408B65
                APIs
                • GetCursorPos.USER32 ref: 0046807B
                • WindowFromPoint.USER32(?,?), ref: 00468088
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00468096
                • GetCurrentThreadId.KERNEL32 ref: 0046809D
                • SendMessageA.USER32(00000000,00000084,00000000,?), ref: 004680C6
                • SendMessageA.USER32(00000000,00000020,00000000,?), ref: 004680D8
                • SetCursor.USER32(00000000), ref: 004680EA
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                • String ID:
                • API String ID: 1770779139-0
                • Opcode ID: 5e555a489bf050b1fbf451ad09dbe280ddd24cfb56d68ce0ace95fcacc14387d
                • Instruction ID: 22b96766d37f5b358c1973bb0c4e83eb85e6a4261097738a3ba0a6f9cb1351c9
                • Opcode Fuzzy Hash: 5e555a489bf050b1fbf451ad09dbe280ddd24cfb56d68ce0ace95fcacc14387d
                • Instruction Fuzzy Hash: 0E01D62610931035C6203B258C41B3F77A89F84B45F00892FF984A6292FA7D9C04936B
                APIs
                  • Part of subcall function 0040E284: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040E2A1
                  • Part of subcall function 0040E284: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040E2C5
                  • Part of subcall function 0040E284: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040E2E0
                  • Part of subcall function 0040E284: LoadStringA.USER32(00000000,0000FFD0,?,00000100), ref: 0040E376
                • CharToOemA.USER32(?,?), ref: 0040E443
                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0040EBF5,0040ED2E,004109EC,00000000,00410B30), ref: 0040E460
                • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,0040EBF5,0040ED2E,004109EC,00000000,00410B30), ref: 0040E466
                • GetStdHandle.KERNEL32(000000F4,0040E4D0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040EBF5,0040ED2E,004109EC,00000000,00410B30), ref: 0040E47B
                • WriteFile.KERNEL32(00000000,000000F4,0040E4D0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0040EBF5,0040ED2E,004109EC,00000000), ref: 0040E481
                • LoadStringA.USER32(00000000,0000FFD1,?,00000040), ref: 0040E4A3
                • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040E4B9
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                • String ID:
                • API String ID: 185507032-0
                • Opcode ID: e2febc6c04d7cfbaae905e1241a71673f8a228f20c3e67f342875616c8a47786
                • Instruction ID: 0c8b10d09d83d297868e3f50993bd40428ad8b98cf442c3159a11d087430f890
                • Opcode Fuzzy Hash: e2febc6c04d7cfbaae905e1241a71673f8a228f20c3e67f342875616c8a47786
                • Instruction Fuzzy Hash: D9115EB25482047ED200E7A5CC82F9B77ECAB45708F40493BB654E71E2DA78FA44976B
                APIs
                • GetTickCount.KERNEL32 ref: 00438E2F
                • GetTickCount.KERNEL32 ref: 00438E55
                  • Part of subcall function 00438CB8: SendMessageA.USER32(00000000,00000140), ref: 00438CE5
                • SendMessageA.USER32(00000000,0000014E,000000FF,00000000), ref: 00438F48
                • SendMessageA.USER32(00000000,00000142,00000000,?), ref: 00438F99
                  • Part of subcall function 00438CFC: SendMessageA.USER32(00000000,00000140,?,?), ref: 00438D3D
                  • Part of subcall function 00438CFC: SendMessageA.USER32(00000000,0000014E,000000FF,00000000), ref: 00438D69
                  • Part of subcall function 00438CFC: SendMessageA.USER32(00000000,00000142,00000000,?), ref: 00438D9B
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004390EA
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00439138
                  • Part of subcall function 004379F4: SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 00437A08
                  • Part of subcall function 00437A18: SendMessageA.USER32(00000000,0000014F,?,00000000), ref: 00437A34
                  • Part of subcall function 00437A18: InvalidateRect.USER32(00000000,000000FF,000000FF), ref: 00437A51
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Message$Send$CountPeekTick$InvalidateRect
                • String ID:
                • API String ID: 2065907832-0
                • Opcode ID: 2d50ce99df3bca85cd547a43ea7af3f4c48730bd1cd1d0ff14144ec45122c280
                • Instruction ID: 7a3f70e75c40f4e0b656a8976dc71d70fc0d1669ffcb8301f25594a17c9921b6
                • Opcode Fuzzy Hash: 2d50ce99df3bca85cd547a43ea7af3f4c48730bd1cd1d0ff14144ec45122c280
                • Instruction Fuzzy Hash: 01C15430A04209DBDF10EBA5C985BDEB7B5EF49304F2441A6F414BB396CB78AE05DB58
                APIs
                • SetTextColor.GDI32(00000000,00FFFFFF), ref: 0045AFA9
                • SetBkColor.GDI32(00000000,00000000), ref: 0045AFB1
                • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 0045AFD6
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Color$Text
                • String ID:
                • API String ID: 657580467-0
                • Opcode ID: f179f29f39ac2b2589bc67d52972dd3c0c067758c50504c5c5bad28d1fe5000b
                • Instruction ID: 8a95558c12c32751f4d34af21bdad5900b9756332dbba8cf1c9b799e3a533a37
                • Opcode Fuzzy Hash: f179f29f39ac2b2589bc67d52972dd3c0c067758c50504c5c5bad28d1fe5000b
                • Instruction Fuzzy Hash: 0A512C71700115AFDB40EF6DDD82F9E37A8AF08304F50115AF904EB386CA78EC559BAA
                APIs
                • FillRect.USER32(?,?), ref: 004627DD
                • GetClientRect.USER32(00000000,?), ref: 00462808
                • FillRect.USER32(?,?,00000000), ref: 00462827
                  • Part of subcall function 004626D8: CallWindowProcA.USER32(?,?,?,?,?), ref: 00462712
                • BeginPaint.USER32(?,?), ref: 0046289F
                • GetWindowRect.USER32(?,?), ref: 004628CC
                • EndPaint.USER32(?,?,00462940), ref: 0046292C
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Rect$FillPaintWindow$BeginCallClientProc
                • String ID:
                • API String ID: 901200654-0
                • Opcode ID: f4d75ba7f06cc1c723c4b3daf5ef0287de4379c4a8f137837756d0cd4049fd11
                • Instruction ID: 5b9c502fd9a4c1ded124713944ecd5b5e34cea3dfa0e43a4604807ba08b8009a
                • Opcode Fuzzy Hash: f4d75ba7f06cc1c723c4b3daf5ef0287de4379c4a8f137837756d0cd4049fd11
                • Instruction Fuzzy Hash: 9F51FE74E04508EFCB00DFA9C689E9EB7F8AF48314F1481A6E404EB352D778AE45CB55
                APIs
                  • Part of subcall function 0042B1F0: RtlEnterCriticalSection.NTDLL(00545A74), ref: 0042B1F8
                  • Part of subcall function 0042B1F0: RtlLeaveCriticalSection.NTDLL(00545A74), ref: 0042B205
                  • Part of subcall function 0042B1F0: RtlEnterCriticalSection.NTDLL(00000038), ref: 0042B20E
                • SaveDC.GDI32(?), ref: 00464EAD
                • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,00000000,00465038,?,00000000,0046505B), ref: 00464F34
                • GetStockObject.GDI32(00000004), ref: 00464F56
                • FillRect.USER32(00000000,?,00000000), ref: 00464F6F
                • RestoreDC.GDI32(00000000,?), ref: 00464FE5
                  • Part of subcall function 00429CCC: GetSysColor.USER32(?), ref: 00429CD6
                • SetBkColor.GDI32(00000000,00000000), ref: 00464FBA
                  • Part of subcall function 0042B140: FillRect.USER32(?,00000000,00000000), ref: 0042B169
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CriticalRectSection$ColorEnterFill$ClipExcludeLeaveObjectRestoreSaveStock
                • String ID:
                • API String ID: 3001281481-0
                • Opcode ID: 69dd2de978002751ee9f532751e670070f45248f32366567e57bc2023eb4c083
                • Instruction ID: 74dfcd95c2e3d51d0dcfb61633c914ca4c4ff3bb5c8c41460f192688992cf057
                • Opcode Fuzzy Hash: 69dd2de978002751ee9f532751e670070f45248f32366567e57bc2023eb4c083
                • Instruction Fuzzy Hash: BB511874A00104EFDB44EFA9C989E9AB7F9EF49304F1540A6F804AB352D738EE40CB56
                APIs
                • GetSystemMetrics.USER32(0000000B), ref: 0042C456
                • GetSystemMetrics.USER32(0000000C), ref: 0042C462
                • GetDC.USER32(00000000), ref: 0042C47E
                • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042C4A5
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042C4B2
                • ReleaseDC.USER32(00000000,00000000), ref: 0042C4EB
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CapsDeviceMetricsSystem$Release
                • String ID:
                • API String ID: 447804332-0
                • Opcode ID: 891aae4064a12fd073660cc91db8b194d7ef7c47770e37b53dabb6cf1b179577
                • Instruction ID: 6fc41af8c430de4b53a5529e288d1d18ee8e850a9fafd82023bc6318b2b09cd3
                • Opcode Fuzzy Hash: 891aae4064a12fd073660cc91db8b194d7ef7c47770e37b53dabb6cf1b179577
                • Instruction Fuzzy Hash: 1D317370E04214AFEB00EF55C891AAEBBB5FF49710F50C16AF414BB395C678AD41CB69
                APIs
                  • Part of subcall function 0042C72C: GetObjectA.GDI32(?,00000054), ref: 0042C740
                • CreateCompatibleDC.GDI32(00000000), ref: 0042C8A2
                • SelectPalette.GDI32(?,?,00000000), ref: 0042C8C3
                • RealizePalette.GDI32(?), ref: 0042C8CF
                • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0042C8E6
                • SelectPalette.GDI32(?,00000000,00000000), ref: 0042C90E
                • DeleteDC.GDI32(?), ref: 0042C917
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                • String ID:
                • API String ID: 1221726059-0
                • Opcode ID: 66ed7bfbbe9bed92aaec71799be1bb3354ee2c565697b24d632b5df8e6d8c189
                • Instruction ID: 470ed0ec2df5d84b612f1fa203cef4b09cc21e53d748e354ec84248f83acb97a
                • Opcode Fuzzy Hash: 66ed7bfbbe9bed92aaec71799be1bb3354ee2c565697b24d632b5df8e6d8c189
                • Instruction Fuzzy Hash: 651182B5F042047FDB10EAA9CC82F5EB7FCEB49700F908466B514E7281D678A900C769
                APIs
                • CreateCompatibleDC.GDI32(00000000), ref: 0042C0CD
                • SelectObject.GDI32(00000000,00000000), ref: 0042C0D6
                • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,0043069F,?,?,?,?,0042F0AF), ref: 0042C0EA
                • SelectObject.GDI32(00000000,00000000), ref: 0042C0F6
                • DeleteDC.GDI32(00000000), ref: 0042C0FC
                • CreatePalette.GDI32 ref: 0042C143
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                • String ID:
                • API String ID: 2515223848-0
                • Opcode ID: 267e09ca5b4e69442a92555d19569344a952dc78c8d7b2e00253d34414a04c54
                • Instruction ID: fa4bd6ada78e79db956b83943e59830ac57db8d351d55776fcb3fdaaf0c10835
                • Opcode Fuzzy Hash: 267e09ca5b4e69442a92555d19569344a952dc78c8d7b2e00253d34414a04c54
                • Instruction Fuzzy Hash: 5401846170831062E614776A9C87BAF72A89FC0758F44C82FB588A72C3E67C9C44939B
                APIs
                • GetDC.USER32(00000000), ref: 004370D4
                • GetTextMetricsA.GDI32(?,?), ref: 004370F2
                  • Part of subcall function 0042A1D8: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,0042A3CC,?,00000000,0042A3F4), ref: 0042A307
                • SelectObject.GDI32(?,00000000), ref: 00437107
                • GetTextMetricsA.GDI32(?,?), ref: 00437116
                • SelectObject.GDI32(?,00000000), ref: 00437120
                • ReleaseDC.USER32(00000000,?), ref: 00437138
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: MetricsObjectSelectText$CompareReleaseString
                • String ID:
                • API String ID: 1563205963-0
                • Opcode ID: 552deff41c94874b162c9309ea88d4f88a5ab710295e157252363d0869e6af6a
                • Instruction ID: 2862f79a494c5350378564e1895ce77e6fca9e1ccd2886f1cc77fee30c0b14ab
                • Opcode Fuzzy Hash: 552deff41c94874b162c9309ea88d4f88a5ab710295e157252363d0869e6af6a
                • Instruction Fuzzy Hash: 0401F4B6E48208BFEB50EBE9CC42D9EB7FCEB1C704F514466B504E3291D538AD408765
                APIs
                • GetDC.USER32(00000000), ref: 004312E4
                • CreateHalftonePalette.GDI32(00000000,00000000), ref: 004312F1
                • ReleaseDC.USER32(00000000,00000000), ref: 00431300
                • DeleteObject.GDI32(00000000), ref: 0043136E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateDeleteHalftoneObjectPaletteRelease
                • String ID: (
                • API String ID: 577518360-3887548279
                • Opcode ID: e8a3e7981e5a5756533b8aaad02d2123facb645fe653d7e268a554003a6346ad
                • Instruction ID: f7023221f59aef076054e56dc3816b316769581c9865044050618c6f80b16091
                • Opcode Fuzzy Hash: e8a3e7981e5a5756533b8aaad02d2123facb645fe653d7e268a554003a6346ad
                • Instruction Fuzzy Hash: CE41A370A04208DFDB10DFA5D485B9EB7F6EF4D304F5050AAE804AB3A1D7785E45DB89
                APIs
                • ioctlsocket.WS2_32(?,4004667F,00000000), ref: 0047E5F3
                • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,0047E6C5,?,00000000,0047E6E2), ref: 0047E62D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorLastioctlsocket
                • String ID: 3'$recv$pA
                • API String ID: 1021210092-1249244695
                • Opcode ID: 0967f6376fa7a339cb632a8818392baaa3ade259cc63ce2c86f2db0d79f082d2
                • Instruction ID: ed52d02da9f1272e74a917e7ad8170c3a271ac94729a6091556817612eff6dff
                • Opcode Fuzzy Hash: 0967f6376fa7a339cb632a8818392baaa3ade259cc63ce2c86f2db0d79f082d2
                • Instruction Fuzzy Hash: 11416270D00248AFDB00DFAAC885ADEB7F4EB1D314F6085AAE408E3391D7389E40DB58
                APIs
                • send.WS2_32(?,?,?,00000000), ref: 0047E46B
                • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,0047E515,?,00000000,0047E532), ref: 0047E47D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorLastsend
                • String ID: 3'$send$pA
                • API String ID: 1802528911-3472033055
                • Opcode ID: ab98135728f0949c11ab5fef54d118f81d043f178199ee38a923a89faab5a2b9
                • Instruction ID: f7e29d88ba94e9427f405a897a6c6bec27dcb567771e382228015a4854872087
                • Opcode Fuzzy Hash: ab98135728f0949c11ab5fef54d118f81d043f178199ee38a923a89faab5a2b9
                • Instruction Fuzzy Hash: 3E315274D04248AFDB00DFA9C885ADDBBF4EB4D318F6485AAE408A3391D7796E00DB58
                APIs
                • IsWindow.USER32(?), ref: 004325CD
                • FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 004325FE
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00432637
                • GetCurrentThreadId.KERNEL32 ref: 0043263E
                  • Part of subcall function 004071C4: TlsGetValue.KERNEL32(00000000,00000000,004030A1,?,?,?,?,?,0040478C), ref: 004071E9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$Thread$CurrentFindProcessValue
                • String ID: OleMainThreadWndClass
                • API String ID: 973455579-3883841218
                • Opcode ID: 151d6356d028db59899dcd6740183639055a228577608f53271ac03b1b3842df
                • Instruction ID: 35132418b47a8ebdf1ccd2308f00127e02e81abf14de527aecd6d2b034a70fa5
                • Opcode Fuzzy Hash: 151d6356d028db59899dcd6740183639055a228577608f53271ac03b1b3842df
                • Instruction Fuzzy Hash: B301DB30908284AAC720F7A58D59BA636947F05318F1514FBF5405F2E2C7FC6C40D75A
                APIs
                • GetWindowLongA.USER32(?,000000FC), ref: 004787F2
                • SetWindowLongA.USER32(00000000,000000FC,Function_00048374), ref: 00478812
                • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00478824
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: LongWindow$MessageSend
                • String ID: (nG$TDG
                • API String ID: 2178440468-2170266305
                • Opcode ID: 9b71d9eb0524d78079caa223a265145337388786068c598ad0373c01e66393b1
                • Instruction ID: 9b8f479e3202ecc3d49ebddec83c490608b75ffc31a235f52e7b80a66ab6a62e
                • Opcode Fuzzy Hash: 9b71d9eb0524d78079caa223a265145337388786068c598ad0373c01e66393b1
                • Instruction Fuzzy Hash: 9D011E70649210AFDB10AF69DD89F9A37E4AF05324F15567AF9089F2D2CB386840CB69
                APIs
                • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 004AF44D
                • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004AF456
                • CloseHandle.KERNEL32(000000FF), ref: 004AF54A
                • ReadFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004AF60A
                • GetLastError.KERNEL32(000000FF,?,?,?,00000000), ref: 004AF613
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorFileLastRead$CloseHandle
                • String ID:
                • API String ID: 2667441831-0
                • Opcode ID: 9abc3363b6e1f94789b2663724688371f57522f7599d5fc13503c868efc2c98a
                • Instruction ID: b49b58f5295d1517dfd3814c580a0b01326b482e489584c996a3153a7643e7f6
                • Opcode Fuzzy Hash: 9abc3363b6e1f94789b2663724688371f57522f7599d5fc13503c868efc2c98a
                • Instruction Fuzzy Hash: 4CA13A75900205DFCB10CF99C980AAA77F5FF69324F24866AE844AB346D338ED46CF95
                APIs
                • GetDC.USER32(?), ref: 00471511
                • GetWindowRect.USER32(?,?), ref: 00471535
                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0047154C
                • ReleaseDC.USER32(?,?), ref: 00471586
                • CallWindowProcA.USER32(?,?,?,?,?), ref: 004715BC
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$CallPointsProcRectRelease
                • String ID:
                • API String ID: 908809887-0
                • Opcode ID: 80e61e5edc056a1b6a7b400b84868759877ae3d521d57eadaab18abf730d849d
                • Instruction ID: 2a4ee6a02eb35b91847e18adb6beac26f99192a1d1a143a08b4316785fa0973e
                • Opcode Fuzzy Hash: 80e61e5edc056a1b6a7b400b84868759877ae3d521d57eadaab18abf730d849d
                • Instruction Fuzzy Hash: B341A372608104EFD714DFACD9899AA77E8EB89310F6184B6F409DB7A1D738ED04CA19
                APIs
                • SaveDC.GDI32(?), ref: 004AC0F7
                • GetViewportOrgEx.GDI32(?,?), ref: 004AC107
                • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 004AC126
                • IntersectClipRect.GDI32(?,00000000,00000000,00000000,00000000), ref: 004AC14B
                • RestoreDC.GDI32(?,?), ref: 004AC1D9
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Viewport$ClipIntersectRectRestoreSave
                • String ID:
                • API String ID: 2577595460-0
                • Opcode ID: 085c759a5bbaac99b26cbaed34d0854c10d0fab806d853789f03a9df3ff8f731
                • Instruction ID: d4bd2ac46390f8bf2a79ba3ba1d09990beefc88ffe73caea05a8b15bb647e30f
                • Opcode Fuzzy Hash: 085c759a5bbaac99b26cbaed34d0854c10d0fab806d853789f03a9df3ff8f731
                • Instruction Fuzzy Hash: 9341E975B04208EFDB40DF99C981F9EBBB9EF59314F1041E5FA04AB792C634AE009B54
                APIs
                • EnumWindows.USER32(00469300,00000000), ref: 00469408
                • ShowWindow.USER32(?,00000000,00469300,00000000,?,?,0283F460,0046C494,0001040C,?,?,00462248), ref: 0046943D
                • ShowOwnedPopups.USER32(00000000,0285C440), ref: 0046946C
                • ShowWindow.USER32(?,00000005,?,?,0283F460,0046C494,0001040C,?,?,00462248), ref: 004694D2
                • ShowOwnedPopups.USER32(00000000,0285C440), ref: 00469501
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Show$OwnedPopupsWindow$EnumWindows
                • String ID:
                • API String ID: 315437064-0
                • Opcode ID: 6a972c02f9e95f0851bcb6cd34d02a030b6af7128733e32c068895dfb44ba755
                • Instruction ID: b7e1cb903973a6bce0b539517651bed1993c5b15b045e923d0e4450f66927491
                • Opcode Fuzzy Hash: 6a972c02f9e95f0851bcb6cd34d02a030b6af7128733e32c068895dfb44ba755
                • Instruction Fuzzy Hash: 6231B9316046009FD710A739D844B9A73A9EB5136CF04452BE459873E3EB78AC86CB56
                APIs
                  • Part of subcall function 004325B0: IsWindow.USER32(?), ref: 004325CD
                  • Part of subcall function 004325B0: FindWindowExA.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 004325FE
                  • Part of subcall function 004325B0: GetWindowThreadProcessId.USER32(?,00000000), ref: 00432637
                  • Part of subcall function 004325B0: GetCurrentThreadId.KERNEL32 ref: 0043263E
                • MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0043269E
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004326B9
                • TranslateMessage.USER32(?), ref: 004326C6
                • DispatchMessageA.USER32(?), ref: 004326CF
                • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 004326FB
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: MessageWindow$MultipleObjectsThreadWait$CurrentDispatchFindPeekProcessTranslate
                • String ID:
                • API String ID: 2725875890-0
                • Opcode ID: 6aa626266e0b5cd55d2f81bc7ad64dc8185c070e7e0db36e0d29cc167919be8e
                • Instruction ID: 66cb5b80736f4384753a5702bdfc48fe44e1918f9174e53249edfc96cc96552a
                • Opcode Fuzzy Hash: 6aa626266e0b5cd55d2f81bc7ad64dc8185c070e7e0db36e0d29cc167919be8e
                • Instruction Fuzzy Hash: 55216575A04209ABDB10DEA5CD85FAB73A9FB08350F20552AFE04D7280D6BDD94087A9
                APIs
                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 004CC34C
                • GetFileSizeEx.KERNEL32(000000FF,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,004CC3F3,?,00000000,80000000,00000001,00000000), ref: 004CC399
                • GetFileSize.KERNEL32(000000FF,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,004CC3F3,?,00000000,80000000,00000001,00000000), ref: 004CC3B2
                • GetLastError.KERNEL32(000000FF,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,004CC3F3,?,00000000,80000000,00000001,00000000), ref: 004CC3C0
                • CloseHandle.KERNEL32(000000FF,004CC3FA,00000000,00000000,00000000,00000000,00000000,004CC3F3,?,00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 004CC3ED
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: File$Size$CloseCreateErrorHandleLast
                • String ID:
                • API String ID: 3878045067-0
                • Opcode ID: 7db3b924890ea0b6315134f65b9988de62725ac505a39361757b1a883f7a3b91
                • Instruction ID: 9b10787837f107136a8b754c85e13901d5848f2725a7f6ecefc69b6dc6bb752d
                • Opcode Fuzzy Hash: 7db3b924890ea0b6315134f65b9988de62725ac505a39361757b1a883f7a3b91
                • Instruction Fuzzy Hash: 31219178E00204AFDB50DBA9EC95F9EB7B8EB08314F10856AF904F32D0D778A941CB59
                APIs
                • GetDC.USER32(00000000), ref: 004306AA
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004306BF
                • GetDeviceCaps.GDI32(00000000,0000000E), ref: 004306C9
                • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042F0AF,00000000,0042F13B), ref: 004306ED
                • ReleaseDC.USER32(00000000,00000000), ref: 004306F8
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CapsDevice$CreateHalftonePaletteRelease
                • String ID:
                • API String ID: 2404249990-0
                • Opcode ID: f5ccb66b8e45d73b113ad1a12499e519ec53c6792fc51968d0336a1fbf0a6df5
                • Instruction ID: fadaab01a80b2e562dd9808276fce13bb57b357b0b0e732aa0fe71833405a8c3
                • Opcode Fuzzy Hash: f5ccb66b8e45d73b113ad1a12499e519ec53c6792fc51968d0336a1fbf0a6df5
                • Instruction Fuzzy Hash: 51112921A453699AEB20EF71D8557EF3B90AF44358F00232BF800963C1D7BCAC90C7A9
                APIs
                • GetWindowLongA.USER32(00000000,000000EC), ref: 004671D4
                • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00467206
                • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0046456C), ref: 0046723F
                • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00467258
                • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0046456C), ref: 0046726E
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$Long$AttributesLayeredRedraw
                • String ID:
                • API String ID: 1758778077-0
                • Opcode ID: c2ee10da2e8c8ac75dcedfc937120e84687a67bc514c15d12ab1878396fbcd34
                • Instruction ID: e24072e5e4d3e298da75e84d2a686b6605df0199eea66a1f952d63f20f945047
                • Opcode Fuzzy Hash: c2ee10da2e8c8ac75dcedfc937120e84687a67bc514c15d12ab1878396fbcd34
                • Instruction Fuzzy Hash: B4110A60E083902ACF126F754C85F56268C5B1236FF0805BBBD54EA3D3CA3CE948876D
                APIs
                • GetDC.USER32(00000000), ref: 0042C034
                • GetDeviceCaps.GDI32(?,00000068), ref: 0042C050
                • GetPaletteEntries.GDI32(20080DD9,00000000,00000008,?), ref: 0042C068
                • GetPaletteEntries.GDI32(20080DD9,00000008,00000008,?), ref: 0042C080
                • ReleaseDC.USER32(00000000,?), ref: 0042C09C
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: EntriesPalette$CapsDeviceRelease
                • String ID:
                • API String ID: 3128150645-0
                • Opcode ID: 72a2c92e7a193d0698e783e8d690eca7e62f9f7da38c09a61b554a40ab5a4725
                • Instruction ID: 1854eb36669ae60b39ff5b54299426de766df93a2c3f2ff4981eaa352a6c4578
                • Opcode Fuzzy Hash: 72a2c92e7a193d0698e783e8d690eca7e62f9f7da38c09a61b554a40ab5a4725
                • Instruction Fuzzy Hash: FF11E971A4C204AFF711DBE59C82F6D7798E70A704F9080AAF204AA1C2D6796404D325
                APIs
                • GetThreadLocale.KERNEL32(?,00000000,0040E02F,?,?,00000000), ref: 0040DFB0
                  • Part of subcall function 0040DBC0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040DBDE
                • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040E02F,?,?,00000000), ref: 0040DFE0
                • EnumCalendarInfoA.KERNEL32(Function_0000DEE4,00000000,00000000,00000004), ref: 0040DFEB
                • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040E02F,?,?,00000000), ref: 0040E009
                • EnumCalendarInfoA.KERNEL32(Function_0000DF20,00000000,00000000,00000003), ref: 0040E014
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Locale$InfoThread$CalendarEnum
                • String ID:
                • API String ID: 4102113445-0
                • Opcode ID: c6aac3933856ad7c00734a052f48ccea971e14d98a5a40363cffe41be10ee6ba
                • Instruction ID: a5f89ad139b415f36797c3dcf55dab7a08595ba26ab67332058f1da6688b6205
                • Opcode Fuzzy Hash: c6aac3933856ad7c00734a052f48ccea971e14d98a5a40363cffe41be10ee6ba
                • Instruction Fuzzy Hash: B301F771A042057BE311E7B6CC13B9A765CDB46718F614577F500B6AC2DA7CAE00426E
                APIs
                • UnhookWindowsHookEx.USER32(00000000), ref: 00468957
                • SetEvent.KERNEL32(00000000,0046B612,?,0046B483), ref: 00468972
                • GetCurrentThreadId.KERNEL32 ref: 00468977
                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0046B612,?,0046B483), ref: 0046898C
                • CloseHandle.KERNEL32(00000000,00000000,0046B612,?,0046B483), ref: 00468997
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                • String ID:
                • API String ID: 2429646606-0
                • Opcode ID: d78b591bb94a12724f1393629c091532d482433a740b51e3398f3544d3e2511c
                • Instruction ID: d47f78cc1c2dad98c02acd062f01a2725e73e9f8dfb9b2f1e5c256c2ea1b5d1e
                • Opcode Fuzzy Hash: d78b591bb94a12724f1393629c091532d482433a740b51e3398f3544d3e2511c
                • Instruction Fuzzy Hash: 25F0FEB4904B009BD751AB78EDC969633B4631630DB00092AE010D73E2FE38AC48AB16
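The "API ID" under each Similarity block is a key built from the API names in the function's call list, subcalls included, and it is what lets the report group functions with the same import vocabulary across samples. The Python below, added here as an example and not part of Joe Sandbox or of this report, parses "APIs" lines in the form shown above and rebuilds that key. The tokenisation rule it uses (split each API name on CamelCase, drop tokens of three characters or fewer such as Get, Set, For, Map, Ex, Id and A, count the rest, emit the most frequent group first with `$` between groups and alphabetical order inside a group) is inferred from the entries on this page, not taken from Joe Sandbox documentation, so treat it as an assumption; the sample input is copied from three of the entries above.

```python
"""Parse the per-function "APIs" lists of a Joe Sandbox IDA-plugin report and
rebuild the "API ID" key shown under "Similarity".

Assumption (inferred from report entries, not documented): split each API name
on CamelCase, drop tokens of three characters or fewer (Get, Set, For, Map, Ex,
Id, A), count the remaining tokens over the whole list including subcalls, and
join the groups most-frequent-first with "$", alphabetical inside a group.
"""
import re
from collections import Counter

# One API line: optional bullet, optional "Part of subcall function XXXX:" prefix,
# then Name.MODULE(args), ref: ADDR. The argument list may be absent, e.g.
# "GetCurrentThreadId.KERNEL32 ref: 00468977".
_API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# CamelCase splitter that keeps a leading acronym whole:
# "WSACancelAsyncRequest" -> ["WSA", "Cancel", "Async", "Request"]
_CAMEL = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z][a-z0-9]*|[a-z0-9]+")

# Constructed sample input: the "APIs" lists of three function entries of this
# report, keyed by the address of the first call.
SAMPLE_FUNCTIONS = {
    "004671D4": """\
• GetWindowLongA.USER32(00000000,000000EC), ref: 004671D4
• SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00467206
• SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0046456C), ref: 0046723F
• SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00467258
• RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0046456C), ref: 0046726E
""",
    "0040DFB0": """\
• GetThreadLocale.KERNEL32(?,00000000,0040E02F,?,?,00000000), ref: 0040DFB0
  • Part of subcall function 0040DBC0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040DBDE
• GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040E02F,?,?,00000000), ref: 0040DFE0
• EnumCalendarInfoA.KERNEL32(Function_0000DEE4,00000000,00000000,00000004), ref: 0040DFEB
• GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040E02F,?,?,00000000), ref: 0040E009
• EnumCalendarInfoA.KERNEL32(Function_0000DF20,00000000,00000000,00000003), ref: 0040E014
""",
    "00468957": """\
• UnhookWindowsHookEx.USER32(00000000), ref: 00468957
• SetEvent.KERNEL32(00000000,0046B612,?,0046B483), ref: 00468972
• GetCurrentThreadId.KERNEL32 ref: 00468977
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0046B612,?,0046B483), ref: 0046898C
• CloseHandle.KERNEL32(00000000,00000000,0046B612,?,0046B483), ref: 00468997
""",
}


def parse_api_lines(text):
    """Return one dict per API line: api, module, args (list), ref (int), subcall.

    subcall is the address of the called helper when the line is marked
    "Part of subcall function", otherwise None.
    """
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue  # not an API line (headings, dump sources, hashes)
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),
        })
    return calls


def api_id(calls):
    """Rebuild the report's "API ID" from parsed calls (subcalls included)."""
    counts = Counter(
        tok for c in calls for tok in _CAMEL.findall(c["api"]) if len(tok) > 3
    )
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    # Most frequent group first; alphabetical inside a group; "$" between groups.
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def api_set(calls):
    """Distinct (api, module) pairs, handy for diffing two functions' imports."""
    return frozenset((c["api"], c["module"]) for c in calls)


if __name__ == "__main__":
    for start, text in SAMPLE_FUNCTIONS.items():
        parsed = parse_api_lines(text)
        print(f"{start}: {len(parsed)} calls, API ID = {api_id(parsed)}")
```

The key only records which API name tokens occur and how often, not their order or arguments, so two unrelated routines that touch the same APIs share an API ID; use the Opcode and Instruction fuzzy hashes in the same block when the question is whether the code itself matches. The numeric "API String ID" (API hash followed by a hash of the String ID, `-0` when the function references no strings) is not reproducible from the page, so the example stops at the token key.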
                APIs
                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0044C8F5
                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0044C9F7
                • MapWindowPoints.USER32(00000000,00000000,?,00000001), ref: 0044CA34
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: PointsWindow
                • String ID: |ZD
                • API String ID: 4123100037-2471458929
                • Opcode ID: d7b00876be250b93cde2b9c01517f947dbb65082a1bdf2ed0815ff316db825c0
                • Instruction ID: cd2fb39542018c3bded0bd4ea460d3dd6d93b0ea38d2231ead040f299d079ef1
                • Opcode Fuzzy Hash: d7b00876be250b93cde2b9c01517f947dbb65082a1bdf2ed0815ff316db825c0
                • Instruction Fuzzy Hash: FF519371E012099FDB11DF69C881AEEB7F5AF49704F0440AAED14B7392C7789E05CBA5
                APIs
                • ReadFile.KERNEL32(?,?,00014000,?,00000000,00000000,004B0E7E,?,00000000,00000000,00000003,00000000), ref: 004B0DA5
                • ReadFile.KERNEL32(?,?,00000006,?,00000000,?,?,00014000,?,00000000,00000000,004B0E7E,?,00000000,00000000,00000003), ref: 004B0E33
                • CloseHandle.KERNEL32(?,004B0E85,?,00000000,00000000,004B0E7E,?,00000000,00000000,00000003,00000000), ref: 004B0E78
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: FileRead$CloseHandle
                • String ID: .EXE
                • API String ID: 1447241488-1663838841
                • Opcode ID: 4c9eab37ef26898e21ba200038555d0098bab54b5071a8dd7b6ee925e81429e6
                • Instruction ID: 432cca30d14fb0b1f5d6e9f6243fbe920beda6a539327f2c2f9aaeb1d23723c0
                • Opcode Fuzzy Hash: 4c9eab37ef26898e21ba200038555d0098bab54b5071a8dd7b6ee925e81429e6
                • Instruction Fuzzy Hash: 7E510671A042189EDB21DF66CC41FCB77A9EB49704F1144F6F608EB291D7389A80CB79
                APIs
                • GetThreadLocale.KERNEL32(?,00000000,0040E218,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040E077
                  • Part of subcall function 0040DBC0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040DBDE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Locale$InfoThread
                • String ID: eeee$ggg$yyyy
                • API String ID: 4232894706-1253427255
                • Opcode ID: b67511f5c09a26975d8456d9d66024b0a91581b3767694db3d6517895765b849
                • Instruction ID: f861896a6c69efd921db90e54d03e2f077c83ad14a3244300d7773f717b9f054
                • Opcode Fuzzy Hash: b67511f5c09a26975d8456d9d66024b0a91581b3767694db3d6517895765b849
                • Instruction Fuzzy Hash: F64124703041114BC711A6BB88816BFB2AAEB95308B644C7BF551FB3C5DA3CDE12966F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID: D[D$YD
                • API String ID: 0-2040119146
                • Opcode ID: a07048ffb0b0b912616309de2928d71b15b1d36a883925e46524307b39a0c11c
                • Instruction ID: 4fd53f15fbfade41c5e2dac5346c5b2e645532b431c4525388f581bf876fdb7a
                • Opcode Fuzzy Hash: a07048ffb0b0b912616309de2928d71b15b1d36a883925e46524307b39a0c11c
                • Instruction Fuzzy Hash: CA518034E04649DFEB04CF69D880A9EBBF5FF99318F1080AAE800A7351D775AD45DB58
                APIs
                • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00404492
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID: (@$D@
                • API String ID: 3192549508-1509158990
                • Opcode ID: a71d11c017a9282d84d7eaf781e1e81e1a65b92414e69af3465f7e8c6584e16c
                • Instruction ID: 5639a8153dbe7c18a28a53680c4421becbbbb2b5c5e45c2c45c585efc6d1ff52
                • Opcode Fuzzy Hash: a71d11c017a9282d84d7eaf781e1e81e1a65b92414e69af3465f7e8c6584e16c
                • Instruction Fuzzy Hash: AD41C2B4204201AFD720DF15D884B27B7E5EBC8714F24857AE644AB3E1D739EC85CB69
                APIs
                • GetKeyState.USER32(00000011), ref: 00449237
                • IsWindowVisible.USER32(00000000), ref: 004492B5
                  • Part of subcall function 004491CC: IsChild.USER32(00000000,00000000), ref: 004491FC
                • PtInRect.USER32(?,?,?), ref: 0044930A
                  • Part of subcall function 0044893C: IsChild.USER32(00000000,00000000), ref: 00448993
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Child$RectStateVisibleWindow
                • String ID: <\T
                • API String ID: 718993507-2822259283
                • Opcode ID: 2826d9db3e21f7153f8b1d8da697f8338a52a0a8cc28889350e0c5b00c96a32e
                • Instruction ID: 42faf9ddbef93230d72f49ec66ab5e94130880c39cdf766d0e793209a505ffc5
                • Opcode Fuzzy Hash: 2826d9db3e21f7153f8b1d8da697f8338a52a0a8cc28889350e0c5b00c96a32e
                • Instruction Fuzzy Hash: F5416235A0020A9BDB01DFA9D485BEFF7B5AF0A304F140166E900A7392DB38AD49DB95
                APIs
                • GetCursorPos.USER32(00545C3C), ref: 004498D9
                • GetCursor.USER32(00545C3C), ref: 004498F5
                  • Part of subcall function 00448A98: SetCapture.USER32(00000000,00000000,00449909,00545C3C), ref: 00448AA7
                • GetDesktopWindow.USER32 ref: 004499E7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Cursor$CaptureDesktopWindow
                • String ID: |ZD
                • API String ID: 669539147-2471458929
                • Opcode ID: 68b200f2658f720b0de78ba24441fcee575c4ff62149cf4fb0ee70eb543d26eb
                • Instruction ID: 328b6b09b9f285ffa1f1229c5dbed35d04bcd848e97ad86beeaa24a0e1e080f4
                • Opcode Fuzzy Hash: 68b200f2658f720b0de78ba24441fcee575c4ff62149cf4fb0ee70eb543d26eb
                • Instruction Fuzzy Hash: D741B0B56047048FD308DF2DD8C8A9A7BE1BB9A308B15856ED4889B362EF34DC45EB45
                APIs
                • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,0041E030,?,?,00418A40,00000001), ref: 0041DF44
                • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,0041E030,?,?,00418A40,00000001), ref: 0041DF72
                  • Part of subcall function 0040A10C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00418A40,0041DFB2,00000000,0041E030,?,?,00418A40), ref: 0040A15A
                  • Part of subcall function 0040A658: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,00418A40,0041DFCD,00000000,0041E030,?,?,00418A40,00000001), ref: 0040A677
                • GetLastError.KERNEL32(00000000,0041E030,?,?,00418A40,00000001), ref: 0041DFD7
                  • Part of subcall function 0040DB74: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,00410001,00000000,0041005B), ref: 0040DB93
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                • String ID: p}A
                • API String ID: 503785936-821741567
                • Opcode ID: 37edc90ed2fc79164c9dcd8f00a14a4dc1b98c25e304e554418527a169e635ce
                • Instruction ID: 0fbc860a9f65939208f11fc2c880fd741132dbd10e9b5ca1a5f8b30f291ac631
                • Opcode Fuzzy Hash: 37edc90ed2fc79164c9dcd8f00a14a4dc1b98c25e304e554418527a169e635ce
                • Instruction Fuzzy Hash: 17318374A046189FDB00EFA6CC417DEB7F0AB49308F50447AE904B73C1D77D59458B6A
                APIs
                • closesocket.WS2_32(?), ref: 0047E120
                • WSACancelAsyncRequest.WS2_32(?), ref: 0047E0D8
                  • Part of subcall function 0047D4C8: WSAGetLastError.WS2_32(00000000,0047D575), ref: 0047D4F1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AsyncCancelErrorLastRequestclosesocket
                • String ID: WSACancelASyncRequest$closesocket
                • API String ID: 716599516-4005323415
                • Opcode ID: 7c54e5c24c5f8aeaf0d30d7f45f6d18484400b7d024541edfd18521439dfc368
                • Instruction ID: 936640fa435ec5ab5dd28b3d2f8953af0417e3a6399f947f1d889209e3c9d2da
                • Opcode Fuzzy Hash: 7c54e5c24c5f8aeaf0d30d7f45f6d18484400b7d024541edfd18521439dfc368
                • Instruction Fuzzy Hash: E6214F71A04104EFC704DBAAC98299EB7F5EF49314B65C2E6F408AB361D739EE019B58
                APIs
                • GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044416A
                • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004441BC
                • DrawMenuBar.USER32(00000000), ref: 004441C9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Menu$InfoItem$Draw
                • String ID: P
                • API String ID: 3227129158-3110715001
                • Opcode ID: 9733ddc7fecdb2501cb84ebb570a5866982540ab5e8bad2cac111ebfd73aa5bd
                • Instruction ID: ddbf9ff4bb17d627bbbee136c6afca76fbf282688306c37d98902d2fe1a1cfd5
                • Opcode Fuzzy Hash: 9733ddc7fecdb2501cb84ebb570a5866982540ab5e8bad2cac111ebfd73aa5bd
                • Instruction Fuzzy Hash: C811BF306053106FE320DB28CC85B4B7AD5AB85328F148A2AF094DB3D9D73DD884C78A
                APIs
                • GetClipboardData.USER32(0000000E), ref: 0042EC1D
                • CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 0042EC3F
                • GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000), ref: 0042EC51
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: FileMeta$ClipboardCopyDataHeader
                • String ID: 8TB
                • API String ID: 1752724394-2470237654
                • Opcode ID: ebd20c5edffddfd7bcbe0387914c3323ef52eb4d61cebd1bfa51fc35abc95ebb
                • Instruction ID: 7c9bacca59ba007455349639b1315285900abbb987340acea0f40ccd51ab1e41
                • Opcode Fuzzy Hash: ebd20c5edffddfd7bcbe0387914c3323ef52eb4d61cebd1bfa51fc35abc95ebb
                • Instruction Fuzzy Hash: F4113972B003048FC710EFAAC885A9ABBF8EF49314F54456EE948DB252DB75EC05CB95
                APIs
                • GetSystemMetrics.USER32(00000000), ref: 00424BB1
                • GetSystemMetrics.USER32(00000001), ref: 00424BBD
                  • Part of subcall function 004249F4: GetProcAddress.KERNEL32(76910000,00000000), ref: 00424A73
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: MetricsSystem$AddressProc
                • String ID: MonitorFromRect$`KB
                • API String ID: 1792783759-3205665099
                • Opcode ID: b6a4ac4b07b96f20a816070508fd0171cde0255f143aab3c51a3a0a5de23a36f
                • Instruction ID: 7007baba0aae94e5f4a1a483253bfd392f9d50ac28f7f30985298186b2e44079
                • Opcode Fuzzy Hash: b6a4ac4b07b96f20a816070508fd0171cde0255f143aab3c51a3a0a5de23a36f
                • Instruction Fuzzy Hash: CA01A2393005289FDB108F15F8C5B96BB58EB92769F948253E814CB243C378EC44DBB8
                APIs
                • ClientToScreen.USER32(?,X[E), ref: 00455960
                • GetWindowRect.USER32(?,?), ref: 0045596A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ClientRectScreenWindow
                • String ID: X[E$X[E
                • API String ID: 3371951266-1762271554
                • Opcode ID: 70f5f356be6b3c5f53bd16139bc730eaf08204284230f5230335764e963f4a37
                • Instruction ID: 2fc79b6b7ec2c8339d75fb549ccd50bb232a80313467c7915272c433e5633dc5
                • Opcode Fuzzy Hash: 70f5f356be6b3c5f53bd16139bc730eaf08204284230f5230335764e963f4a37
                • Instruction Fuzzy Hash: 0BF09EB1D04209AFCB00DFE9C9818EEBBFCEE08210F10416AA945E3241E630AA408BA5
                APIs
                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004100CA
                • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 004100DB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: GetDiskFreeSpaceExA$kernel32.dll
                • API String ID: 1646373207-3712701948
                • Opcode ID: eaf386f6c3ed527926ccb7cf2bb3e560abd35a4241b7579b6e3f2ab384e5b39c
                • Instruction ID: 1fa99cb342fdd168adacc94530a1c3edb467429dbb5615a8cca558733d1db5cb
                • Opcode Fuzzy Hash: eaf386f6c3ed527926ccb7cf2bb3e560abd35a4241b7579b6e3f2ab384e5b39c
                • Instruction Fuzzy Hash: 85D05EB0645384BBD700ABE06CC979A3A98C325326B604C3BB00075385E6FD99CCA719
                APIs
                • GetModuleHandleA.KERNEL32(ole32.dll,?,004327CE), ref: 0043275A
                • GetProcAddress.KERNEL32(00000000,CoWaitForMultipleHandles), ref: 0043276B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: CoWaitForMultipleHandles$ole32.dll
                • API String ID: 1646373207-2593175619
                • Opcode ID: e3a78530b34ac3ae4653c245d16c5a7881768af1ebe82870a678e5da578192cf
                • Instruction ID: 41e7bce46665b085546576d95634af1560086b2855a516aede272bf4b1254f20
                • Opcode Fuzzy Hash: e3a78530b34ac3ae4653c245d16c5a7881768af1ebe82870a678e5da578192cf
                • Instruction Fuzzy Hash: 39D0C7745407056FD7005BA66DC675731D8772E30EFD0323BA00125652E7FC9C48975D
                APIs
                • CharNextA.USER32(?,?,00000000,0041D02A), ref: 0041CEFC
                • CharNextA.USER32(?,?,00000000,0041D02A), ref: 0041CF97
                • CharNextA.USER32(?,?,00000000,0041D02A), ref: 0041CFB9
                • CharNextA.USER32(00000000,?,?,00000000,0041D02A), ref: 0041CFD0
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CharNext
                • String ID:
                • API String ID: 3213498283-0
                • Opcode ID: 5272b9320be7ebf73d99787e1c854df3e1d5c28f1419e92c61fe54247e49d285
                • Instruction ID: 4bb48846b4c798488f377e7ff73f9d9c91b45f81d266351055748c976e291bc5
                • Opcode Fuzzy Hash: 5272b9320be7ebf73d99787e1c854df3e1d5c28f1419e92c61fe54247e49d285
                • Instruction Fuzzy Hash: 0E516E70A44245AFDB11DB68C895A9EBFB2EF0A304F5500A6F440E7291D73CAED2CB48
                APIs
                • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044EDE7
                • MulDiv.KERNEL32(?,?,?), ref: 0044EE22
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6c12d4e96be99efd0278ee6cb88b84629a083d0080493621550ac57df861b5fd
                • Instruction ID: ca422ed34d93a87a8c1763051ac2b727a3b5b64336a51d637323fdc80289e783
                • Opcode Fuzzy Hash: 6c12d4e96be99efd0278ee6cb88b84629a083d0080493621550ac57df861b5fd
                • Instruction Fuzzy Hash: 3ED16B71A00A06DFDB11CF69C484AABBBF2BF49300F20896AE456DB355C735ED46CB51
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CursorDesktopWindow
                • String ID:
                • API String ID: 3023140981-0
                • Opcode ID: 8c1af3c5eba9742925d61ef5f057132d95cc3fca4ab92a54c8d91db6dfb85dad
                • Instruction ID: 4ead402371f6872a2df1d6a3a35788fa8c1fd96281aa08274bae4a6347c9dabf
                • Opcode Fuzzy Hash: 8c1af3c5eba9742925d61ef5f057132d95cc3fca4ab92a54c8d91db6dfb85dad
                • Instruction Fuzzy Hash: 13919039610B09CFD705DF29D4C4A9677E1BB66308F44819AE8049B377EB38EC49EB45
                APIs
                • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 004B01D8
                • GetLastError.KERNEL32(?,?,?,?,00000000,?,00000000,?,00000000,?,00000000), ref: 004B01E1
                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004B0235
                • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004B023E
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorFileLastWrite
                • String ID:
                • API String ID: 442123175-0
                • Opcode ID: 42c468327d25247cd4b025faa649570de28c22586d47d314ba210cc80173a3fd
                • Instruction ID: e833ae5637e3a2868fb08192cf1ef843049f7880e6d0cdbc4be1eaddcc81d6e8
                • Opcode Fuzzy Hash: 42c468327d25247cd4b025faa649570de28c22586d47d314ba210cc80173a3fd
                • Instruction Fuzzy Hash: B651F675A002059FDB44DF69C884AAF77F5FF88314F6586A6E804DB20AD334ED418BA5
                APIs
                • SendMessageA.USER32(00000000,0000014C,000000FF,00000000), ref: 0043921C
                • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00439271
                • SendMessageA.USER32(00000000,0000014E,000000FF,00000000), ref: 00439289
                • SendMessageA.USER32(00000000,00000142,00000000), ref: 00439326
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 861224f542de7baec404b7ddcefd877135a2f45511effcf9c7a40e39e13c8499
                • Instruction ID: 9cd363cde84ab5d518d4f67d077187387b5b8ef3f8661b82076b3b0112b8caff
                • Opcode Fuzzy Hash: 861224f542de7baec404b7ddcefd877135a2f45511effcf9c7a40e39e13c8499
                • Instruction Fuzzy Hash: 6051A170E04205ABDB00EF69C885B9EB7A5AF49704F1041BAF815BB3D6CB78AE05C759
                APIs
                • LoadLibraryA.KERNEL32(?), ref: 004932B6
                • IsBadReadPtr.KERNEL32(?,00000014), ref: 004933C3
                Similarity
                • API ID: LibraryLoadRead
                • String ID:
                • API String ID: 1452896035-0
                • Opcode ID: 68671f36cbfc829c1876579640452d4e5b2bc1d4ee0a2825290bf06463606a97
                • Instruction ID: e973e59f25c19206fda99420c4703854c9dc22fb1f62a72481b5e6904d9bd4ba
                • Opcode Fuzzy Hash: 68671f36cbfc829c1876579640452d4e5b2bc1d4ee0a2825290bf06463606a97
                • Instruction Fuzzy Hash: E9511771D40209EFCF10CFA9C884BADFBB4AF05315F0485A6E855EB341D779AA90CB55
                APIs
                • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00411FF3
                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041200F
                • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00412086
                • VariantClear.OLEAUT32(?), ref: 004120AF
                Similarity
                • API ID: ArraySafe$Bound$ClearIndexVariant
                • String ID:
                • API String ID: 920484758-0
                • Opcode ID: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
                • Instruction ID: 53d1ad3e5581e53da9bb8ae42abb98742a06e799491bb23657bc3f1a2cbc55e6
                • Opcode Fuzzy Hash: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
                • Instruction Fuzzy Hash: 4441327590021D9FCB61DB59C981BC9B3BCAF08314F0041DAE648E7312D674AFC18F58
                APIs
                • IsWindow.USER32(?), ref: 00437297
                • PostMessageA.USER32(00000000,0000B04D,00000000,00000000), ref: 0043733A
                • GetDC.USER32(00000000), ref: 00437356
                • ReleaseDC.USER32(00000000,?), ref: 004373AB
                Similarity
                • API ID: MessagePostReleaseWindow
                • String ID:
                • API String ID: 3940843980-0
                • Opcode ID: 046256559ca7b9f28eccc8df213c225907192480c6f850805ffb522b1e2ed8e3
                • Instruction ID: 622464755c68bb5461190525a43686cb28cc280ba2fff758abb76ce9672cf81d
                • Opcode Fuzzy Hash: 046256559ca7b9f28eccc8df213c225907192480c6f850805ffb522b1e2ed8e3
                • Instruction Fuzzy Hash: A04167B0A08204EFCB10DFA9C985A9DB7F5EF09314F5451A6FD44AB351D7399E00EB98
                APIs
                  • Part of subcall function 0042B1F0: RtlEnterCriticalSection.NTDLL(00545A74), ref: 0042B1F8
                  • Part of subcall function 0042B1F0: RtlLeaveCriticalSection.NTDLL(00545A74), ref: 0042B205
                  • Part of subcall function 0042B1F0: RtlEnterCriticalSection.NTDLL(00000038), ref: 0042B20E
                • SelectPalette.GDI32(00000000,00000000,000000FF), ref: 004767E9
                • RealizePalette.GDI32(00000000), ref: 004767F2
                • PlayEnhMetaFile.GDI32(00000000,?), ref: 00476822
                • SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00476877
                Similarity
                • API ID: CriticalPaletteSection$EnterSelect$FileLeaveMetaPlayRealize
                • String ID:
                • API String ID: 468229889-0
                • Opcode ID: 2f3d973b925ed3d46f922fe666f861f15886d97b9848b004685855ad50b88264
                • Instruction ID: 7c9a744284d36099f2804010a673ae3649ea324860587f6cd2b301d358298293
                • Opcode Fuzzy Hash: 2f3d973b925ed3d46f922fe666f861f15886d97b9848b004685855ad50b88264
                • Instruction Fuzzy Hash: 63314BB1600104AFD700EFADC885EAAB7FDEB09314F5185AAF508D7291C738AD408B65
                APIs
                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040E2A1
                • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040E2C5
                • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040E2E0
                • LoadStringA.USER32(00000000,0000FFD0,?,00000100), ref: 0040E376
                Similarity
                • API ID: FileModuleName$LoadQueryStringVirtual
                • String ID:
                • API String ID: 3990497365-0
                • Opcode ID: d52e64651a7f18818d55854c9ee617cabf669a19584042495a39c2abaecead18
                • Instruction ID: 6566bf32de86b15ded8711ddb29dea72f603b3c6d835275f02324dbd6260f095
                • Opcode Fuzzy Hash: d52e64651a7f18818d55854c9ee617cabf669a19584042495a39c2abaecead18
                • Instruction Fuzzy Hash: FA4131719002589BDB21EB65CC85BDAB7FC9B08304F4440FAA548F7392D7789F948F55
                APIs
                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040E2A1
                • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040E2C5
                • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040E2E0
                • LoadStringA.USER32(00000000,0000FFD0,?,00000100), ref: 0040E376
                Similarity
                • API ID: FileModuleName$LoadQueryStringVirtual
                • String ID:
                • API String ID: 3990497365-0
                • Opcode ID: 5c17c8c4e4026d1a48ac670dbd592a51b62d5a234ecffe76b3c736d8ae83791e
                • Instruction ID: 7cba5811f62027ccf629d3b42e5d0a508b60091b41131f5f4a7b42a30231b0da
                • Opcode Fuzzy Hash: 5c17c8c4e4026d1a48ac670dbd592a51b62d5a234ecffe76b3c736d8ae83791e
                • Instruction Fuzzy Hash: 15414171A002589BDB21EB65CC85BDAB7FC9B08304F4440FAA548F7392D7789F988B59
                APIs
                  • Part of subcall function 0042B1F0: RtlEnterCriticalSection.NTDLL(00545A74), ref: 0042B1F8
                  • Part of subcall function 0042B1F0: RtlLeaveCriticalSection.NTDLL(00545A74), ref: 0042B205
                  • Part of subcall function 0042B1F0: RtlEnterCriticalSection.NTDLL(00000038), ref: 0042B20E
                  • Part of subcall function 00430654: GetDC.USER32(00000000), ref: 004306AA
                  • Part of subcall function 00430654: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004306BF
                  • Part of subcall function 00430654: GetDeviceCaps.GDI32(00000000,0000000E), ref: 004306C9
                  • Part of subcall function 00430654: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042F0AF,00000000,0042F13B), ref: 004306ED
                  • Part of subcall function 00430654: ReleaseDC.USER32(00000000,00000000), ref: 004306F8
                • CreateCompatibleDC.GDI32(00000000), ref: 0042F0B1
                • SelectObject.GDI32(00000000,?), ref: 0042F0CA
                • SelectPalette.GDI32(00000000,?,000000FF), ref: 0042F0F3
                • RealizePalette.GDI32(00000000), ref: 0042F0FF
                Similarity
                • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                • String ID:
                • API String ID: 979337279-0
                • Opcode ID: 90a43e1f1f500a0ee319a856ec1feb903bc42abe4b7a7454ff975b805658e3e4
                • Instruction ID: 55a261e17a09e68aacc7713bff6187bae898989b0afd6d152002fc754e55a6f7
                • Opcode Fuzzy Hash: 90a43e1f1f500a0ee319a856ec1feb903bc42abe4b7a7454ff975b805658e3e4
                • Instruction Fuzzy Hash: 88310974B04628EFD704EF5AD981D5DB3F5EF48314BA241A6E804AB362D738EE40DB44
                APIs
                • GetMenuState.USER32(?,?,?), ref: 00444803
                • GetSubMenu.USER32(?,?), ref: 0044480E
                • GetMenuItemID.USER32(?,?), ref: 00444827
                • GetMenuStringA.USER32(?,?,?,?,?), ref: 0044487A
                Similarity
                • API ID: Menu$ItemStateString
                • String ID:
                • API String ID: 306270399-0
                • Opcode ID: decb1a3b69f59b9ee409db539b0bba1b1b5dbe2b67d3ca9bf8a3faf779fcbfb5
                • Instruction ID: f83cbeae0a3096ea06b4c17b1377701cfee7d2337dff52f2a634b674d29233a8
                • Opcode Fuzzy Hash: decb1a3b69f59b9ee409db539b0bba1b1b5dbe2b67d3ca9bf8a3faf779fcbfb5
                • Instruction Fuzzy Hash: B1118435605254AFE740EE6ECC85AAF77E8AF89364B10443AF805E7381D638DD0197A9
                APIs
                • GetWindow.USER32(?,00000004), ref: 00469310
                • GetWindowThreadProcessId.USER32(0001040C,?), ref: 0046932A
                • GetCurrentProcessId.KERNEL32(?,00000004), ref: 00469336
                • IsWindowVisible.USER32(?), ref: 00469386
                Similarity
                • API ID: Window$Process$CurrentThreadVisible
                • String ID:
                • API String ID: 3926708836-0
                • Opcode ID: 14707a187bb654cd22a20ecdb7cf7cf1ea15b80bef9e445c44df7d722c233a90
                • Instruction ID: 0cd55883da278a3917b2b9a27197d405ae4bce9affbc3b6ee0977fab7f428c65
                • Opcode Fuzzy Hash: 14707a187bb654cd22a20ecdb7cf7cf1ea15b80bef9e445c44df7d722c233a90
                • Instruction Fuzzy Hash: 01218E75600701AFD700EB5AD8C19AE73ACAF1A318B145076EC009B393EB78FC85975A
                APIs
                • FreeLibrary.KERNEL32(?,?,?,00000000,?,00000000), ref: 004ACC59
                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,?,00000000), ref: 004ACC82
                • GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,00000000), ref: 004ACC8C
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,?,00000000), ref: 004ACC92
                Similarity
                • API ID: Free$Heap$LibraryProcessVirtual
                • String ID:
                • API String ID: 548792435-0
                • Opcode ID: 087cd4dfdea1525ac90e564d5d3a05555323ba0e63af6db3ad016be01a4abf64
                • Instruction ID: 2ce6dfd663b7e3bb074e4a6367cbdee6e48f03449c699d4fa929e72bc3cc7844
                • Opcode Fuzzy Hash: 087cd4dfdea1525ac90e564d5d3a05555323ba0e63af6db3ad016be01a4abf64
                • Instruction Fuzzy Hash: 17218171604200AFDB50DF69C8C5B4677A8AF15734F244156F91CEB282D775ED50C7A8
                APIs
                Similarity
                • API ID: Object$Delete$IconInfo
                • String ID:
                • API String ID: 507670407-0
                • Opcode ID: ef766ff2665da576d33b136fbdb4f76458cd6402e6c3842bb7193db40b978d3c
                • Instruction ID: f226883642a5b7e7a9d4ab1092400a275d85f480ee8bc2934edcd1237340b2ac
                • Opcode Fuzzy Hash: ef766ff2665da576d33b136fbdb4f76458cd6402e6c3842bb7193db40b978d3c
                • Instruction Fuzzy Hash: 33111F75E04208AFDB04DFA6D985C9EB7FDEB4C300F5095AAE904E7351DA35EE01CA94
                APIs
                • FindNextFileA.KERNEL32(?,?), ref: 0040A419
                • GetLastError.KERNEL32(?,?), ref: 0040A422
                • FileTimeToLocalFileTime.KERNEL32(?), ref: 0040A438
                • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A447
                Similarity
                • API ID: FileTime$DateErrorFindLastLocalNext
                • String ID:
                • API String ID: 2103556486-0
                • Opcode ID: 0a2a0254fb0a3be5feb91c6bd113beb875e2b01310d1f372d2133f16503f326c
                • Instruction ID: 2c615eceede5e29118501601aaa15ec543fc9b14640094394d898a7375c1d633
                • Opcode Fuzzy Hash: 0a2a0254fb0a3be5feb91c6bd113beb875e2b01310d1f372d2133f16503f326c
                • Instruction Fuzzy Hash: 2B116572A04200AFDB44EF69C8C589777ECEF8831475185B7ED44DB24AF638E8118BA6
                APIs
                • IsWindowVisible.USER32(00000000), ref: 0046B28D
                • GetWindowLongA.USER32(00000000,000000EC), ref: 0046B2CC
                • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 0046B2DD
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,-00000001,02846690,?,0046B392,?,?,?,02846690), ref: 0046B302
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Window$Long$Visible
                • String ID:
                • API String ID: 2967648141-0
                • Opcode ID: 26e2a38d6c063838a97cc548494392ac2722db5cc6924e22dfd8c3b98cdb21db
                • Instruction ID: ca9af799ef94b02d5c1676a1dd684fc0beaaaf1cdbed6eff00c846ec4b7994fd
                • Opcode Fuzzy Hash: 26e2a38d6c063838a97cc548494392ac2722db5cc6924e22dfd8c3b98cdb21db
                • Instruction Fuzzy Hash: 020180316051546FDB00EB69DC94E69BBD8EF09354F440586F880CB3A2C238FD818B9A
                APIs
                • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0040A3CD
                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0040A3DE
                • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F0
                • GetLastError.KERNEL32(?,00000000,00000000,?,?,?), ref: 0040A3F9
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Time$File$DateErrorLastLocal
                • String ID:
                • API String ID: 4098483309-0
                • Opcode ID: 854088da2febd06998784a9a3942d809a2ee9df642bed8e3cc85065bce7a4743
                • Instruction ID: c0970ccd3912e3340c5a15977563468e806e5ba840d923fe9322a4434feb1e58
                • Opcode Fuzzy Hash: 854088da2febd06998784a9a3942d809a2ee9df642bed8e3cc85065bce7a4743
                • Instruction Fuzzy Hash: C2F01D66E142086ADB50DAEA4D41BEFB2EC9B08255F500577BE04F2181F678EE44936A
                APIs
                • GetWindowThreadProcessId.USER32(00000000), ref: 00449425
                • GetCurrentProcessId.KERNEL32(?,00545C3C,00000000,00449490,00449258,52FF108B,00000000,0044904A,?,00545C3C,?), ref: 0044942E
                • GlobalFindAtomA.KERNEL32(00000000,?,00545C3C,00000000,00449490,00449258,52FF108B,00000000,0044904A,?,00545C3C,?), ref: 00449443
                • GetPropA.USER32(00000000,00000000), ref: 0044945A
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                • String ID:
                • API String ID: 2582817389-0
                • Opcode ID: 3365c9dd863c2fc99c7096c348632eef401666d6d82b1cd7b221eb0ed52bbe42
                • Instruction ID: 84a6419105ae9eb2b1208e8731db4ed7246bd3dbfaed94a0d7e4340b03453ac1
                • Opcode Fuzzy Hash: 3365c9dd863c2fc99c7096c348632eef401666d6d82b1cd7b221eb0ed52bbe42
                • Instruction Fuzzy Hash: 66F055A5A1EA2613F2107777CC818BF128C9E02398388443FFC80E2652EA2CDC43717E
                APIs
                • GetObjectA.GDI32(?,00000004), ref: 004899D1
                • ResizePalette.GDI32(?,00000000), ref: 004899E5
                • GetPaletteEntries.GDI32(?,00000000,?,?), ref: 004899F7
                • SetPaletteEntries.GDI32(?,00000000,?,?), ref: 00489A09
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Palette$Entries$ObjectResize
                • String ID:
                • API String ID: 1521636530-0
                • Opcode ID: 9b93514fcb148834166ec639a8fc12d11a70e1a9a7260b41c23818ecc53034e5
                • Instruction ID: a7e2a922563f248436b8397711191ba0bee63dc8ca1ccc8c927e30f052d03328
                • Opcode Fuzzy Hash: 9b93514fcb148834166ec639a8fc12d11a70e1a9a7260b41c23818ecc53034e5
                • Instruction Fuzzy Hash: D6F0FEF16086007FE210F6A99D81FBB72DC9F48754F14482AB688D61D1E638ED4097AB
                APIs
                • GetWindowThreadProcessId.USER32(?), ref: 004484C5
                • GetCurrentProcessId.KERNEL32(?,?,?,00000000,00000000,0044906C,?,00545C3C,?), ref: 004484CE
                • GlobalFindAtomA.KERNEL32(00000000,?,?,?,00000000,00000000,0044906C,?,00545C3C,?), ref: 004484E3
                • GetPropA.USER32(?,00000000), ref: 004484FA
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                • String ID:
                • API String ID: 2582817389-0
                • Opcode ID: 1aa075bad5751be417c40254156ff5ce38eae629569007717ed3ab9ed2f0ad2a
                • Instruction ID: 3dc2122b47835a11d702c550a593153a9e6c0bb23e9c369aba5f800b7dde7ef4
                • Opcode Fuzzy Hash: 1aa075bad5751be417c40254156ff5ce38eae629569007717ed3ab9ed2f0ad2a
                • Instruction Fuzzy Hash: 1CF03765A0561177E6107BB65DC196F16DC8917398344083FF901E6243DD3CDC45567D
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 004688EC
                • SetWindowsHookExA.USER32(00000003,00468890,00000000,00000000), ref: 004688FC
                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,0046BBB9,?,?,?,?,?,?,?,?,?,?), ref: 00468917
                • CreateThread.KERNEL32(00000000,000003E8,00468834,00000000,00000000), ref: 0046893B
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateThread$CurrentEventHookWindows
                • String ID:
                • API String ID: 1195359707-0
                • Opcode ID: fedf7b34e2732dc7cad1c9b90ff3a99f1d2f8b5ef4fb94fe6aea0664ed3ede22
                • Instruction ID: d6c9a1f96245c31c6857958fbdb9473474abe055279f57e5b28a6471831b9bfa
                • Opcode Fuzzy Hash: fedf7b34e2732dc7cad1c9b90ff3a99f1d2f8b5ef4fb94fe6aea0664ed3ede22
                • Instruction Fuzzy Hash: D7F030B4A847007FF75167649C86B662664A322B19F90016EF204793D2FFB82888962F
                APIs
                • GetDC.USER32(00000000), ref: 00431DE1
                • SelectObject.GDI32(00000000,058A00B4), ref: 00431DF3
                • GetTextMetricsA.GDI32(00000000), ref: 00431DFE
                • ReleaseDC.USER32(00000000,00000000), ref: 00431E0F
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: MetricsObjectReleaseSelectText
                • String ID:
                • API String ID: 2013942131-0
                • Opcode ID: 998467f69aed556f4b649bce7da98ee2dc65d14aeb1d70103a307e04f8f7581a
                • Instruction ID: 498c1929110fcc4b4f7e84fe63f7b92c67f6f02ecc8c1514d1f13729c9fea5a3
                • Opcode Fuzzy Hash: 998467f69aed556f4b649bce7da98ee2dc65d14aeb1d70103a307e04f8f7581a
                • Instruction Fuzzy Hash: 3FE04F51A4A53022E51121675C83FEB274C4F16666F08117BFD54AA2D1EA1EDD0082FB
                APIs
                  • Part of subcall function 00448AE0: ReleaseCapture.USER32 ref: 00448AE3
                • SetCursor.USER32(00000000,00000000,00449F03,?,00000000,00449F75), ref: 00449DEF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CaptureCursorRelease
                • String ID: (lD$|ZD
                • API String ID: 1375868664-4028956711
                • Opcode ID: 93ee7dd8eed20a5aaa9d5232db0219479addd95d797dc53e61be53f66bfed94d
                • Instruction ID: 0dff3528800302b22a935581111c6ef05252f7c766feb6daaac0d6aca31a6785
                • Opcode Fuzzy Hash: 93ee7dd8eed20a5aaa9d5232db0219479addd95d797dc53e61be53f66bfed94d
                • Instruction Fuzzy Hash: 2281C878A047449FE715CF69D8C8B9B7BE1FB5A308F1481A6D40087367EB389C49EB44
                APIs
                  • Part of subcall function 004294B8: RtlEnterCriticalSection.NTDLL(?), ref: 004294BC
                • CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000,Default,00000000,0042A3CC,?,00000000,0042A3F4), ref: 0042A307
                • CreateFontIndirectA.GDI32(?), ref: 0042A3A9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CompareCreateCriticalEnterFontIndirectSectionString
                • String ID: Default
                • API String ID: 249151401-753088835
                • Opcode ID: 215c787532ab94a227d30ca2beffe1ea7fda618752a79649a4c9e857c9f5b0bb
                • Instruction ID: 413785ff93333ea3be1515d8895338aef7407ee88af2f9f2a69b308f0dce89a1
                • Opcode Fuzzy Hash: 215c787532ab94a227d30ca2beffe1ea7fda618752a79649a4c9e857c9f5b0bb
                • Instruction Fuzzy Hash: 2E619171B04258DFDB01DFA9D440B9DBBF5AF49304F9840AAEC00A7392C3789E55DB6A
                APIs
                • send.WS2_32(?,?,00000000,00000000), ref: 0047E319
                • WSAGetLastError.WS2_32(?,?,00000000,00000000), ref: 0047E325
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: ErrorLastsend
                • String ID: 3'
                • API String ID: 1802528911-280543908
                • Opcode ID: d064d480775b9c16a10890a6575da64ea1b2587cdacb3182e3b1f1f72f7cd5b3
                • Instruction ID: 7a75bb72c9b99c153c2f86bdd2c5620f3b983c48ad141b580dbfa9bfcc383582
                • Opcode Fuzzy Hash: d064d480775b9c16a10890a6575da64ea1b2587cdacb3182e3b1f1f72f7cd5b3
                • Instruction Fuzzy Hash: 89413E71A04108EFC710DB9AC985DDEB7F9AB48324B2482E6F80897392C778AE409B55
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CreateInstance
                • String ID: @nG
                • API String ID: 542301482-2619197128
                • Opcode ID: bdf0df3460db81a8a2702a0fb88b20653fbfa16ab5d18a08dd65d18d72d536f0
                • Instruction ID: 95dd6879c32cc4eeb4d265f94bc59a8fd70883331449b2f3a2e9d78a213a6dbf
                • Opcode Fuzzy Hash: bdf0df3460db81a8a2702a0fb88b20653fbfa16ab5d18a08dd65d18d72d536f0
                • Instruction Fuzzy Hash: 7E319974610204AFDB05EB95C981BEE77E8EF89704F50806BF905A7385D73CAD018B9E
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C47D4
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSARecvFrom$hGL
                • API String ID: 2390443819-341034993
                • Opcode ID: 1446384eb79f3c1866bb08bacfd2b297cc94cbcf09206f104a857f00b073995c
                • Instruction ID: 32f8b5409a2ef9b37e492d2abbb096ddb37c39794d445c160154abedfc383f1b
                • Opcode Fuzzy Hash: 1446384eb79f3c1866bb08bacfd2b297cc94cbcf09206f104a857f00b073995c
                • Instruction Fuzzy Hash: 18314DB5A04208AFDB80EFA9DD91E9E77FCEB48304F01457AFA04E7241D738A9049B65
                APIs
                • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 004042FE
                • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00004294), ref: 0040433B
                Strings
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID: (@
                • API String ID: 3192549508-1346038526
                • Opcode ID: 58b2d78b84ca2f7df9e36badf4867be2976d4e59855d6a0904295e34f57dd5ef
                • Instruction ID: 817647e1acd3709eac3cb367aa33831e849c51ff738d30bde3d5f4bc830ff572
                • Opcode Fuzzy Hash: 58b2d78b84ca2f7df9e36badf4867be2976d4e59855d6a0904295e34f57dd5ef
                • Instruction Fuzzy Hash: 8A3171B4704300AFD728EB54C885B2777E9EBC5714F15856EEA08A7391C738EC84D769
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C45AC
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Similarity
                • API ID: AddressLoadProcString
                • String ID: @EL$WSARecv
                • API String ID: 2390443819-1368589902
                • Opcode ID: e32878ca863363afb901cf6af80c59b347c383016ac7ad6317d215ef8ecf9553
                • Instruction ID: 1ed111860f783a0d26fa279243ea9366881afbd4df3a052951b1791ff973f5d9
                • Opcode Fuzzy Hash: e32878ca863363afb901cf6af80c59b347c383016ac7ad6317d215ef8ecf9553
                • Instruction Fuzzy Hash: 503189B5A04208AFDB40DFA9DD81E9E77FCEB48304F00453AFA14E3280D738A9049B68
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C2BD8
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSAAsyncGetHostByAddr$l+L
                • API String ID: 2390443819-3474157363
                • Opcode ID: bbf57a8b29c4196ba6eb29f418132706acc3b6186d29d8c87621c30ba7c438ac
                • Instruction ID: ff54418be2c6b0a1c84eebea2125d0919f586a2251e004c253c2be8e76708116
                • Opcode Fuzzy Hash: bbf57a8b29c4196ba6eb29f418132706acc3b6186d29d8c87621c30ba7c438ac
                • Instruction Fuzzy Hash: AF316DB5A04209AFDB40DFA9DD81F9E77FCEB08304F01447ABA04E7351D7B8AA049B25
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C324C
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSAConnect$1L
                • API String ID: 2390443819-1525341514
                • Opcode ID: 769e7f2f6ff71b174f32ef9b4d5c269a8ec2203ace20dab757e908f78cb7db42
                • Instruction ID: a103d2359318a5f8fa99d78cba7b92449696b5dd76fda8766660ba599e575276
                • Opcode Fuzzy Hash: 769e7f2f6ff71b174f32ef9b4d5c269a8ec2203ace20dab757e908f78cb7db42
                • Instruction Fuzzy Hash: 5631FF75A04109AFDB40DFA9DC81F9E77FCEB08304F41857AB904E7291D778AA049B65
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C2750
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSAAsyncGetServByPort$&L
                • API String ID: 2390443819-301247049
                • Opcode ID: 3deb74eed54095cbd557807e896ff3970f9efd4677b44500094819515a20d9cf
                • Instruction ID: b33282bf13023cefa1bd98875f2ee769cc82c6a3bae27b0d0df1d1bf7a3858d9
                • Opcode Fuzzy Hash: 3deb74eed54095cbd557807e896ff3970f9efd4677b44500094819515a20d9cf
                • Instruction Fuzzy Hash: A5212CB5A04208AFD740DFA9DD81E9E77FCEB08304F40457ABA04E7391D7B8A9049B65
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C4E50
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSASocketA$ML
                • API String ID: 2390443819-3439294958
                • Opcode ID: 4a366f875adbdd66021b7f567a43944d7968572decf19bad4d3485b02f49700e
                • Instruction ID: ce138db852cec450b3b645d9deb9ec5050877e283ae5e9b24ff68558ad3310f8
                • Opcode Fuzzy Hash: 4a366f875adbdd66021b7f567a43944d7968572decf19bad4d3485b02f49700e
                • Instruction Fuzzy Hash: 0D217AB4A04208AFDB40DFA9DD91A9E77FCFB48304F01453AFA04E7281D738A9049B69
                APIs
                • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040C8E2), ref: 0040C87A
                • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040C8E2), ref: 0040C880
                Strings
                Similarity
                • API ID: DateFormatLocaleThread
                • String ID: yyyy
                • API String ID: 3303714858-3145165042
                • Opcode ID: 65acd12e86e10bcaa68a14d98f9bcd762afeb8ba3b8136ea647a862359fc213a
                • Instruction ID: f20bee7e9e8685dd63151fe3a9e8c4546d724fb8d7ab14b273228b16dca3c39e
                • Opcode Fuzzy Hash: 65acd12e86e10bcaa68a14d98f9bcd762afeb8ba3b8136ea647a862359fc213a
                • Instruction Fuzzy Hash: B7215571A04218DFDB14EB65C8816AA73B8EF48701F5141BBF904F7381D6789E44976D
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C2994
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Similarity
                • API ID: AddressLoadProcString
                • String ID: ()L$WSAAsyncGetProtoByNumber
                • API String ID: 2390443819-4064746841
                • Opcode ID: da38b64807081a2a34e67e02454e84767eb39e404b590ab076a1a4babadbcdfc
                • Instruction ID: 04df7f362004a63fe0f132f7443e5cc003b0abe278e035a743084d2e2292231f
                • Opcode Fuzzy Hash: da38b64807081a2a34e67e02454e84767eb39e404b590ab076a1a4babadbcdfc
                • Instruction Fuzzy Hash: 5A216DB5A04208AFD740DFA9DD81B9E77BCEB08304F40457AFA04E7391D7B9A9049B65
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C2AB8
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Similarity
                • API ID: AddressLoadProcString
                • String ID: L*L$WSAAsyncGetHostByName
                • API String ID: 2390443819-3415978915
                • Opcode ID: f44e20975be7af21a2f506f4318e6c4d6cda7f2e83a5928114b1d3965113af49
                • Instruction ID: d0c90908f3822b8af3213bfcc1c9ae5e79774012a8972314463ad2c942e9f885
                • Opcode Fuzzy Hash: f44e20975be7af21a2f506f4318e6c4d6cda7f2e83a5928114b1d3965113af49
                • Instruction Fuzzy Hash: A0213E75A04209AFDB40DFA9DD81B9E77FCEB08304F41447ABA04E7291E7B8AD049B65
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C5198
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Similarity
                • API ID: AddressLoadProcString
                • String ID: ,QL$WSAWaitForMultipleEvents
                • API String ID: 2390443819-1145625605
                • Opcode ID: 0d2ed33248a23be8c2e667a7eae8380184e1df1803f54560f960a28708532d0a
                • Instruction ID: 7af4a8238eaf9acad911cb65642a1874988db1b3ee3a9aaef8d96733e6a1dcdd
                • Opcode Fuzzy Hash: 0d2ed33248a23be8c2e667a7eae8380184e1df1803f54560f960a28708532d0a
                • Instruction Fuzzy Hash: C3214DB5A04208AFDB40DFA9DC81B9E77FCEB08304F40457ABA04E7791D778A9049B65
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C52BC
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Similarity
                • API ID: AddressLoadProcString
                • String ID: PRL$WSAAddressToStringA
                • API String ID: 2390443819-3642557193
                • Opcode ID: a6287878ebaee8d14a4a8f3fd08ed22a3945d50a9195c2849635cea628e40ebf
                • Instruction ID: d54fc37f6091bd858d1a01c0cad6a751bcc9d1400f59cc55b310923a7d78e83b
                • Opcode Fuzzy Hash: a6287878ebaee8d14a4a8f3fd08ed22a3945d50a9195c2849635cea628e40ebf
                • Instruction Fuzzy Hash: 38216FB5A04248AFDB40DFA9DC81E9E77FCEB08304F40447AF904E7391D778A9049B25
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C53D8
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSAAddressToStringW$lSL
                • API String ID: 2390443819-623665299
                • Opcode ID: 8b4d334775ae327b9f44ee10eca03682e99ad82dab5b26e3cc59e8d3c2d6f19e
                • Instruction ID: 5c0a866270dc1defef4e45c6a3c99710e8c89e747f65f965e996cbaa0d510e06
                • Opcode Fuzzy Hash: 8b4d334775ae327b9f44ee10eca03682e99ad82dab5b26e3cc59e8d3c2d6f19e
                • Instruction Fuzzy Hash: 5B218DB5A04608AFDB40DFA9DC81B9E77BCEB08304F40457AFA04E7391D778A944DB69
                APIs
                • GetTempPathA.KERNEL32(00000201,?,00000000,0052487C), ref: 005247AC
                  • Part of subcall function 0040A24C: GetFileAttributesA.KERNEL32(00000000,?,?,00426DC5), ref: 0040A258
                • DeleteFileA.KERNEL32(00000000), ref: 0052483C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: File$AttributesDeletePathTemp
                • String ID: %s%s_%s%s
                • API String ID: 3528745955-1180962075
                • Opcode ID: 4908dfe81d852a745ae8bacea69ff0be960ed89dd0f41b017105605b891d66c5
                • Instruction ID: 17cd6f929a719e85797b2cde7a2c863fbb73e2e4b038926bb438cbbd8d865457
                • Opcode Fuzzy Hash: 4908dfe81d852a745ae8bacea69ff0be960ed89dd0f41b017105605b891d66c5
                • Instruction Fuzzy Hash: 18311C749052589EDB20EBA9D889B8EBBF8EF49304F5000FAA408E3382D7795F458E55
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C68A4
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: 8hL$WSAGetServiceClassInfoA
                • API String ID: 2390443819-1813061171
                • Opcode ID: 2cc1601f4f397f01b1c3b89932c3d65596b4e034e84dbd5912b4e26c8cf6b5bb
                • Instruction ID: dc7db77efa992f9f4f971d4761612803d6c8142fcaf0f89d557a34e75ef36b00
                • Opcode Fuzzy Hash: 2cc1601f4f397f01b1c3b89932c3d65596b4e034e84dbd5912b4e26c8cf6b5bb
                • Instruction Fuzzy Hash: 322130B5A04208AFD740EFA9DC81B9E77BCEB08304F41857AF604E7391D779AD049B29
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C5CAC
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: @\L$WSALookupServiceNextA
                • API String ID: 2390443819-1986741584
                • Opcode ID: a2bdf51e335e2e025eddcb1650c95d65dc5d91f1a5bc290cb807f8993a51c0d4
                • Instruction ID: 033bb77fa7602e56be2b44799ef513cf20337d5731d8f97e377606c038cb838d
                • Opcode Fuzzy Hash: a2bdf51e335e2e025eddcb1650c95d65dc5d91f1a5bc290cb807f8993a51c0d4
                • Instruction Fuzzy Hash: 2F216075A04608AFDB40DFA9DC81B9E77BCEB08304F40847AF904E7391D778AD049B29
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C5DC8
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSALookupServiceNextW$\]L
                • API String ID: 2390443819-990713098
                • Opcode ID: 76375587847025ab1f12ca0d531993f77b5f6e47ede32d5218d0bdf503908280
                • Instruction ID: dd8177b5e2dcec5c8d56e088bc004e9d5945c336b5fa17545337e8321caa1e83
                • Opcode Fuzzy Hash: 76375587847025ab1f12ca0d531993f77b5f6e47ede32d5218d0bdf503908280
                • Instruction Fuzzy Hash: 5B216DB5A04208AFD740DFA9DC81B9E77BCEB08304F41457AFA04E7391D778AA049B69
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C5EE4
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSALookupServiceNextA$x^L
                • API String ID: 2390443819-3234122455
                • Opcode ID: 33ad62d31839d3f5b29758a981c306c957f2ef08f382dca6a81d4b3a74aca952
                • Instruction ID: ad780ffd96fb1b18f7cb34fe0e95085157225e531095baa5c83c5bf71641d673
                • Opcode Fuzzy Hash: 33ad62d31839d3f5b29758a981c306c957f2ef08f382dca6a81d4b3a74aca952
                • Instruction Fuzzy Hash: 9A212CB5A04608AFDB40DFA9DC81A9E77FCEB18304F41457EFA04E7391D778A9049B29
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C4394
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: (CL$WSANtohl
                • API String ID: 2390443819-1362518296
                • Opcode ID: 2afd098802860e00f355320221370b8f7a6c98a2c02fa7f2c3a177b1f1c1736c
                • Instruction ID: 24882919b8e3983163ba5d8e0bd5945986a48db97f496c2615cb8e9686b6dea4
                • Opcode Fuzzy Hash: 2afd098802860e00f355320221370b8f7a6c98a2c02fa7f2c3a177b1f1c1736c
                • Instruction Fuzzy Hash: EF21D1B4A04208AFD740DFA9DD91F9E77BCEB48304F51457AF904E7391D738A9049B28
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C44A0
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: 4DL$WSANtohs
                • API String ID: 2390443819-4229421331
                • Opcode ID: 70585ba62db087ed66961e86cb38b4bfc25ec79267e9e35c25e6dd48cdefb2df
                • Instruction ID: 511d95ddd912355dc263998ebb3041231da35b76a07baf780ee529e149a1b6f9
                • Opcode Fuzzy Hash: 70585ba62db087ed66961e86cb38b4bfc25ec79267e9e35c25e6dd48cdefb2df
                • Instruction Fuzzy Hash: BE218375A04208AFDB40DFA9DD51B9E77BCEB48304F50447AFA04E7391E778AD049B29
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C6F50
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSAGetServiceClassNameByClassIdA$nL
                • API String ID: 2390443819-1760365199
                • Opcode ID: 9984ac8bd816ee798da1a095460a1a5d8dfb38208ccf086b3926c698e1784a7e
                • Instruction ID: 14059a8d46bcd037ac3aac2a0ac9f117f36997beefebfbc388460c2d71537d82
                • Opcode Fuzzy Hash: 9984ac8bd816ee798da1a095460a1a5d8dfb38208ccf086b3926c698e1784a7e
                • Instruction Fuzzy Hash: 23213075A04204AFDB40DFA9DC41E9E77BCEB08304F41857EF904E7391D779A9049B65
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C7294
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: (rL$WSASetServiceA
                • API String ID: 2390443819-390976361
                • Opcode ID: 50980c312f3716857b01ea553f300b293c9d85514267d462841b894ea492ac20
                • Instruction ID: 87e613079205feb0818df241a3872ebce8e6742f61de5bab700f4f5e2866ae68
                • Opcode Fuzzy Hash: 50980c312f3716857b01ea553f300b293c9d85514267d462841b894ea492ac20
                • Instruction Fuzzy Hash: 04214175A04204AFD740DFA9DC41E9E77BCEB08304F40857AFA14E7391D778A904DB65
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C73A4
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: 8sL$WSAProviderConfigChange
                • API String ID: 2390443819-1997233543
                • Opcode ID: f221c9eaf01a1cf6fb9822c3b8d2348837477deb3fdb863aeeeea5816b71893f
                • Instruction ID: 563c918f785570907e7a1b05c091c2d7cdd6aa88dc8cf9a1b213c657883d59cf
                • Opcode Fuzzy Hash: f221c9eaf01a1cf6fb9822c3b8d2348837477deb3fdb863aeeeea5816b71893f
                • Instruction Fuzzy Hash: 2D2130B5A08204AFDB40DFA9DC81A9E77BCEB08304F40857AF914E7791D778A9049F69
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C5B94
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: ([L$WSALookupServiceBeginA
                • API String ID: 2390443819-300428608
                • Opcode ID: ff8cbe045e99b7ee222398441762bfc9c53b0a1fdeb1d7b2bd96eb4865a37f8b
                • Instruction ID: eaaf23e5c863804c404d6f9d6c93223a62744f5b3b9d74bf80a47f202c2fbd74
                • Opcode Fuzzy Hash: ff8cbe045e99b7ee222398441762bfc9c53b0a1fdeb1d7b2bd96eb4865a37f8b
                • Instruction Fuzzy Hash: 51214175A04604AFD740EFA9DC81BAE77BCEB48304F40497AF504E7391E778AD049B65
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C46C4
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSARecvDisconnect$XFL
                • API String ID: 2390443819-2696068054
                • Opcode ID: 212e84280cc4be1b5d0413f83d08c284a95d1087b8d39e1097c5b567bc5ffb00
                • Instruction ID: 2b9a693fdeea4b61b1d4a46e56eec9456b7e6ed41288afb49798c5db3d04f026
                • Opcode Fuzzy Hash: 212e84280cc4be1b5d0413f83d08c284a95d1087b8d39e1097c5b567bc5ffb00
                • Instruction Fuzzy Hash: F421B2B4A04204AFDB40EFA9DD91B9E77FCEB49304F40457AF514E7391D73869049B29
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C69C0
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: TiL$WSAEnumNameSpaceProvidersA
                • API String ID: 2390443819-1961273748
                • Opcode ID: bdfc08d264c306542acaec08ee68d5974014b9e2782abc24e30ac7eb6ed62eb2
                • Instruction ID: 87a2c28a143c036e7c21a566550cf80899bb0248ca29547476a25d6699065282
                • Opcode Fuzzy Hash: bdfc08d264c306542acaec08ee68d5974014b9e2782abc24e30ac7eb6ed62eb2
                • Instruction Fuzzy Hash: 4221A474A04204AFD740DFA9DC41B9E77BCEB09304F41857AF504E7391E779AD049B69
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C6AD8
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSAEnumNameSpaceProvidersW$ljL
                • API String ID: 2390443819-2734856452
                • Opcode ID: ab5c2bd6a893047224caa6e3f0f4f83e66cbb7939ae15f048d1191542d2e0769
                • Instruction ID: 7aa946cf3c340c9059a80742d03994dab530172cf38516bf43038552f2a42019
                • Opcode Fuzzy Hash: ab5c2bd6a893047224caa6e3f0f4f83e66cbb7939ae15f048d1191542d2e0769
                • Instruction Fuzzy Hash: ED218175A04208AFD740DFA9DC41B9E77B8EB48304F41847AF904E7391E779AD049B29
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C644C
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSAInstallServiceClassA$cL
                • API String ID: 2390443819-1061281994
                • Opcode ID: 909fd37ee830cd2efc38c23c71c9ffc618c5b0d7214ed052ad4e5055a6e0f546
                • Instruction ID: 90251ada25bb09c7fa22038395a0405f18d94d2aac5471233759b02ec924a2ca
                • Opcode Fuzzy Hash: 909fd37ee830cd2efc38c23c71c9ffc618c5b0d7214ed052ad4e5055a6e0f546
                • Instruction Fuzzy Hash: 04217174A04208AFD740EFA9DC41BAE77BCEB48304F41857AF904E7391D77869049B6D
                APIs
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004C4D4C
                  • Part of subcall function 0040708C: LoadStringA.USER32(00000000,0000FF93,?,00001000), ref: 004070BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: AddressLoadProcString
                • String ID: WSASetEvent$LL
                • API String ID: 2390443819-1416854471
                • Opcode ID: 433da88a32979dd3328a6f575fc94bfbb7376490980ae6f976008070f3d10636
                • Instruction ID: cb8ae82c9f4f65bcac637f4acaff207e751677bbb6db0a9c94bda947ee1b7a91
                • Opcode Fuzzy Hash: 433da88a32979dd3328a6f575fc94bfbb7376490980ae6f976008070f3d10636
                • Instruction Fuzzy Hash: 7621D0B4A04208AFD740EFA9DD91B9E77BCEB48304F41457AF910E7391E7786E049B29
                APIs
                • GetSystemMetrics.USER32(00000000), ref: 00424CD6
                • GetSystemMetrics.USER32(00000001), ref: 00424CE8
                  • Part of subcall function 004249F4: GetProcAddress.KERNEL32(76910000,00000000), ref: 00424A73
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: MetricsSystem$AddressProc
                • String ID: MonitorFromPoint
                • API String ID: 1792783759-1072306578
                • Opcode ID: b7d75b5bb9af1387c715121b4ed160c2ac07491c774a6f1a3774591aeea9a18d
                • Instruction ID: a1dbb7b8d0447a6512949c895e11fff5b3f27244f1b537bc621cd5308dd9e4fb
                • Opcode Fuzzy Hash: b7d75b5bb9af1387c715121b4ed160c2ac07491c774a6f1a3774591aeea9a18d
                • Instruction Fuzzy Hash: 97012435305265ABCB004F0BF88478A7B10EBA1769F938117FC118B212C3B88C449778
                APIs
                • WSACleanup.WS2_32 ref: 0047D64A
                  • Part of subcall function 0040DB74: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,00410001,00000000,0041005B), ref: 0040DB93
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: CleanupFormatMessage
                • String ID: WSACleanup$pA
                • API String ID: 1834180691-2755875816
                • Opcode ID: 05871b3805a9bf260155efe26faf4a2cce2ed760c8462e6c63bb39d2b0cc68b9
                • Instruction ID: 2aa2ec63be4d2517a88fee167c8cbc73b1d1c2c15ab7b3eb89dcd2537f8a2a1c
                • Opcode Fuzzy Hash: 05871b3805a9bf260155efe26faf4a2cce2ed760c8462e6c63bb39d2b0cc68b9
                • Instruction Fuzzy Hash: 0001B5B0D046499FD700DFA5C881AAEBBF8EB49304F51843BE508E3381E77D6904CB59
                APIs
                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004273B1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: PrivateProfileStringWrite
                • String ID: pA$TWB
                • API String ID: 390214022-363712496
                • Opcode ID: a3e7d8a7c8d4660f693608ad6dc375400d1abd7bbd96783964af7a19bbb3fe73
                • Instruction ID: 8f8cdeb98e4a737b3aa3c20ca7b8aeed648313f5f51f55e853866e28448d90de
                • Opcode Fuzzy Hash: a3e7d8a7c8d4660f693608ad6dc375400d1abd7bbd96783964af7a19bbb3fe73
                • Instruction Fuzzy Hash: 92F0AF75B045086BD700E66A9C82B4BB7DCCB48328F44403BF908EB281EA39AC008B6C
                APIs
                • GetSystemMetrics.USER32(?), ref: 00424B3A
                  • Part of subcall function 004249F4: GetProcAddress.KERNEL32(76910000,00000000), ref: 00424A73
                • GetSystemMetrics.USER32(?), ref: 00424B00
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: MetricsSystem$AddressProc
                • String ID: GetSystemMetrics
                • API String ID: 1792783759-96882338
                • Opcode ID: 884220677675a355a9a866b4d6a439ae667d93fa69c4f8fd6869420fbda94b2c
                • Instruction ID: efcc22d8d5a52f18fad9108fe7db3344e7dd992ddec5f1580c976b712b821240
                • Opcode Fuzzy Hash: 884220677675a355a9a866b4d6a439ae667d93fa69c4f8fd6869420fbda94b2c
                • Instruction Fuzzy Hash: 79F0F0703195204BCB108A3ABC88767BE45EBE2334FD08B23B1124A6D6E63CE845E61D
                APIs
                • FreeLibrary.KERNEL32(00000000,00000000,004743D7), ref: 00474390
                • FreeLibrary.KERNEL32(00000000,00000000,004743D7), ref: 004743A4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: FreeLibrary
                • String ID: F
                • API String ID: 3664257935-2301166602
                • Opcode ID: aedbeddc8e6338a2d8a8579b7178b9909fd06b42f5ad97d6600ae62df7c4a631
                • Instruction ID: 446b1015a1dcecda54aeb6866c79c937594e3b0d41fc6f43034950ee0beb562d
                • Opcode Fuzzy Hash: aedbeddc8e6338a2d8a8579b7178b9909fd06b42f5ad97d6600ae62df7c4a631
                • Instruction Fuzzy Hash: F9F09035604B048BC7199B95FC096B637A8EB8A318B918537F804A66A1E77CA844DB19
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.4696207598.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.4696190556.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000531000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000539000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053B000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000053E000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000545000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000547000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000054F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.0000000000570000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.000000000072F000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.4696639041.00000000007A5000.00000040.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_hhcqxkb.jbxd
                Similarity
                • API ID: getservbynamehtons
                • String ID: tcp
                • API String ID: 3889749166-2993443014
                • Opcode ID: b0683fd4d3169aef520ff2c71765474ea975b858fe9bce76546447f23f3785bd
                • Instruction ID: d649ddca90ff36aa8acfa281bc700041c2e7be5858f0cfef53ea286ed1ca0e8b
                • Opcode Fuzzy Hash: b0683fd4d3169aef520ff2c71765474ea975b858fe9bce76546447f23f3785bd
                • Instruction Fuzzy Hash: EED0C9D6B20B61129A012AF618C69BB12989B992053E8887BB548EE142D96DDC40A3A8