Windows Analysis Report
Register.dll

Overview

General Information

Sample name:Register.dll
Analysis ID:1531071
MD5:40b9628354ef4e6ef3c87934575545f4
SHA1:8fb5da182dea64c842953bf72fc573a74adaa155
SHA256:372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

Detection

Score:30
Range:0 - 100
Whitelisted:false
Confidence:0%

Signatures

Contains functionality to infect the boot sector
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
Queries keyboard layouts
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 2052 cmdline: loaddll32.exe "C:\Users\user\Desktop\Register.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6904 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Register.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3392 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 2728 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 1280 cmdline: rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveApp MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 4088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 644 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5696 cmdline: rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveAppSpecial MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 644 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 6956 cmdline: rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveTrial MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5388 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveApp MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 644 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 3944 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveAppSpecial MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5208 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 644 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7016 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveTrial MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 592 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ValidateThreadLicense MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6280 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",GetSurplusDays MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7128 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",GetLicenseType MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 644 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 1208 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ClearTrialData MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6820 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckTrialInstalled MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6548 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckLicenseLocatin MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3708 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckDbValue MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 644 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
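The process tree above shows loaddll32.exe driving rundll32.exe once per exported name, and several of those rundll32.exe instances spawning WerFault.exe, which is what the "One or more processes crash" signature counts. rundll32.exe calls whatever export it is given with the rundll32 entry-point signature (a window handle, an instance handle, a command-line string and a show-window flag), so an export that expects different arguments or a different calling convention can fault before the sample's own logic runs; a WerFault child therefore says more about the harness than about the DLL. The Python script below is an added example and not part of the Joe Sandbox report: it parses the tree lines (retyped here as a constructed excerpt with the MD5 column trimmed) and pairs each rundll32.exe PID with the `-p <pid>` argument of the WerFault.exe child to show which exports crashed and which ran to completion.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the process tree in the report above (MD5 columns trimmed to "...").
PROCESS_TREE = r"""
loaddll32.exe (PID: 2052 cmdline: loaddll32.exe "C:\Users\user\Desktop\Register.dll" MD5: ...)
  cmd.exe (PID: 6904 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Register.dll",#1 MD5: ...)
    rundll32.exe (PID: 3392 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",#1 MD5: ...)
      WerFault.exe (PID: 2728 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 652 MD5: ...)
  rundll32.exe (PID: 1280 cmdline: rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveApp MD5: ...)
    WerFault.exe (PID: 4088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 644 MD5: ...)
  rundll32.exe (PID: 5696 cmdline: rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveAppSpecial MD5: ...)
    WerFault.exe (PID: 5504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 644 MD5: ...)
  rundll32.exe (PID: 6956 cmdline: rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveTrial MD5: ...)
  rundll32.exe (PID: 5388 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveApp MD5: ...)
    WerFault.exe (PID: 7160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 644 MD5: ...)
  rundll32.exe (PID: 3944 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveAppSpecial MD5: ...)
    WerFault.exe (PID: 5208 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 644 MD5: ...)
  rundll32.exe (PID: 7016 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveTrial MD5: ...)
  rundll32.exe (PID: 592 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ValidateThreadLicense MD5: ...)
  rundll32.exe (PID: 6280 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",GetSurplusDays MD5: ...)
  rundll32.exe (PID: 7128 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",GetLicenseType MD5: ...)
    WerFault.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 644 MD5: ...)
  rundll32.exe (PID: 1208 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",ClearTrialData MD5: ...)
  rundll32.exe (PID: 6820 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckTrialInstalled MD5: ...)
  rundll32.exe (PID: 6548 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckLicenseLocatin MD5: ...)
  rundll32.exe (PID: 3708 cmdline: rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckDbValue MD5: ...)
    WerFault.exe (PID: 6212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 644 MD5: ...)
"""

# A rundll32 line: "rundll32.exe (PID: <pid> cmdline: rundll32.exe <dll>,<export> ..."; the DLL path
# may or may not be quoted, and <export> is either a name or an ordinal such as #1.
RUNDLL_RE = re.compile(
    r'rundll32\.exe \(PID: (\d+) cmdline: rundll32\.exe "?[^",]+"?,(\S+)')
# A WerFault line names the faulting parent with "-p <pid>".
WERFAULT_RE = re.compile(
    r'WerFault\.exe \(PID: \d+ cmdline: \S*WerFault\.exe -u -p (\d+)')


@dataclass
class Invocation:
    pid: int
    export: str
    crashed: bool = False


def parse_invocations(tree_text):
    """Map every rundll32.exe instance to its export, then mark the ones WerFault reported on."""
    by_pid = {}
    for line in tree_text.splitlines():
        m = RUNDLL_RE.search(line)
        if m:
            pid = int(m.group(1))
            by_pid[pid] = Invocation(pid, m.group(2))
            continue
        m = WERFAULT_RE.search(line)
        if m:
            faulting_pid = int(m.group(1))
            if faulting_pid in by_pid:
                by_pid[faulting_pid].crashed = True
    return list(by_pid.values())


def crash_summary(invocations):
    """export name -> (crashed runs, total runs); loaddll32 runs most exports twice (quoted and unquoted path)."""
    counts = {}
    for inv in invocations:
        crashed, total = counts.get(inv.export, (0, 0))
        counts[inv.export] = (crashed + int(inv.crashed), total + 1)
    return counts


if __name__ == "__main__":
    for export, (crashed, total) in sorted(crash_summary(parse_invocations(PROCESS_TREE)).items()):
        status = "crashed" if crashed == total else ("mixed" if crashed else "ran")
        print(f"{export:24s} {crashed}/{total} {status}")
```

On this tree the exports that crash do so on every invocation (#1, ActiveApp, ActiveAppSpecial, GetLicenseType, CheckDbValue), while ActiveTrial, ValidateThreadLicense, GetSurplusDays, ClearTrialData, CheckTrialInstalled and CheckLicenseLocatin run to completion; an export that crashes consistently under rundll32 but is exercised by the real host application is best re-run from a small loader that passes the arguments it actually expects.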

Signature Results
Source: Register.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: Register.dll Static PE information: certificate valid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040C904 FindFirstFileW,FindClose
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040CB84 FindFirstFileW,GetLastError
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0040C904 FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0040CB84 FindFirstFileW,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0424C904 FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0424CB84 FindFirstFileW,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04247618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0040C904 FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0040CB84 FindFirstFileW,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: Register.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Register.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Register.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Register.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Register.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Register.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Register.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Register.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Register.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Register.dll String found in binary or memory: http://ocsp.comodoca.com0
Source: Register.dll String found in binary or memory: http://ocsp.digicert.com0A
Source: Register.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: Register.dll String found in binary or memory: http://ocsp.digicert.com0X
Source: Register.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: Register.dll String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Register.dll String found in binary or memory: http://s.symcd.com06
Source: Register.dll String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Register.dll String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Register.dll String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.10.dr String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, rundll32.exe, 0000000C.00000002.2175465696.0000000004DDC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2174956438.0000000000401000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2152369580.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000003.2151719950.000000000430C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2231857074.0000000000841000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2232862653.00000000043FC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2234195644.000000000430C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2233135991.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000003.2182403949.000000000481C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2194313102.0000000000401000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2198822456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000003.2183923148.0000000004E9C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2197564894.00000000043D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000003.2184355496.00000000045AC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2231464418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2233446732.0000000004CCC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2190485197.0000000004241000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000018.00000002.2191711725.000000000445C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.2186408601.0000000004E0C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2203344145.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.indyproject.org/
Source: Register.dll String found in binary or memory: https://d.symcb.com/cps0%
Source: Register.dll String found in binary or memory: https://d.symcb.com/rpa0
Source: Register.dll String found in binary or memory: https://d.symcb.com/rpa0.
Source: Register.dll String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0048A650 GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004B76AC GetKeyboardState
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004C7378: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00470008
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004D2020
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004024C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004764C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0047C5B8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004D4700
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00406D9C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004C7378
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0047540C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004AB5D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042F58C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00475660
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00475914
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00499A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00470008
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004D2020
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004024C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004764C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0047C5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004D4700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00406D9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0047540C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004AB5D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0042F58C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00475660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00475914
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00499A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042B64C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042424C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042BC5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04314700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042487F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04312020
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042B0008
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04246D9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04256908
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042B540C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0426F58C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042495DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042EB5D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042B5660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04307378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042B5914
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D9A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00470008
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004D2020
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004024C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004764C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0047C5B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004D4700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00406D9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0047540C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004AB5D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0042F58C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00475660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00475914
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00499A24
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00405B54 appears 111 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00405AB8 appears 75 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00405AC8 appears 40 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 0046242C appears 112 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00408A94 appears 84 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00405B1C appears 36 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00405F9C appears 61 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 004623EC appears 65 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00458E4C appears 31 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00404F5C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 042A242C appears 112 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04244F5C appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00405B54 appears 222 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04245B1C appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04245F9C appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00405B1C appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00405F9C appears 122 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04245AC8 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04245AB8 appears 84 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04248A94 appears 84 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 042A23EC appears 65 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04298E4C appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00408458 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00405AB8 appears 150 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00405AC8 appears 80 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00405AC0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0046242C appears 224 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00408A94 appears 168 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 004623EC appears 130 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04245B54 appears 111 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00458E4C appears 62 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00417508 appears 42 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00458C24 appears 50 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00404F5C appears 96 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 644
Source: Register.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engine Classification label: sus30.winDLL@39/30@0/0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00488AAC GetLastError,FormatMessageW
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040CF02 GetDiskFreeSpaceW
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0048DEB0 CoCreateInstance
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004089F2 FreeResource
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1280
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3392
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3944
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3708
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5696
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5388
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7128
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3e9b4938-9118-4a57-b64a-bc23af1c0044
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\ProgramData\{E0224FF9-7AE3-4F9E-991A-2F004F7E3952}\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveApp
Source: loaddll32.exe String found in binary or memory: Start/Stop Count
Source: loaddll32.exe String found in binary or memory: Start/Stop Count
Source: loaddll32.exe String found in binary or memory: NATS-SEFI-ADD
Source: loaddll32.exe String found in binary or memory: NATS-DANO-ADD
Source: loaddll32.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: loaddll32.exe String found in binary or memory: jp-ocr-b-add
Source: loaddll32.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: loaddll32.exe String found in binary or memory: jp-ocr-hand-add
Source: loaddll32.exe String found in binary or memory: ISO_6937-2-add
Source: rundll32.exe String found in binary or memory: Start/Stop Count
Source: rundll32.exe String found in binary or memory: Start/Stop Count
Source: rundll32.exe String found in binary or memory: NATS-SEFI-ADD
Source: rundll32.exe String found in binary or memory: NATS-DANO-ADD
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: rundll32.exe String found in binary or memory: jp-ocr-b-add
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: rundll32.exe String found in binary or memory: jp-ocr-hand-add
Source: rundll32.exe String found in binary or memory: ISO_6937-2-add
Source: rundll32.exe String found in binary or memory: jp-ocr-b-add
Source: rundll32.exe String found in binary or memory: Start/Stop Count
Source: rundll32.exe String found in binary or memory: Start/Stop Count
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: rundll32.exe String found in binary or memory: jp-ocr-hand-add
Source: rundll32.exe String found in binary or memory: NATS-SEFI-ADD
Source: rundll32.exe String found in binary or memory: NATS-DANO-ADD
Source: rundll32.exe String found in binary or memory: ISO_6937-2-add
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: rundll32.exe String found in binary or memory: Start/Stop Count
Source: rundll32.exe String found in binary or memory: Start/Stop Count
Source: rundll32.exe String found in binary or memory: NATS-SEFI-ADD
Source: rundll32.exe String found in binary or memory: NATS-DANO-ADD
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: rundll32.exe String found in binary or memory: jp-ocr-b-add
Source: rundll32.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: rundll32.exe String found in binary or memory: jp-ocr-hand-add
Source: rundll32.exe String found in binary or memory: ISO_6937-2-add
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Register.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveApp
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 644
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 652
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveAppSpecial
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 644
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveTrial
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveApp
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveAppSpecial
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveTrial
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ValidateThreadLicense
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",GetSurplusDays
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",GetLicenseType
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ClearTrialData
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckTrialInstalled
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckLicenseLocatin
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckDbValue
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 644
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveApp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveAppSpecial
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveTrial
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveApp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveAppSpecial
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveTrial
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ValidateThreadLicense
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",GetSurplusDays
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",GetLicenseType
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",ClearTrialData
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckTrialInstalled
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckLicenseLocatin
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckDbValue
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msimg32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: crtdll.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe File written: C:\ProgramData\{E0224FF9-7AE3-4F9E-991A-2F004F7E3952}\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Register.dll Static PE information: certificate valid
Source: Register.dll Static file information: File size 1081320 > 1048576
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004D80C0 push 004D8146h; ret 0_2_004D813E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004D7AB0 push 004D7B75h; ret 0_2_004D7B6D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00476048 push 00476074h; ret 0_2_0047606C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0049205C push 00492094h; ret 0_2_0049208C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042E14C push 0042E178h; ret 0_2_0042E170
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00456170 push 004561B3h; ret 0_2_004561AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004D613C push 004D6162h; ret 0_2_004D615A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00466130 push 00466168h; ret 0_2_00466160
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004A41C8 push 004A4222h; ret 0_2_004A421A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004C61F0 push 004C621Ch; ret 0_2_004C6214
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042C228 push ecx; mov dword ptr [esp], edx 0_2_0042C22D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004542D0 push ecx; mov dword ptr [esp], ecx 0_2_004542D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004082DE push 00408345h; ret 0_2_0040833D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004082E0 push 00408345h; ret 0_2_0040833D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004AC2FC push 004AC367h; ret 0_2_004AC35F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00484280 push 004842E7h; ret 0_2_004842DF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0046A2B8 push 0046A2F0h; ret 0_2_0046A2E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0046E358 push 0046E39Bh; ret 0_2_0046E393
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004623BC push 004623E8h; ret 0_2_004623E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00494570 push 004945CAh; ret 0_2_004945C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0045A578 push 0045A5B0h; ret 0_2_0045A5A8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004C85BC push 004C8629h; ret 0_2_004C8621
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0049065C push 00490688h; ret 0_2_00490680
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00440620 push 00440663h; ret 0_2_0044065B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004206B8 push 00420705h; ret 0_2_004206FD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00490828 push 0049086Ah; ret 0_2_00490862
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00416908 push 00416E10h; ret 0_2_00416E08
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00422980 push ecx; mov dword ptr [esp], edx 0_2_00422985
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0043E9BC push 0043E9FDh; ret 0_2_0043E9F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00432A3C push 00432AA8h; ret 0_2_00432AA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00422AE4 push ecx; mov dword ptr [esp], edx 0_2_00422AE9

Persistence and Installation Behavior

Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 0_2_004C7378
Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 0_2_004C764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 4_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 4_2_004C764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_0430764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_04307378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 12_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 12_2_004C764C

Boot Survival

Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 0_2_004C7378
Source: C:\Windows\System32\loaddll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 0_2_004C764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 4_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 4_2_004C764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_0430764C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_04307378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 12_2_004C7378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 12_2_004C764C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00490074 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00490074
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004BE398 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_004BE398
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00496D58 IsIconic, 0_2_00496D58
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004BED60 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient, 0_2_004BED60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00496DD8 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 0_2_00496DD8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004BDA28 IsIconic,GetCapture, 0_2_004BDA28
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00499A24 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC, 0_2_00499A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00490074 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_00490074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004BE398 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_004BE398
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00496D58 IsIconic, 4_2_00496D58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004BED60 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient, 4_2_004BED60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00496DD8 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 4_2_00496DD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004BDA28 IsIconic,GetCapture, 4_2_004BDA28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00499A24 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC, 4_2_00499A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D0074 IsIconic,GetWindowPlacement,GetWindowRect, 5_2_042D0074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042FE398 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 5_2_042FE398
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042FED60 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient, 5_2_042FED60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D6D58 IsIconic, 5_2_042D6D58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D6DD8 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 5_2_042D6DD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042FDA28 IsIconic,GetCapture, 5_2_042FDA28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D9A24 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC, 5_2_042D9A24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00490074 IsIconic,GetWindowPlacement,GetWindowRect, 12_2_00490074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BE398 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 12_2_004BE398
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00496D58 IsIconic, 12_2_00496D58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BED60 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient, 12_2_004BED60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00496DD8 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow, 12_2_00496DD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_004BDA28 IsIconic,GetCapture, 12_2_004BDA28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00499A24 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC, 12_2_00499A24
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_004A0790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 4_2_004A0790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 5_2_042E0790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 12_2_004A0790
Source: C:\Windows\System32\loaddll32.exe API coverage: 4.2 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.7 %
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040C904 FindFirstFileW,FindClose, 0_2_0040C904
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040CB84 FindFirstFileW,GetLastError, 0_2_0040CB84
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 0_2_00407618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0040C904 FindFirstFileW,FindClose, 4_2_0040C904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0040CB84 FindFirstFileW,GetLastError, 4_2_0040CB84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 4_2_00407618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0424C904 FindFirstFileW,FindClose, 5_2_0424C904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0424CB84 FindFirstFileW,GetLastError, 5_2_0424CB84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04247618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 5_2_04247618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0040C904 FindFirstFileW,FindClose, 12_2_0040C904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0040CB84 FindFirstFileW,GetLastError, 12_2_0040CB84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00407618 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 12_2_00407618
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040828E GetSystemInfo, 0_2_0040828E
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.10.dr Binary or memory string: VMware
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.10.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node graph_0-64717
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_4-64738
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0426CE78 GetClassInfoW,UnregisterClassW,RegisterClassW,LdrInitializeThunk,SetWindowLongW,5_2_0426CE78
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_004CA434 cpuid 0_2_004CA434
Source: C:\Windows\System32\loaddll32.exe | Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,0_2_00407814
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,0_2_00412370
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,0_2_00412322
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,0_2_00412324
Source: C:\Windows\System32\loaddll32.exe | Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,0_2_0040794F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,4_2_00407814
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,4_2_00412370
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,4_2_00412322
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,4_2_00412324
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,4_2_0040794F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,5_2_04247814
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,5_2_04252324
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,5_2_04252322
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,5_2_04252370
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,5_2_0424794F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,12_2_00407814
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,12_2_00412370
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,12_2_00412322
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,12_2_00412324
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,12_2_0040794F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0040F2D4 GetLocalTime,0_2_0040F2D4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00430F78 GetTimeZoneInformation,0_2_00430F78
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_004D80C0 GetVersion,0_2_004D80C0
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\loaddll32.exe | Code function: cmd.exe /k ping 0_2_00484FE8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: cmd.exe /k ping 4_2_00484FE8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: cmd.exe /k ping 5_2_042C4FE8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: cmd.exe /k ping 12_2_00484FE8
MITRE ATT&CK Matrix, listed per tactic (leading numbers are the counts shown next to each matched technique):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: 12 Command and Scripting Interpreter, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: 1 Bootkit, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: 11 Virtualization/Sandbox Evasion, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 1 Bootkit, 1 Rundll32, 1 DLL Side-Loading
Credential Access: 11 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: 2 System Time Discovery, 31 Security Software Discovery, 11 Virtualization/Sandbox Evasion, 11 Application Window Discovery, 3 File and Directory Discovery, 35 System Information Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: 1 Screen Capture, 11 Input Capture, 1 Archive Collected Data, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: 1 Encrypted Channel, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Behavior Graph ID: 1531071; Sample: Register.dll; Startdate: 10/10/2024; Architecture: WINDOWS; Score: 30. Graph summary: loaddll32.exe (signature: Contains functionality to infect the boot sector) started rundll32.exe, cmd.exe, a second rundll32.exe and 12 other processes; the first rundll32.exe (signature: Contains functionality to infect the boot sector) started WerFault.exe; cmd.exe started rundll32.exe, which in turn started WerFault.exe; the second rundll32.exe and the 12 other processes also started WerFault.exe instances.

Source | Detection | Scanner | Label | Link
Register.dll | 4% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://www.indyproject.org/ | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.10.dr | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | Register.dll | false | | unknown
https://sectigo.com/CPS0 | Register.dll | false | URL Reputation: safe | unknown
http://www.indyproject.org/ | rundll32.exe, rundll32.exe, 0000000C.00000002.2175465696.0000000004DDC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.2174956438.0000000000401000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2152369580.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000003.2151719950.000000000430C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.2231857074.0000000000841000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.2232862653.00000000043FC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2234195644.000000000430C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2233135991.0000000000C61000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000003.2182403949.000000000481C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000012.00000002.2194313102.0000000000401000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2198822456.0000000000401000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000003.2183923148.0000000004E9C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2197564894.00000000043D1000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000015.00000003.2184355496.00000000045AC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2231464418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2233446732.0000000004CCC000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.2190485197.0000000004241000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000018.00000002.2191711725.000000000445C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.2186408601.0000000004E0C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.2203344145.0000000000401000.00000020.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | Register.dll | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | Register.dll | false | | unknown
No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1531071
      Start date and time:2024-10-10 20:12:52 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 7m 54s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:37
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:Register.dll
      Detection:SUS
      Classification:sus30.winDLL@39/30@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 88%
      • Number of executed functions: 63
      • Number of non-executed functions: 341
      Cookbook Comments:
      • Found application associated with file extension: .dll
      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 104.208.16.94
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size exceeded maximum capacity and may have missing disassembly code.
      • VT rate limit hit for: Register.dll
Time | Type | Description
14:13:45 | API Interceptor | 7x Sleep call for process: WerFault.exe modified
14:13:48 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
No context
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.882699185522906
      Encrypted:false
      SSDEEP:192:mcZitOU60BU/wjeTFXzuiFeZ24IO8dci:FikUBBU/wjexzuiFeY4IO8dci
      MD5:F3471E446BFAA8F68F1786F1E33FC63D
      SHA1:04BADCC459BE8611747021724521BBF7C8F5CFBE
      SHA-256:B953614D8F176C122AAD8A2E4F8D7874DD30E2CC4FA0DF869797911D36254612
      SHA-512:7F813C60F1851F8657ADDDED1742A976C8A86072845922BC3E71B4B894BA762938AE5F3C3C7EFA3EB0EB032BC2F387802A280FEA51C47485207C8ED82A5C75A2
      Malicious:false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.5.7.6.2.9.5.9.0.6.3.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.5.7.6.3.1.0.5.9.3.8.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.c.1.c.5.a.9.-.f.e.c.a.-.4.e.a.1.-.8.b.8.3.-.1.9.9.5.f.0.3.8.2.e.3.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.0.1.7.1.6.a.-.4.8.e.3.-.4.8.b.a.-.a.e.8.e.-.0.d.2.6.5.2.f.3.e.0.5.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.6.8.-.0.0.0.1.-.0.0.1.5.-.3.a.7.e.-.3.9.2.7.4.0.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8831292141662811
      Encrypted:false
      SSDEEP:192:vb/zDi4Ox60BU/wjeTFXzuiFeZ24IO8dci:TnipxBBU/wjexzuiFeY4IO8dci
      MD5:318CA753EE79496BE953DCBDA29017A5
      SHA1:72E132B298A64BE114A6995BCC6D2014E4DDA962
      SHA-256:4A8E7B5484044E149DEA517D91DC63ADB1D50A369EC6A026EB0560B365ED6219
      SHA-512:CED2362CD4BB515077D5B98C3F5E0CB70138DAB2DEC6E8D2051180A33DF407D1ADEDD8704EDA3BF34C7B6698487EF9A49566D6681D3E2E3D591B554182DF3854
      Malicious:false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.5.7.6.2.2.9.1.6.3.2.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.5.7.6.2.3.1.8.1.9.4.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.3.3.1.7.c.e.-.2.6.e.9.-.4.a.8.b.-.8.9.9.e.-.5.a.d.5.b.4.c.1.4.d.2.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.b.6.8.d.5.9.-.f.6.3.1.-.4.b.0.7.-.9.b.8.4.-.b.f.9.8.5.8.0.c.2.1.1.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.4.0.-.0.0.0.1.-.0.0.1.5.-.3.4.1.2.-.9.e.2.3.4.0.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8831870350292702
      Encrypted:false
      SSDEEP:96:ZkF/6i9KhVyPsj94sSTsfuQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNl4EA:2EiYOP60BU/wjeTFXzuiFeZ24IO8dci
      MD5:CD083E6AD41A461CA7491FF219A531E6
      SHA1:75A7C0CAC3CB937BFD4E5A01280E58C155366C75
      SHA-256:C6D704F5469EA0A5069678FE886A78D4A900F7D9767620123889DF2E0846DD3E
      SHA-512:9ABE6DF8B788755139D3D1BCD0535E5535751B724A710CA52B746F6BAAD15A61528DF1460F0047D843B6F69EF4E11FA852576BFD38460B71A680C5E11783B8F5
      Malicious:false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.5.7.6.2.0.2.1.6.8.5.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.5.7.6.2.0.6.5.4.3.4.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.a.f.b.b.4.a.-.f.b.0.5.-.4.2.9.9.-.8.9.c.c.-.5.5.2.6.5.3.0.5.1.d.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.c.3.f.a.b.c.-.6.6.5.c.-.4.a.3.b.-.9.5.a.8.-.a.9.b.0.1.a.6.8.7.4.e.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.4.0.-.0.0.0.1.-.0.0.1.5.-.f.8.c.2.-.d.2.2.1.4.0.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8831810337711334
      Encrypted:false
      SSDEEP:192:fgipOTZ60BU/wjeTFXzuiFeZ24IO8dci:IiANBBU/wjexzuiFeY4IO8dci
      MD5:2F03D982104F5C61C1650584660D4520
      SHA1:2CA936A490FF56117E13A2CFCE41F5938850BD10
      SHA-256:3741A5E15E39F975FD9DDC0B16586A7F448FD2C78FFF127CF9942FE484953392
      SHA-512:99E58457B4ECA5CC14BDC9EDA7ACD85EB212C095DFF7B9440195F7F17C2BEFB8A66600B359D79EB52531E351E3079599D403645D84A700144AA772AAB1183C86
      Malicious:false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.5.7.6.2.9.6.5.3.6.3.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.5.7.6.3.0.9.6.6.1.1.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.8.4.0.c.9.f.2.-.9.3.3.7.-.4.c.e.2.-.a.e.7.8.-.4.3.5.7.f.b.d.0.b.1.2.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.c.e.d.1.c.2.-.4.8.0.0.-.4.1.9.b.-.9.e.9.a.-.9.4.9.7.b.d.5.4.9.2.e.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.8.-.0.0.0.1.-.0.0.1.5.-.c.0.a.8.-.4.7.2.7.4.0.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8830051585662363
      Encrypted:false
      SSDEEP:96:UhFK6ichVy8sj94sSTsfuQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNl4Efo:gticO860BU/wjeTFXzuiFeZ24IO8dci
      MD5:C6D32559F67AA33CA9780E900C2D3A65
      SHA1:FD36BA1FA61A8FA77071B78573EF39227AD2C0FC
      SHA-256:536001FE018B5B9F3997BC0F5271461CFA3CFD225C555F3E2EDA438817212BAC
      SHA-512:27E5644F745C30A18B0A9B413DC6667494014C2D20FD67DC3ED79209F722F28C241F448C426841993287D85527592D181F1124C51CD4F3C49ECFEA161CAA5B71
      Malicious:false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.5.7.6.2.9.4.8.7.9.7.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.5.7.6.3.0.9.5.6.7.1.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.5.a.b.6.8.d.-.2.b.7.9.-.4.1.b.7.-.8.c.d.a.-.7.0.8.2.9.c.0.4.b.3.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.e.2.5.4.c.6.-.3.8.7.1.-.4.a.1.c.-.a.9.3.7.-.3.2.5.6.3.0.3.9.b.0.f.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.0.c.-.0.0.0.1.-.0.0.1.5.-.6.a.5.e.-.3.8.2.7.4.0.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8830661211603622
      Encrypted:false
      SSDEEP:192:33p1ijOQd60BU/wjeTFXzuiFeZ24IO8dci9:np1iqSBBU/wjexzuiFeY4IO8dci9
      MD5:ED8EB5AB6F1C9E8C19DC1A35388BC4AD
      SHA1:A2A84ED33ACE8B0629974A11C8432807DF12FEB8
      SHA-256:2524A519EFD1C23344F88209FE445FFDC75B181171306DA0738D171D031D34E0
      SHA-512:7FE9BB02E4BC35FC793ABDD31AD2A1E933B63499EDF3B789781C37BF4D18DDC5C2FFA4307AF888208B2488F7A7B6EB4545C07B167364901EE9E638500E7CA6D8
      Malicious:false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.5.7.6.3.0.0.0.3.5.2.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.5.7.6.3.1.2.0.6.6.5.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.0.3.2.4.4.f.-.1.a.7.3.-.4.1.c.a.-.9.5.d.d.-.8.c.8.5.5.9.0.9.a.c.d.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.b.b.0.e.b.c.-.3.9.c.7.-.4.8.6.0.-.8.f.e.c.-.1.6.9.e.1.a.3.9.3.2.f.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.7.c.-.0.0.0.1.-.0.0.1.5.-.8.6.7.c.-.5.2.2.7.4.0.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.8829779694691272
      Encrypted:false
      SSDEEP:96:t9FS6ia4hVy2sj94sSTsfuQXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNl4EA:fFitO260BU/wjeTFXzuiFeZ24IO8dci
      MD5:467C15AC2F2F9F4F11FC1EF22A5DFDFC
      SHA1:23E28A2D42309DF9932722A91A1C8D9E4512F399
      SHA-256:8BB531E5DCB28E239FF04C86B17AAC52E19D9B4596DE29533F3EF1116D0E3D38
      SHA-512:C87FF3DBAE8E3C3312723F1990E4D58E88BA09A325721FEB532A8921B8EC604E229F6A7DFC9515EEF067E65ECFF3AEE4A713015D5488D3B1CCCEE6799C5737B7
      Malicious:false
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.0.5.7.6.2.0.1.9.6.3.3.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.0.5.7.6.2.0.9.7.7.5.9.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.a.6.4.3.0.2.-.c.0.7.4.-.4.c.f.3.-.a.3.f.a.-.2.c.6.a.2.0.0.a.8.8.d.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.c.4.b.4.d.6.-.9.4.7.9.-.4.4.3.1.-.9.c.2.a.-.e.f.8.1.6.4.8.d.b.a.0.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.0.0.-.0.0.0.1.-.0.0.1.5.-.e.6.7.0.-.c.f.2.1.4.0.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Thu Oct 10 18:13:40 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):43196
      Entropy (8bit):1.9965361892649462
      Encrypted:false
      SSDEEP:192:MdeZ68X6ilO5H47foahW/cCLqNmsUTwnJdD:i5HM1W/ciqNsi
      MD5:ECB357DDAC6CCAA15F168C80E188C089
      SHA1:2E30081BABCAF43D9CE58FAAF946D53327133360
      SHA-256:B9C46D73C8DED7859F9E029BE672F48932B0FDE0ECBE0B0CBF3CE30BBDA486F3
      SHA-512:5582F240B45882AF5C5D1C93A3E8CCF36A8E2A9B0305568B1FEF028B9A82D8CA6AD8FB708386391EE66F3581CA4C1FD0C88444F63C1371CE02E5E41924661D45
      Malicious:false
      Preview:MDMP..a..... .......T..g........................x................*..........T.......8...........T.......................................................................................................................eJ..............GenuineIntel............T...........S..g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Thu Oct 10 18:13:40 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):44876
      Entropy (8bit):1.9189676478506956
      Encrypted:false
      SSDEEP:192:MnVZTEXrXK5O5H4qWWRMFpSggJKbI4zi:+Q5HjWeMFpLg0
      MD5:98E6482176F963E7FF47509C940F74B2
      SHA1:6F32EA3E263B80CED964CDE5BBD06DD80017DDA2
      SHA-256:64A9BC1684FED4B3929144E2EDAB28EE9ADB4A2698659ED63F0F0BE091495356
      SHA-512:441F8689B820DAFC1B39918FB2719A019A9AC57E69F957BC317A6F6FC1B3E63D585911075D3F0DBDA6A7592896BCCBD27E87CDE69734B8240F7C2C0AAAF8D4BE
      Malicious:false
      Preview:MDMP..a..... .......T..g........................x................*..........T.......8...........T...............L.......................................................................................................eJ..............GenuineIntel............T.......@...S..g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8262
      Entropy (8bit):3.6909472189662114
      Encrypted:false
      SSDEEP:192:R6l7wVeJmL6IU66YH16HgmfTy3prB89bJWsfWjm:R6lXJC6IU66YV6HgmfTyUJ1fD
      MD5:4D0DF6366C984A1DFB3C5D548A3EFF4D
      SHA1:956C55D84A0DA8C9720D7FAED4C1F8917599C4C2
      SHA-256:32DA13FA7FC38ED063FA894992DBC44A8EBE090864DF7155B7E563251F2F39C2
      SHA-512:3ABACC44A975C9BA407864A79C36C5A4DC7803E1D2CBF3CBF998CDCB80A843BB0EFDEDC009437BA54276E5EEE442243F0563FC6F8359168008EAEC6A1D218EB6
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.8.0.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8264
      Entropy (8bit):3.693920432127488
      Encrypted:false
      SSDEEP:192:R6l7wVeJ+Y6IUs8n6Y9aH66BgmfTy3prt89bJSLsfPjm:R6lXJJ6IUs8n6Yo6cgmfTygJSQfi
      MD5:4FC86504DA493A07C6C6FCE76E162F91
      SHA1:0C1299B829E15FB4A6EC5E48B7E39FEC0414C3E7
      SHA-256:0C5BE4E7FD7313376BB61C7048A4EBA4EFD2B7DE716F63EB8CF789CF96D700E9
      SHA-512:2594EDF3CE8A9D4879DDB0BFA54BB4B9A8763BEAAECD8ADD8C4C8310607E75D881F7712293CA310DAA0BA17563DCE093FD053EFAD81A2E304C47B86E3B8218A9
      Malicious:false
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.9.2.<./.P.i.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4652
      Entropy (8bit):4.4602137115471585
      Encrypted:false
      SSDEEP:48:cvIwWl8zsuJg77aI9vcWpW8VYJYm8M4JCdPy+hFDj+q8/40LZxEGScS4d:uIjfkI79V7V9Jl+nj90kJ34d
      MD5:A215D4173D408E86A79323BE423687C9
      SHA1:457D6A4DDB9C9C80EE5793F0F61343182683F544
      SHA-256:C97FA987A100967CF01E9DB5673DF531EA7BDE83CC97898748101344294850D6
      SHA-512:418F685C84A805918CFA43AFEC36350B35CEFFCE3635C665E07D6AAFAE972D1C1F591B6B5E1C5B6C8B67B9EDD4973956158A99338CD798599B29A0DF05AF0C06
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537676" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4652
      Entropy (8bit):4.460709932021838
      Encrypted:false
      SSDEEP:48:cvIwWl8zsuJg77aI9vcWpW8VYeYm8M4JCdPy+hFf+q8/40LDxGScSad:uIjfkI79V7VCJl+b90JJ3ad
      MD5:46745BFFE3916559C3FB747103D49C11
      SHA1:AC1880A93CD073D96306CE39A9E4BA84CBC668D0
      SHA-256:D3EFADAB24865F3473DF95AC17621AC8B4B15DB7C3701B40FF710382FC723CD3
      SHA-512:6D53DE6A91C9975045481A1B6FA770F4276FEB2E03E14283E240969F94F230ADE1F237AEB4740ACA2DCB56F2647BCE1C9CEC67CB556D1594D1C1AFE4AEC6A62E
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537676" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Thu Oct 10 18:13:42 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):43936
      Entropy (8bit):1.9729227084345455
      Encrypted:false
      SSDEEP:192:yJZI8XkxO5H4vzCnh2Dqd+wTIwmOVS6ueuT0Bg:c5Ho2h2avVVu1A
      MD5:152DAACE14E0760F99E80BECBF5A5793
      SHA1:5108788673E69D18A324CEE1B6A00E9128447A9D
      SHA-256:0FD12E3BB42A72DF1EF80570E270C852503D3E93343DC1B41C3070A55471A128
      SHA-512:974868EFE24AA0B7C250178CF73DE737A5F9A8F0968BD1B856B373C7BC9A8FEF90BDA9458AA74CEF695BA8D649E7046C0D4FFDBF3953BDAA5EC8977A4B935846
      Malicious:false
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8264
      Entropy (8bit):3.693226911135219
      Encrypted:false
      SSDEEP:192:R6l7wVeJha6IU+6YHY6mgmfTy3pra89byQsfw/cGm:R6lXJM6IU+6Y46mgmfTy5yjfwM
      MD5:56E6B587C1D18104BEEC131204B918E3
      SHA1:F2B8566A762D7AFC994182759CCAD158B55D7C54
      SHA-256:8A215520D9139E25F9914E892C55F1A302C6B675F954EBF87EB368148C7F8DB6
      SHA-512:008A4DCA18F080D2C5A2DF77020062BA2569E1572CC70D57FB794DCD90ED6EAE340BBB78E82E5EFED6F312420860CC1EB2C273EDBDB6AAC5631B44030D5B38A9
      Malicious:false
      Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5696</Pi
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4652
      Entropy (8bit):4.463007910722485
      Encrypted:false
      SSDEEP:48:cvIwWl8zsuJg77aI9vcWpW8VYBYm8M4JCdPy+hFy+q8/40LIGScSrd:uIjfkI79V7V5Jl+G90UJ3rd
      MD5:292BD5500EC37AD0905AEAA53A63A653
      SHA1:A73494D539BF7BAC1CF207F6CDF80F1C0062C17A
      SHA-256:06C46B830BC6EE40126B582A206D78A9C21BF50325EE241FCA0E03054BEE89DF
      SHA-512:092FFB2376D066CB313FF4E863DFA69F56E066F18701F58F0CEF94C541EA3A67C3D740447A80384163A8D7117DE1EAC33AC6E82EACC3AC5CFDE2A7E62B15EDE2
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537676" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Thu Oct 10 18:13:49 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):43900
      Entropy (8bit):1.9373043362815237
      Encrypted:false
      SSDEEP:96:5Q8oU0j0DuOurX8q1DWMwXDn87Yroi75I4v4qTs/wE0eKrIIxP5bEyYeAQrKVkjx:d1JuAXeO5H4iHrIGlh24sCzkO6N
      MD5:EADCAFF71647C48A62C890A99834ABF2
      SHA1:4D2F66FCDDAB365F12FC3B93FB0A071672CBFB8C
      SHA-256:AB55EF2ED378B98802FF9FAB3F2E2028891A624C53382FFB7CF7C5BF87B499B0
      SHA-512:D4DA55721C362AD63AFA50EB5CF44F316ABFB9D4B91DE8A4E3673F91E62B9E74E1EA094E2602404B3FA552A02567204896F2389D8647828DCBAB2E059BA59D9B
      Malicious:false
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Thu Oct 10 18:13:50 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):44800
      Entropy (8bit):1.9041099720484573
      Encrypted:false
      SSDEEP:96:538KKs0j0DuOurX8q0DWSwXDn8CToi75I4v4qHV35yprKVkjS68LWx4Wqx9avYfL:qfsJJKXqO5H44y2t/luhR27TNI96
      MD5:D701034A295513B518243D08DB794704
      SHA1:9A2F9AFE1905DDCB7243BA3BB4780A3514913166
      SHA-256:ED2E166C3B46E18EEBA0576F918F91DF569D6A12CA16CA06FF941D713A9DE5CA
      SHA-512:5FA441B59638A2002B9EB6E4682C0C5FFA8959A1FE5336D0126B08CBD33D544A72359918BFBD75972709567D5E5E5FFABC079A5C429089AEA0DE1D58AF49559D
      Malicious:false
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Thu Oct 10 18:13:49 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):44860
      Entropy (8bit):1.9366340501964783
      Encrypted:false
      SSDEEP:192:dhJV8XdxKO5H4OuO4L/Cyo0ZhQ4l9BQYi:0n5Hx4LLXQc9x
      MD5:2EFA7A2D4027EE3A702DD1D450E9B90A
      SHA1:8389B5B225C8D80E1CFC7570D09EE1AB8CEE7CE4
      SHA-256:CFF232E86A3E8B2F2B41BBD9017783B8CD5CD8477E83F25D707EA49A35010C07
      SHA-512:ADE8F759739556ADE76E51643B7568D1FD1883899B4E31BCD4790814E3B02ED7F6FC872AC786179E37E133B293E82300C656C2158DC7AC997279C2994E4F91E5
      Malicious:false
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8286
      Entropy (8bit):3.6933972139754174
      Encrypted:false
      SSDEEP:192:R6l7wVeJjHA6IU+UC6YHDT6bgmfTy3prd89b4UsfzIm:R6lXJk6IU+UC6YjT6bgmfTyw4Hfp
      MD5:3C9B002326A5EDE268FECC31BCDB317C
      SHA1:7DA0881276CA06EDCB20D7DFC6C0D1A406D2DF1C
      SHA-256:FC19A0F4AB9549A39DF49BE1F64987DA2828DCE6ACB6219D8E6225505B006458
      SHA-512:7466643AF0084D51D2B192B17C13FEAD6EE207822DCBB2A2406E4F31905AC4B652D80B70A526C791E6AE669E534903AD5358520646862E11A564278FE6B1DF7D
      Malicious:false
      Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5388</Pi
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4652
      Entropy (8bit):4.4622719540969715
      Encrypted:false
      SSDEEP:48:cvIwWl8zsuJg77aI9vcWpW8VYPYm8M4JCdPy+hFg+q8/40Lw1GScSvd:uIjfkI79V7VjJl+M90wJ3vd
      MD5:08E87F5EF8B948523119CEE4104D4A11
      SHA1:B3D16B65D261E2F9D7E2DE96856DD8F8E72EF58E
      SHA-256:4714EC2637D390920AB02862F0E4D34D66B51756E2329EF7B2348B8AD5E32E0D
      SHA-512:E606677B347FEF9227424E3FEC441E1A822D8DA66897411A7E649A425CDFC0C8B700C06308DB83950A4D6AE9912435751AA1110ED62BB09C8904235F2CAFED45
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537676" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8286
      Entropy (8bit):3.6938742710559542
      Encrypted:false
      SSDEEP:192:R6l7wVeJ5G6IUR6YHDu6VgmfTy3prQ89bY6sfnom:R6lXJY6IUR6Yju6VgmfTy3YZft
      MD5:0E5B3954673D84FB749B1E670C55CFA3
      SHA1:542A614D99A77D492ED1E45E91E53076559778D2
      SHA-256:60CD30C86812E7159CF3E3956E606B5AEAE78FFA5055D9CD526C00412F569D1F
      SHA-512:518F99A5E75D8F43F5E67A830C5001B92563D8D3A4BEED3A80A84D91882948C2C52BF5FBFD90F76B83D7140AD8B5395B026DBDB0477E682ED9FC46DAFFDA2AEB
      Malicious:false
      Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7128</Pi
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Thu Oct 10 18:13:50 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):44288
      Entropy (8bit):1.9333999397851058
      Encrypted:false
      SSDEEP:192:qUFJsDXRO5H4qtzo3OWFwgBM/a6SadgeiHiv:rV5HPtSOWFwgBM/Aageic
      MD5:F818E7492D053DE70562F88EE31408CD
      SHA1:FA4FACC2AF0909DA0A697271FC186149C699D80C
      SHA-256:14E6C6F896C886DD1CADB9E995610E6391CF62CAA3808DB5B50027E4301938FB
      SHA-512:910A5B6D0C8EB4077208C826131E30C0EC0213D3ABFDE6A5B71378AEF67446E4F4FABA0A64B098AD28A176828817CE88C9F8458F9977F3D52C32BBF5F5C1E3BD
      Malicious:false
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4652
      Entropy (8bit):4.46077206532534
      Encrypted:false
      SSDEEP:48:cvIwWl8zsuJg77aI9vcWpW8VY+oJYm8M4JCdPy+hFtp+q8/40L1GScSBd:uIjfkI79V7VNoYJl+xp90xJ3Bd
      MD5:909ED6AF7389718F8402C9A8A1569D64
      SHA1:31AFE60FCF63D5FA8310D5654EEBA1B73267E06A
      SHA-256:65DE9C52F2DA3A7E18BA20851D086F0F05536BC7FD0E578611D6B058E0B600C6
      SHA-512:512509303B01EF1153AF63000A4E35DA89882CC31561E97ED7A9A282A8B6EABFD607DE06D7ED175C11EA5E2C6115C3F5E41971C3240A81AD80F3C8ABEB898FB8
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537676" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8286
      Entropy (8bit):3.692478602063614
      Encrypted:false
      SSDEEP:192:R6l7wVeJ/i6IUL8F6YHDU6VgmfTy3prx89bYxsfgom:R6lXJa6IUL8F6YjU6VgmfTyUYqfG
      MD5:2A9FB864EAAA79A521084A2375E46E62
      SHA1:0E7D157B03E92A4E9DB427BD359030661505A5A7
      SHA-256:8FAE14477F9958D1AD283A1A106689B06E581F83E7957ED11BE9EB390E1DC1A7
      SHA-512:0C57A2650C520C66D073A8953DCDEC54716406D83A9A889B3621FC08D88BEAC05AD54AA5B7F395A842D8F4742B580A5C97F8B8B1A36D34AF63A22EF12E8C9888
      Malicious:false
      Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>3944</Pi
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4652
      Entropy (8bit):4.460346362935363
      Encrypted:false
      SSDEEP:48:cvIwWl8zsuJg77aI9vcWpW8VY+pPYm8M4JCdPy+hFe+q8/40LdHGScSUd:uIjfkI79V7VNpSJl+C90ZJ3Ud
      MD5:3FC74249224F25B6225619045455AB76
      SHA1:E0D760313CF71AE09E0F27EEA125CEC087F2B73E
      SHA-256:6768DB4299163FA3847397AC9171F6C6B899D86D953DEEBCCB07758DAF28E421
      SHA-512:42701F8BF95BD93E55EE22B9010B3F4C2BCEC26186A63C23FE35CBFA52B4F7D5E7847C71F22B9AEDBD300F1BC03471F8D597B1880AB88C8A13D9CA7E62F99EDD
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537676" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8290
      Entropy (8bit):3.692532213717321
      Encrypted:false
      SSDEEP:192:R6l7wVeJp7l6IU2Bg16YHQ6xgmfTy3prA89bYusf0dpNom:R6lXJP6IU2Bg16Yw6xgmfTy3Ytfspn
      MD5:DCC90A6E9739D6E7900835DE488E03A3
      SHA1:359AFAF39D806D7E486C39B8A911F9B65C3B8121
      SHA-256:998F473DA9AB1EB3F684DD61755B79F8FBE1B7E6744C587B94FE63F9DE094088
      SHA-512:F17F7A1C92F2D0CFBBFF90CB3B0717E271DE7429B2FC0F9289A85125C497413DDFAFD753BC381AF8CD5CE0581E18F3504EED8579A562AB0B3948001EA61A181C
      Malicious:false
      Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>3708</Pi
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4652
      Entropy (8bit):4.462582358215878
      Encrypted:false
      SSDEEP:48:cvIwWl8zsuJg77aI9vcWpW8VY+bYm8M4JCdPy+hFT/+q8/40L/GScSFd:uIjfkI79V7VN+Jl+P/90LJ3Fd
      MD5:58AF3858F94D107C6C95E3DBC2527FBE
      SHA1:B8EDE3B4AF0654F38079FB7F631341C33CFAB86A
      SHA-256:076FB54BC8EFF2AD345069299B9662CC3497868ED6A2BCCC64BA421734A7E186
      SHA-512:F50779B6E0F2106FE412ADE00C878F9EABDEC29417DA5D2D56117A6F7011FE53906CF1F025C00B40327ADADFDA35055634F20683B7CC95723906563AA40D8E54
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="537676" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\rundll32.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):138
      Entropy (8bit):3.5165238831051426
      Encrypted:false
      SSDEEP:3:Q+RlCQ8ql62fEPlnlACuelSJsaz+o5d8UpljlWUIY:Q+cqRsdOCXlSiw+9Up7TF
      MD5:582467533A2E4ADD0E131C41590CCC49
      SHA1:899E2A63C938F3B154A9AC32D869E704E4FC3209
      SHA-256:FC734CD1EB023A4BF907060BEC404438B646174C1E9130E52332CF051AD7E432
      SHA-512:598671E55C7F6C83F43C88184E3AEA036A17893F85D741C29C41186EAC424FDE09B8A3770937D1B17FDA8876E1113C3771FB58B64ABCDFEB86920C5296B1E60F
      Malicious:false
      Preview (UTF-16 decoded):[.ShellClassInfo] LocalDB6Flag=480EA5B8931F267E4A7558F0111B5F71
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.469390992421116
      Encrypted:false
      SSDEEP:6144:6zZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:cZHtYZWOKnMM6bFpHj4
      MD5:2EFE27590EA35404D2F2F60E40BB77B2
      SHA1:E0020D692C5065B31155F9A934249EECC06490AE
      SHA-256:19CDD8CE38C877007E14EACD38C217A38057412EBB68D481D139326C80B1D0D7
      SHA-512:31A5100CAD7ECB3635D70D7A5F98741E4354C666A594715103EC5DE16630E8DE4DE131CDE1CA2E43EEDEC27E55047255D67339C2DAFCC1267D2E8F29A0BAD07C
      Malicious:false
      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Entropy (8bit):6.564787951526749
      TrID:
      • Win32 Dynamic Link Library (generic) (1002004/3) 98.12%
      • Windows Screen Saver (13104/52) 1.28%
      • Win16/32 Executable Delphi generic (2074/23) 0.20%
      • Generic Win/DOS Executable (2004/3) 0.20%
      • DOS Executable Generic (2002/1) 0.20%
      File name:Register.dll
      File size:1'081'320 bytes
      MD5:40b9628354ef4e6ef3c87934575545f4
      SHA1:8fb5da182dea64c842953bf72fc573a74adaa155
      SHA256:372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
      SHA512:02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641
      SSDEEP:24576:k0Rdvjw14ZCWQuTs54Qbz27j7BS2Nv+4BT8+u60:BDZ2zAj7pXT3i
      TLSH:43354D12A3D54433D0721F7A8D6AD6946C29BD312EA4D84E3EF8DB4C0F39B81AD34697
      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
      Icon Hash:334c3ecbabbbb7b7
      Entrypoint:0x4d8238
      Entrypoint Section:.itext
      Digitally signed:true
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
      DLL Characteristics:
      Time Stamp:0x64E5D0FE [Wed Aug 23 09:27:26 2023 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:0
      File Version Major:5
      File Version Minor:0
      Subsystem Version Major:5
      Subsystem Version Minor:0
      Import Hash:ee94d9d14cff80538936ff9d276ecfc1
      Signature Valid:true
      Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
      Signature Validation Error:The operation completed successfully
      Error Number:0
      Not Before, Not After
      • 24/03/2021 20:00:00 24/03/2024 19:59:59
      Subject Chain
      • CN="IObit CO., LTD", O="IObit CO., LTD", STREET=45 Renmin South Road, STREET="No. 605, 6th Floor, Unit 1, Building 1", L=Chengdu Shi, S=Sichuan Sheng, PostalCode=610042, C=CN
      Version:3
      Thumbprint MD5:8AD2A09EBDD6E8444414E1FFE7FC9683
      Thumbprint SHA-1:145D90AD3134C665246DC1C93CD3E2D8C69E9231
      Thumbprint SHA-256:12DBEE7AA5DBB550CEEDC6172E5C34BA577759D8926AAFF08A781552B7FABDE9
      Serial:008BA1F172FD50BA8D4C11B74FFAC8A282
      Instruction
      push ebp
      mov ebp, esp
      add esp, FFFFFFC0h
      mov eax, 004D6164h
      call 00007F18C8610DD1h
      mov eax, 004D6118h
      mov dword ptr [004E7B54h], eax
      mov eax, 00000001h
      call 00007F18C86DEA31h
      call 00007F18C860D72Ch
      lea eax, dword ptr [eax+00h]
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0xef000 | 0x13b | .edata
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xec000 | 0x2de2 | .idata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xff000 | 0xfe00 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x103400 | 0x4be8 | .rsrc
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf0000 | 0xe290 | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0xec894 | 0x704 | .idata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0xd56ac | 0xd5800 | d67b70365334734c6e08bca32ea3869c | False | 0.46091691671545665 | data | 6.449284035390792 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .itext | 0xd7000 | 0x1264 | 0x1400 | 8c4e0c59edea32510dd2fc359879747b | False | 0.5447265625 | data | 5.72139447807262 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .data | 0xd9000 | 0xb164 | 0xb200 | 68a6dd0b318987d37d203aeed6677ec3 | False | 0.6231127106741573 | data | 6.693348141527325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .bss | 0xe5000 | 0x64f0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .idata | 0xec000 | 0x2de2 | 0x2e00 | da1b477683fbb7c68c5e79625417dcb6 | False | 0.321586277173913 | data | 5.221216674467505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .edata | 0xef000 | 0x13b | 0x200 | a78efc9e9d4f3a9e4a6e52d862f95e3c | False | 0.478515625 | data | 3.6140460102232423 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0xf0000 | 0xe290 | 0xe400 | 9ff30d8f9a6530cce81e8d9e2096ad39 | False | 0.5634594298245614 | data | 6.657552604480855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      .rsrc | 0xff000 | 0xfe00 | 0xfe00 | 9d9c7749272b1d6e2bf5c952b3232998 | False | 0.2048474409448819 | data | 4.188120849256538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_CURSOR | 0xff944 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
      RT_CURSOR | 0xffa78 | 0x134 | data | English | United States | 0.4642857142857143
      RT_CURSOR | 0xffbac | 0x134 | data | English | United States | 0.4805194805194805
      RT_CURSOR | 0xffce0 | 0x134 | data | English | United States | 0.38311688311688313
      RT_CURSOR | 0xffe14 | 0x134 | data | English | United States | 0.36038961038961037
      RT_CURSOR | 0xfff48 | 0x134 | data | English | United States | 0.4090909090909091
      RT_CURSOR | 0x10007c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
      RT_ICON | 0x1001b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Chinese | China | 0.2455440900562852
      RT_STRING | 0x101258 | 0x23c | data | | | 0.40384615384615385
      RT_STRING | 0x101494 | 0x3cc | data | | | 0.41975308641975306
      RT_STRING | 0x101860 | 0xac | data | | | 0.7209302325581395
      RT_STRING | 0x10190c | 0x140 | data | | | 0.584375
      RT_STRING | 0x101a4c | 0x494 | data | | | 0.3796928327645051
      RT_STRING | 0x101ee0 | 0x494 | data | | | 0.3890784982935154
      RT_STRING | 0x102374 | 0x2e4 | data | | | 0.41621621621621624
      RT_STRING | 0x102658 | 0x494 | data | | | 0.3924914675767918
      RT_STRING | 0x102aec | 0x39c | data | | | 0.420995670995671
      RT_STRING | 0x102e88 | 0x2e4 | data | | | 0.43243243243243246
      RT_STRING | 0x10316c | 0x44c | data | | | 0.39454545454545453
      RT_STRING | 0x1035b8 | 0x398 | data | | | 0.4391304347826087
      RT_STRING | 0x103950 | 0x3e4 | data | | | 0.35542168674698793
      RT_STRING | 0x103d34 | 0x2e4 | data | | | 0.4391891891891892
      RT_STRING | 0x104018 | 0x4c4 | data | | | 0.3155737704918033
      RT_STRING | 0x1044dc | 0x3d4 | data | | | 0.3948979591836735
      RT_STRING | 0x1048b0 | 0x380 | data | | | 0.34375
      RT_STRING | 0x104c30 | 0x408 | data | | | 0.3682170542635659
      RT_STRING | 0x105038 | 0x10c | data | | | 0.5410447761194029
      RT_STRING | 0x105144 | 0xcc | data | | | 0.6029411764705882
      RT_STRING | 0x105210 | 0x234 | data | | | 0.5070921985815603
      RT_STRING | 0x105444 | 0x3d4 | data | | | 0.3163265306122449
      RT_STRING | 0x105818 | 0x314 | data | | | 0.434010152284264
      RT_STRING | 0x105b2c | 0x2c0 | data | | | 0.421875
      RT_RCDATA | 0x105dec | 0x82e8 | data | English | United States | 0.11261637622344235
      RT_RCDATA | 0x10e0d4 | 0x10 | data | | | 1.5
      RT_RCDATA | 0x10e0e4 | 0x8d4 | data | | | 0.595575221238938
      RT_GROUP_CURSOR | 0x10e9b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
      RT_GROUP_CURSOR | 0x10e9cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
      RT_GROUP_CURSOR | 0x10e9e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
      RT_GROUP_CURSOR | 0x10e9f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
      RT_GROUP_CURSOR | 0x10ea08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
      RT_GROUP_CURSOR | 0x10ea1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
      RT_GROUP_CURSOR | 0x10ea30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
      RT_GROUP_ICON | 0x10ea44 | 0x14 | data | Chinese | China | 1.15
      RT_VERSION | 0x10ea58 | 0x334 | data | Chinese | China | 0.47073170731707314
      DLL | Import
      oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
      advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
      user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
      kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
      kernel32.dll | TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
      user32.dll | CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
      msimg32.dll | AlphaBlend
      gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, FrameRgn, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
      version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
      kernel32.dll | lstrcpyW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualAlloc, TerminateProcess, SwitchToThread, Sleep, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetLastError, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, PeekNamedPipe, OutputDebugStringW, MultiByteToWideChar, MulDiv, MoveFileW, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathW, GetTempFileNameW, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibraryAndExitThread, FreeLibrary, FormatMessageW, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreatePipe, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CloseHandle
      advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegFlushKey, RegCreateKeyExW, RegCloseKey
      kernel32.dll | Sleep
      oleaut32.dll | GetErrorInfo, GetActiveObject, SysFreeString
      ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
      oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
      shell32.dll | ShellExecuteW
      comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
      shell32.dll | SHGetSpecialFolderPathW
      crtdll.dll | isalnum, isspace
      Name | Ordinal | Address
      ActiveApp | 10 | 0x4d2020
      ActiveAppSpecial | 9 | 0x4d3e6c
      ActiveTrial | 4 | 0x4d34ec
      CheckDbValue | 1 | 0x4cc2c4
      CheckLicenseLocatin | 8 | 0x4d0f14
      CheckTrialInstalled | 3 | 0x4cfc48
      ClearTrialData | 2 | 0x4d5d14
      GetLicenseType | 5 | 0x4d4150
      GetSurplusDays | 6 | 0x4d4354
      ValidateThreadLicense | 7 | 0x4d5e74
      Language of compilation system | Country where language is spoken | Map
      English | United States |
      Chinese | China |
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Oct 10, 2024 20:14:00.273318052 CEST | 53 | 54609 | 1.1.1.1 | 192.168.2.6

      Target ID:0
      Start time:14:13:39
      Start date:10/10/2024
      Path:C:\Windows\System32\loaddll32.exe
      Wow64 process (32bit):true
      Commandline:loaddll32.exe "C:\Users\user\Desktop\Register.dll"
      Imagebase:0x810000
      File size:126'464 bytes
      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:1
      Start time:14:13:39
      Start date:10/10/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff66e660000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:2
      Start time:14:13:39
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
      Imagebase:0x1c0000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:4
      Start time:14:13:39
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveApp
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:5
      Start time:14:13:39
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",#1
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:9
      Start time:14:13:39
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 644
      Imagebase:0x9d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:10
      Start time:14:13:39
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 652
      Imagebase:0x9d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:12
      Start time:14:13:42
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveAppSpecial
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:14
      Start time:14:13:42
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 644
      Imagebase:0x9d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:15
      Start time:14:13:45
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\Register.dll,ActiveTrial
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:16
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveApp
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:17
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveAppSpecial
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:18
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",ActiveTrial
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:19
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",ValidateThreadLicense
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:21
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",GetSurplusDays
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:23
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",GetLicenseType
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:24
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",ClearTrialData
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:25
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckTrialInstalled
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:26
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckLicenseLocatin
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:27
      Start time:14:13:48
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Register.dll",CheckDbValue
      Imagebase:0xe10000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Has exited:true

      Target ID:29
      Start time:14:13:49
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 644
      Imagebase:0x9d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:31
      Start time:14:13:49
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 644
      Imagebase:0x9d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:33
      Start time:14:13:49
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 644
      Imagebase:0x9d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:34
      Start time:14:13:49
      Start date:10/10/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 644
      Imagebase:0x9d0000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Has exited:true

        Execution Graph

        Execution Coverage:1.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:7.5%
        Total number of Nodes:563
        Total number of Limit Nodes:38
64844->64929 64846 4c3f37 64930 408a94 28 API calls 64846->64930 64848 4c3f4c 64931 408a94 28 API calls 64848->64931 64850 4c3f61 64932 408a94 28 API calls 64850->64932 64852 4c3f76 64933 408a94 28 API calls 64852->64933 64854 4c3f8b 64934 408a94 28 API calls 64854->64934 64856 4c3fa0 64935 408a94 28 API calls 64856->64935 64858 4c3fb5 64936 408a94 28 API calls 64858->64936 64860 4c3fca 64860->64836 64862 4c3c1e 64861->64862 64937 4c3e1c 64862->64937 64864 4c3c8c 64864->64808 64866 49f702 64865->64866 64950 42bcf0 64866->64950 64868 49f718 64954 49fb24 LoadCursorW 64868->64954 64871 49f751 64872 49f78d GetDC GetDeviceCaps ReleaseDC 64871->64872 64873 49f7c3 64872->64873 64959 487424 64873->64959 64875 49f7cf 64876 487424 27 API calls 64875->64876 64877 49f7de 64876->64877 64878 487424 27 API calls 64877->64878 64879 49f7f0 64878->64879 64880 487424 27 API calls 64879->64880 64881 49f7ff 64880->64881 64963 4a001c 64881->64963 64883 49f80c 64883->64810 64885 4a0ac7 64884->64885 64886 42bcf0 69 API calls 64885->64886 64887 4a0add 64886->64887 64888 4a0afc 64887->64888 64889 4a0ae7 OleInitialize 64887->64889 64890 487424 27 API calls 64888->64890 64889->64888 64891 4a0b40 64890->64891 64892 4a0bbf LoadIconW 64891->64892 65007 48d28c 64892->65007 64894 4a0be2 64895 4a0bfe GetModuleFileNameW 64894->64895 64896 4a0c2c 64895->64896 64897 4a0c56 CharNextW CharLowerW 64896->64897 64898 4a0c7e 64897->64898 65014 497220 64898->65014 64901 4a0ca0 65017 4a0e80 75 API calls 64901->65017 64902 4a0ca7 65018 4a32e4 25 API calls 64902->65018 64905 4a0ce6 64905->64812 64906->64814 64907->64816 64908->64818 64910 40d541 64909->64910 64912 40d5e7 64910->64912 64922 40d448 64 API calls 64910->64922 64913 40d697 64912->64913 64918 40d61f 64912->64918 64914 405c04 25 API calls 64913->64914 64919 40d695 64914->64919 64915 40d68a 64925 405e44 25 API calls 64915->64925 64916 405ac8 25 API calls 64916->64918 64918->64915 64918->64916 64923 405e44 25 API calls 64918->64923 64924 40d448 64 API 
calls 64918->64924 64919->64826 64922->64912 64923->64918 64924->64918 64925->64919 64926->64839 64927->64842 64928->64844 64929->64846 64930->64848 64931->64850 64932->64852 64933->64854 64934->64856 64935->64858 64936->64860 64938 4c3e2b 64937->64938 64939 4c3e24 64937->64939 64943 4c3e38 64938->64943 64944 4c3e41 64938->64944 64940 4c3e29 64939->64940 64941 4c3e56 SystemParametersInfoW 64939->64941 64942 4c3e67 SendMessageW 64939->64942 64940->64864 64941->64940 64942->64940 64948 4c3da4 6 API calls 64943->64948 64949 4c3d74 SystemParametersInfoW 64944->64949 64947 4c3e48 64947->64864 64948->64940 64949->64947 64951 42bcf7 64950->64951 64953 42bd1c 64951->64953 64985 42beb4 69 API calls 64951->64985 64953->64868 64955 49fb46 64954->64955 64956 49fb5f LoadCursorW 64955->64956 64958 49f73b GetKeyboardLayout 64955->64958 64986 49fc68 64956->64986 64958->64871 64960 48742a 64959->64960 64989 486478 64960->64989 64962 487455 64962->64875 64965 4a0036 64963->64965 64964 4a0068 SystemParametersInfoW 64966 4a007f CreateFontIndirectW 64964->64966 64967 4a0094 GetStockObject 64964->64967 64965->64964 64999 48786c 32 API calls 64966->64999 65000 48786c 32 API calls 64967->65000 64970 4a00a5 SystemParametersInfoW 64972 4a0110 64970->64972 64973 4a00c6 CreateFontIndirectW 64970->64973 64971 4a0092 64971->64970 65004 4879a0 30 API calls 64972->65004 65001 48786c 32 API calls 64973->65001 64976 4a00dc CreateFontIndirectW 65002 48786c 32 API calls 64976->65002 64977 4a011d GetStockObject 65005 48786c 32 API calls 64977->65005 64980 4a00f5 CreateFontIndirectW 65003 48786c 32 API calls 64980->65003 64981 4a0131 GetStockObject 65006 48786c 32 API calls 64981->65006 64984 4a010e 64984->64883 64985->64953 64987 403064 25 API calls 64986->64987 64988 49fc7b 64987->64988 64988->64955 64990 486493 64989->64990 64997 486460 EnterCriticalSection 64990->64997 64992 48649d 64994 403064 25 API calls 64992->64994 64996 4864fa 64992->64996 64994->64996 64995 48654b 64995->64962 64998 48646c 
LeaveCriticalSection 64996->64998 64997->64992 64998->64995 64999->64971 65000->64970 65001->64976 65002->64980 65003->64984 65004->64977 65005->64981 65006->64984 65008 48d2a4 65007->65008 65009 48d2a8 GetIconInfo 65008->65009 65010 48d310 65008->65010 65009->65010 65011 48d2b6 GetObjectW 65009->65011 65010->64894 65012 48d2e9 DeleteObject DeleteObject 65011->65012 65013 48d2d7 65011->65013 65012->64894 65013->65012 65019 42ce78 GetClassInfoW 65014->65019 65017->64902 65018->64905 65020 42cea8 65019->65020 65021 42ced1 65020->65021 65022 42ceb6 UnregisterClassW 65020->65022 65023 42cec7 RegisterClassW 65020->65023 65029 4093f8 65021->65029 65022->65023 65023->65021 65025 42ceff 65026 42cf1c 65025->65026 65033 42cdb0 65025->65033 65026->64901 65026->64902 65028 42cf13 SetWindowLongW 65028->65026 65036 4034d4 65029->65036 65031 40940b CreateWindowExW 65032 409445 65031->65032 65032->65025 65034 42cdc0 VirtualAlloc 65033->65034 65035 42cdee 65033->65035 65034->65035 65035->65028 65036->65031 65038 414a50 65037->65038 65038->65038 65039 414a57 IsValidLocale 65038->65039 65040 414a78 65039->65040 65041 414a7c GetThreadLocale 65039->65041 65109 412538 58 API calls 65040->65109 65041->65040 65043 414a8c 65110 412324 26 API calls 65043->65110 65045 414a9e 65046 405ac8 25 API calls 65045->65046 65047 414aa9 65046->65047 65111 412324 26 API calls 65047->65111 65049 414abe 65112 412324 26 API calls 65049->65112 65051 414adf 65113 412370 GetLocaleInfoW 65051->65113 65053 414afc 65114 412370 GetLocaleInfoW 65053->65114 65055 414b10 65115 412324 26 API calls 65055->65115 65057 414b29 65116 412370 GetLocaleInfoW 65057->65116 65059 414b46 65117 412324 26 API calls 65059->65117 65061 414b5f 65118 4127b0 28 API calls 65061->65118 65063 414b6a 65064 405ac8 25 API calls 65063->65064 65065 414b75 65064->65065 65119 412324 26 API calls 65065->65119 65067 414b8a 65120 4127b0 28 API calls 65067->65120 65069 414b95 65070 405ac8 25 API calls 65069->65070 65071 414ba0 65070->65071 65121 
412370 GetLocaleInfoW 65071->65121 65073 414bb0 65122 412324 26 API calls 65073->65122 65075 414bc9 65076 405ac8 25 API calls 65075->65076 65077 414bd4 65076->65077 65123 412324 26 API calls 65077->65123 65079 414be9 65080 405ac8 25 API calls 65079->65080 65081 414bf4 65080->65081 65082 405b1c 25 API calls 65081->65082 65083 414bfe 65082->65083 65084 405b1c 25 API calls 65083->65084 65085 414c08 65084->65085 65124 412324 26 API calls 65085->65124 65087 414c1d 65088 414c2b 65087->65088 65089 414c3a 65087->65089 65090 405b1c 25 API calls 65088->65090 65091 405b1c 25 API calls 65089->65091 65092 414c38 65090->65092 65091->65092 65125 412324 26 API calls 65092->65125 65094 414c9a 65127 406080 25 API calls 65094->65127 65095 414c5c 65095->65094 65126 412324 26 API calls 65095->65126 65098 414c7f 65103 414c8d 65098->65103 65104 414c9c 65098->65104 65105 405b1c 25 API calls 65103->65105 65106 405b1c 25 API calls 65104->65106 65105->65094 65106->65094 65109->65043 65110->65045 65111->65049 65112->65051 65113->65053 65114->65055 65115->65057 65116->65059 65117->65061 65118->65063 65119->65067 65120->65069 65121->65073 65122->65075 65123->65079 65124->65087 65125->65095 65126->65098 65129 401778 65128->65129 65129->64767 65131 403001 CloseHandle 65130->65131 65132 403013 65130->65132 65131->65132 65133 403021 65132->65133 65152 402a18 VirtualQuery Sleep Sleep VirtualAlloc MessageBoxA 65132->65152 65135 403043 65133->65135 65136 40302a VirtualFree 65133->65136 65146 402f68 65135->65146 65136->65135 65140 42cf48 65139->65140 65140->64728 65142 413914 65141->65142 65143 4138f4 65141->65143 65142->64728 65144 4138f7 InterlockedCompareExchange 65143->65144 65144->65144 65145 413905 CloseHandle 65144->65145 65145->65142 65145->65144 65147 402f8d 65146->65147 65148 402f7b VirtualFree 65147->65148 65149 402f91 65147->65149 65148->65147 65149->65149 65150 402fd8 VirtualFree 65149->65150 65151 402fee 65149->65151 65150->65149 65151->64728 65152->65133 65153 430314 65154 430341 
65153->65154 65155 430350 RaiseException 65154->65155 65156 430393 65155->65156 65157 405030 25 API calls 65156->65157 65158 4303a8 65157->65158 65159 4c5024 65160 4c5106 65159->65160 65161 4c5050 65159->65161 65181 4b2e80 26 API calls 65161->65181 65163 4c5070 65164 405ac8 25 API calls 65163->65164 65165 4c507b 65164->65165 65166 4c507f 65165->65166 65167 4c509a 65165->65167 65186 4b2ec8 26 API calls 65166->65186 65169 405ac8 25 API calls 65167->65169 65173 4c5098 65169->65173 65170 4c508d 65171 405ac8 25 API calls 65170->65171 65171->65173 65172 4c50e7 GetCursorPos 65182 4c51d8 65172->65182 65173->65172 65187 406274 26 API calls 65173->65187 65177 4c50cb 65188 40c498 64 API calls 65177->65188 65179 4c50d3 65189 406274 26 API calls 65179->65189 65181->65163 65183 4c5200 65182->65183 65190 4c5140 65183->65190 65186->65170 65187->65177 65188->65179 65189->65172 65204 4c4968 65190->65204 65192 4c5163 65193 405ac8 25 API calls 65192->65193 65194 4c5180 65193->65194 65195 405ac8 25 API calls 65194->65195 65196 4c518e 65195->65196 65197 4c51bf 65196->65197 65198 4c51ab 65196->65198 65211 4c58ac 66 API calls 65197->65211 65210 4c5214 74 API calls 65198->65210 65201 4c51ba 65201->65160 65202 4c51c6 65212 4c58b8 SetEvent 65202->65212 65205 4c496e 65204->65205 65213 4c09bc 65205->65213 65207 4c4983 65221 4880bc 29 API calls 65207->65221 65209 4c49bd 65209->65192 65210->65201 65211->65202 65212->65201 65214 4c09c6 65213->65214 65222 4b9170 65214->65222 65216 4c09dc 65239 488110 69 API calls 65216->65239 65218 4c09e8 65240 4b4a5c 94 API calls 65218->65240 65220 4c09f9 65220->65207 65221->65209 65223 4b9181 65222->65223 65241 4b5028 71 API calls 65223->65241 65225 4b91a5 65226 42cdb0 VirtualAlloc 65225->65226 65227 4b91b0 65226->65227 65242 487dc4 27 API calls 65227->65242 65229 4b91c2 65243 487f80 29 API calls 65229->65243 65231 4b91d4 65232 4b9205 65231->65232 65233 4b9214 65231->65233 65234 405ac8 25 API calls 65232->65234 65244 49fed8 65233->65244 65238 4b9212 65234->65238 
65237 405ac8 25 API calls 65237->65238 65238->65216 65239->65218 65240->65220 65241->65225 65242->65229 65243->65231 65249 49fc94 65244->65249 65246 49fee5 65247 405ac8 25 API calls 65246->65247 65248 49feef 65247->65248 65248->65237 65250 49fcc4 65249->65250 65253 49fe11 65249->65253 65251 405ac8 25 API calls 65250->65251 65252 49fce3 GetKeyboardLayoutList 65251->65252 65252->65253 65254 49fcfa 65252->65254 65253->65246 65254->65253 65260 40d484 65254->65260 65257 49fd61 RegQueryValueExW 65258 49fde6 RegCloseKey 65257->65258 65259 49fd97 65257->65259 65258->65246 65259->65258 65261 40d4b3 RegOpenKeyExW 65260->65261 65262 40d494 65260->65262 65261->65254 65261->65257 65262->65261 65264 40d930 64 API calls 65262->65264 65264->65261 65265 425808 65267 425830 65265->65267 65266 425863 65267->65266 65269 426c9c 65267->65269 65270 426d53 65269->65270 65271 426cc5 65269->65271 65272 405b1c 25 API calls 65270->65272 65273 405b1c 25 API calls 65271->65273 65275 426d5d 65272->65275 65274 426ccf 65273->65274 65276 405b1c 25 API calls 65274->65276 65277 405b1c 25 API calls 65275->65277 65278 426cd9 65276->65278 65279 426d67 65277->65279 65280 426d3c CompareStringW 65278->65280 65281 426dca CompareStringW 65279->65281 65282 426ddc 65280->65282 65281->65282 65282->65267 65283 40274c 65284 402792 65283->65284 65287 402755 65283->65287 65285 4027b3 65284->65285 65286 40279b VirtualAlloc 65284->65286 65286->65285 65287->65284 65288 402760 Sleep 65287->65288 65289 402775 65288->65289 65289->65284 65290 402779 Sleep 65289->65290 65290->65287 65291 40828e GetSystemInfo

        Control-flow Graph

        APIs
        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 00407830
        • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00407850
        • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 0040786E
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 0040788C
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 004078AA
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00407948,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 004078F3
        • RegQueryValueExW.ADVAPI32(?,00407B3C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00407948,?,80000001), ref: 00407911
        • RegCloseKey.ADVAPI32(?,0040794F,00000000,?,?,00000000,00407948,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00407942
        • lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 0040795F
        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 0040796C
        • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00407972
        • lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004079A0
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004079F6
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A06
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00407A36
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A46
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00407A75
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Openlstrcpyn$LibraryLoadLocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
        • API String ID: 3838733197-345420546
        • Opcode ID: 500d4192f3f4e426a2eb95fc7c74454a14723a9b485bc85c23f25a13682dcbc3
        • Instruction ID: df7b2f64f77610473c608735449ab92d2de2882fab8bbccedbc06d43c0b3ff5e
        • Opcode Fuzzy Hash: 500d4192f3f4e426a2eb95fc7c74454a14723a9b485bc85c23f25a13682dcbc3
        • Instruction Fuzzy Hash: 28614571E443197AFB10D6E5CC46FEF72AC9B08704F4441B7BA00F65D1E6BCAA448B6A

        Control-flow Graph

        Control-flow graph of the function at 0040794F (basic blocks 0040794F-00407A93, executed and not-executed blocks colour-coded in the original report; the API calls made from these blocks are listed under APIs below)
        APIs
        • lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 0040795F
        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 0040796C
        • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00407972
        • lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004079A0
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004079F6
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A06
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00407A36
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A46
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00407A75
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?), ref: 00407A85
        Strings
        Memory Dump Source / Joe Sandbox IDA Plugin: identical to the first function block above (source file 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp at offset 00400000, snapshot hcaresult_0_2_400000_loaddll32.jbxd)
        Similarity
        • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
        • API String ID: 1599918012-345420546
        • Opcode ID: 721b4a117ea3b6873f3d4d86906d600b8069c49196d51dcd95da48f69cb588c4
        • Instruction ID: 84544b6faddad3eb6ad1ca77c7f63bd3b6cde16c802c52dd98678ec739623eb9
        • Opcode Fuzzy Hash: 721b4a117ea3b6873f3d4d86906d600b8069c49196d51dcd95da48f69cb588c4
        • Instruction Fuzzy Hash: 2831B871E0021966EB21D6E4DC49FEF62BD9B08314F4041B7A900F76C1F6BCAE444FAA
        APIs
        • GetVersion.KERNEL32(00000000,004D813F), ref: 004D80DA
          • Part of subcall function 004C4368: GetCurrentProcessId.KERNEL32(?,00000000,004C44F3), ref: 004C4389
          • Part of subcall function 004C4368: GlobalAddAtomW.KERNEL32(00000000), ref: 004C43BC
          • Part of subcall function 004C4368: GetCurrentThreadId.KERNEL32 ref: 004C43D7
          • Part of subcall function 004C4368: GlobalAddAtomW.KERNEL32(00000000), ref: 004C440D
          • Part of subcall function 004C4368: RegisterWindowMessageW.USER32(00000000,00000000,?,?,00000000,004C44F3), ref: 004C4423
          • Part of subcall function 004C4368: GetModuleHandleW.KERNEL32(USER32,00000000,00000000,?,?,00000000,004C44F3), ref: 004C44A6
        Strings
        Memory Dump Source / Joe Sandbox IDA Plugin: identical to the first function block above (source file 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp at offset 00400000, snapshot hcaresult_0_2_400000_loaddll32.jbxd)
        Similarity
        • API ID: AtomCurrentGlobal$HandleMessageModuleProcessRegisterThreadVersionWindow
        • String ID: J
        • API String ID: 3196784325-3962827965
        • Opcode ID: efd5b1783374d5782e50a06fde42e24064fdaa86a57068f62f9870869c5b2e63
        • Instruction ID: 01757a7481c3e47eb77a1f15dea223faa87409544d0b0a5fb043de73d9a5a9d4
        • Opcode Fuzzy Hash: efd5b1783374d5782e50a06fde42e24064fdaa86a57068f62f9870869c5b2e63
        • Instruction Fuzzy Hash: A2F0FF343042444BE701EF2AFD6283A37BDF75A7887D1453AF65447676CA3CAC228A5D
        APIs
        Memory Dump Source / Joe Sandbox IDA Plugin: identical to the first function block above (source file 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp at offset 00400000, snapshot hcaresult_0_2_400000_loaddll32.jbxd)
        Similarity
        • API ID: InfoSystem
        • String ID:
        • API String ID: 31276548-0
        • Opcode ID: 0ef9315fa0addcb004a16f9bb7b60b1bf41dd01ffd9b44470a51e98d2a209b44
        • Instruction ID: a2ad52d0e49e74ac93d16fd1bc8dcb7af829259f33293182aadfecf5cd0cac90
        • Opcode Fuzzy Hash: 0ef9315fa0addcb004a16f9bb7b60b1bf41dd01ffd9b44470a51e98d2a209b44
        • Instruction Fuzzy Hash: FFB012106084020BC604A72D4C4344F31C01A81324FC40234745CF62E2F61DC9A503EB

        Control-flow Graph

        APIs
        • SetErrorMode.KERNEL32(00008000), ref: 004C3E99
        • GetModuleHandleW.KERNEL32(USER32,00000000,004C3FE6,?,00008000), ref: 004C3EBD
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        • LoadLibraryW.KERNEL32(imm32.dll,00000000,004C3FE6,?,00008000), ref: 004C3EE6
        • SetErrorMode.KERNEL32(?,004C3FED,00008000), ref: 004C3FE0
        Strings
        Memory Dump Source / Joe Sandbox IDA Plugin: identical to the first function block above (source file 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp at offset 00400000, snapshot hcaresult_0_2_400000_loaddll32.jbxd)
        Similarity
        • API ID: ErrorMode$AddressHandleLibraryLoadModuleProc
        • String ID: ImmGetCompositionStringW$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontW$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$L|N$USER32$WINNLSEnableIME$imm32.dll
        • API String ID: 380357001-891999730

        Control-flow Graph

        APIs
        • GetCurrentProcessId.KERNEL32(?,00000000,004C44F3), ref: 004C4389
        • GlobalAddAtomW.KERNEL32(00000000), ref: 004C43BC
        • GetCurrentThreadId.KERNEL32 ref: 004C43D7
        • GlobalAddAtomW.KERNEL32(00000000), ref: 004C440D
        • RegisterWindowMessageW.USER32(00000000,00000000,?,?,00000000,004C44F3), ref: 004C4423
          • Part of subcall function 00423E34: InitializeCriticalSection.KERNEL32(00420FD0,?,?,0046798C,00000000), ref: 00423E53
          • Part of subcall function 004C3E80: SetErrorMode.KERNEL32(00008000), ref: 004C3E99
          • Part of subcall function 004C3E80: GetModuleHandleW.KERNEL32(USER32,00000000,004C3FE6,?,00008000), ref: 004C3EBD
          • Part of subcall function 004C3E80: LoadLibraryW.KERNEL32(imm32.dll,00000000,004C3FE6,?,00008000), ref: 004C3EE6
          • Part of subcall function 004C3E80: SetErrorMode.KERNEL32(?,004C3FED,00008000), ref: 004C3FE0
          • Part of subcall function 0049F6F8: GetKeyboardLayout.USER32(00000000), ref: 0049F73D
          • Part of subcall function 0049F6F8: GetDC.USER32(00000000), ref: 0049F792
          • Part of subcall function 0049F6F8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0049F79C
          • Part of subcall function 0049F6F8: ReleaseDC.USER32(00000000,00000000), ref: 0049F7A7
          • Part of subcall function 004A0AB8: OleInitialize.OLE32(00000000), ref: 004A0AE9
          • Part of subcall function 004A0AB8: LoadIconW.USER32(00000000,MAINICON), ref: 004A0BD4
          • Part of subcall function 004A0AB8: GetModuleFileNameW.KERNEL32(00000000,?,00000100,00000000,MAINICON), ref: 004A0C18
        • GetModuleHandleW.KERNEL32(USER32,00000000,00000000,?,?,00000000,004C44F3), ref: 004C44A6
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Module$AtomCurrentErrorGlobalHandleInitializeLoadMode$AddressCapsCriticalDeviceFileIconKeyboardLayoutLibraryMessageNameProcProcessRegisterReleaseSectionThreadWindow
        • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
        • API String ID: 2902964639-1126952177

        Control-flow Graph

        APIs
        • OleInitialize.OLE32(00000000), ref: 004A0AE9
        • LoadIconW.USER32(00000000,MAINICON), ref: 004A0BD4
        • GetModuleFileNameW.KERNEL32(00000000,?,00000100,00000000,MAINICON), ref: 004A0C18
        • CharNextW.USER32(?,00000000,?,00000100,00000000,MAINICON), ref: 004A0C5D
        • CharLowerW.USER32(00000000,?,00000000,?,00000100,00000000,MAINICON), ref: 004A0C63
          • Part of subcall function 004A0E80: GetClassInfoW.USER32(00400000,004A0A9C,?), ref: 004A0EE2
          • Part of subcall function 004A0E80: RegisterClassW.USER32(004E344C), ref: 004A0EFA
          • Part of subcall function 004A0E80: SetWindowLongW.USER32(?,000000FC,?), ref: 004A0F9A
          • Part of subcall function 004A0E80: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 004A0FBF
        Strings
        Similarity
        • API ID: CharClass$FileIconInfoInitializeLoadLongLowerMessageModuleNameNextRegisterSendWindow
        • String ID: 8PN$@PN$MAINICON$TbH
        • API String ID: 896494604-1834456522

        Control-flow Graph

        APIs
        • IsValidLocale.KERNEL32(?,00000001,00000000,00414D0E,?,?,?,?,00000000,00000000), ref: 00414A6F
        • GetThreadLocale.KERNEL32(?,00000001,00000000,00414D0E,?,?,?,?,00000000,00000000), ref: 00414A7C
          • Part of subcall function 00412370: GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00414710,00000000,0041493A,?,?,00000000,00000000), ref: 00412383
          • Part of subcall function 00412324: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        Strings
        Similarity
        • API ID: Locale$Info$ThreadValid
        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
        • API String ID: 233154393-2493093252

        Control-flow Graph

        APIs
        • GetKeyboardLayoutList.USER32(00000040,?,00000000,0049FE41,?,00000000,?,0049FEE5,00000000,?,004B9223), ref: 0049FCEC
        • RegOpenKeyExW.ADVAPI32(80000002,00000000), ref: 0049FD54
        • RegQueryValueExW.ADVAPI32(?,layout text,00000000,00000000,?,00000200,00000000,0049FDFD,?,80000002,00000000), ref: 0049FD8E
        • RegCloseKey.ADVAPI32(?,0049FE04,00000000,?,00000200,00000000,0049FDFD,?,80000002,00000000), ref: 0049FDF7
        Strings
        • layout text, xrefs: 0049FD85
        • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0049FD3E
        Similarity
        • API ID: CloseKeyboardLayoutListOpenQueryValue
        • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
        • API String ID: 1703357764-2652665750

        Control-flow Graph

        APIs
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004079F6
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A06
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00407A36
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A46
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00407A75
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?), ref: 00407A85
        Similarity
        • API ID: LibraryLoadlstrcpyn
        • String ID:
        • API String ID: 4087624111-0

        Control-flow Graph

        APIs
        • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0048D492
          • Part of subcall function 0048D428: GetDC.USER32(00000000), ref: 0048D431
          • Part of subcall function 0048D428: SelectObject.GDI32(00000000,058A00B4), ref: 0048D443
          • Part of subcall function 0048D428: GetTextMetricsW.GDI32(00000000), ref: 0048D44E
          • Part of subcall function 0048D428: ReleaseDC.USER32(00000000,00000000), ref: 0048D45F
        Strings
        • Tahoma, xrefs: 0048D4B4
        • MS Shell Dlg 2, xrefs: 0048D4FC
        • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0048D4E8
        Similarity
        • API ID: MetricsObjectReleaseSelectText
        • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
        • API String ID: 2013942131-1011973972

        Control-flow Graph

        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00404B1F
        Similarity
        • API ID: CurrentThread
        • String ID:
        • API String ID: 2882836952-0

        Control-flow Graph

        APIs
        • GetClassInfoW.USER32(00400000,0042CE5C,?), ref: 0042CE99
        • UnregisterClassW.USER32(0042CE5C,00400000), ref: 0042CEC2
        • RegisterClassW.USER32(004D9D9C), ref: 0042CECC
        • SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 0042CF17
        Similarity
        • API ID: Class$InfoLongRegisterUnregisterWindow
        • String ID:
        • API String ID: 4025006896-0

        Control-flow Graph

        APIs
        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00455FE7
        Strings
        Similarity
        • API ID: QueryValue
        • String ID: InstallLocation$`XE
        • API String ID: 3660427363-1060252270

        Control-flow Graph

        APIs
        • LoadCursorW.USER32(00000000,00007F00), ref: 0049FB31
        • LoadCursorW.USER32(00000000,00000000), ref: 0049FB63
        Strings
        Similarity
        • API ID: CursorLoad
        • String ID: 3N
        • API String ID: 3238433803-2168364347
        • Opcode ID: 454eb69b7fa905ff21c8c73c97dc5099a9daec728a0f2fa1944e5fa7f0942d08
        • Instruction ID: 1a2071ff0d4d260c5d151b197ca9503db8e0b3940d429ea436de1c192c05c888
        • Opcode Fuzzy Hash: 454eb69b7fa905ff21c8c73c97dc5099a9daec728a0f2fa1944e5fa7f0942d08
        • Instruction Fuzzy Hash: FBF08221B042455ADE201D3E9CE4E6AB6549B86379F20037BFA3ADB3D2C63E3C095259

        Control-flow Graph

        APIs
        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,00000000,00455E71,?,?,?,00000000), ref: 00455D39
        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,?,00000000,00000000,00000000,00000200,?,00000000,00455E71), ref: 00455DA9
        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,00000000,00000000,00000000,00000000,00000200,?,?,00000000,00000000,00000000,00000200), ref: 00455E14
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Open
        • String ID:
        • API String ID: 71445658-0
        • Opcode ID: 5c99e64d9ac875954756ed6435d01a05ca2fe1650ad07db8ac1f5e97718b33f2
        • Instruction ID: 7eb8e3fa54d4dfee1b8c01da266d2d295de670e3b5851d55b12553ac02ff90dc
        • Opcode Fuzzy Hash: 5c99e64d9ac875954756ed6435d01a05ca2fe1650ad07db8ac1f5e97718b33f2
        • Instruction Fuzzy Hash: E6418431A00648AFDB11DBA5C952BAFB7FAAF44304F14447AE845E3282D739AF09D748

        Control-flow Graph

        • Executed
        • Not Executed
        (rendered control-flow graph for the block range 404e10-404f3a not reproduced in text)
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00404E49
        • FreeLibrary.KERNEL32(?,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?,?,?,00000000,004CC2EF,00000000,004CC8C5), ref: 00404EEA
        • ExitProcess.KERNEL32(00000000,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?,?,?,00000000,004CC2EF,00000000,004CC8C5), ref: 00404F26
          • Part of subcall function 00404D88: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?), ref: 00404DC1
          • Part of subcall function 00404D88: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?), ref: 00404DC7
          • Part of subcall function 00404D88: GetStdHandle.KERNEL32(000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DDC
          • Part of subcall function 00404D88: WriteFile.KERNEL32(00000000,000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DE2
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
        • String ID:
        • API String ID: 3490077880-0
        • Opcode ID: 3a510c3d8eac600e3ed01f950aa1dcfbaa33a251efc81b8e0ab84cc41c3c1934
        • Instruction ID: c7c54e6acb995d1982034f90c910905c770fa1ecdb0f9c6ce7186561b57da557
        • Opcode Fuzzy Hash: 3a510c3d8eac600e3ed01f950aa1dcfbaa33a251efc81b8e0ab84cc41c3c1934
        • Instruction Fuzzy Hash: 46317CB06007819BDB21AB6AD44431B77E4BB85319F14093FEA45A72D2D77CAC84C79D
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00404E49
        • FreeLibrary.KERNEL32(?,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?,?,?,00000000,004CC2EF,00000000,004CC8C5), ref: 00404EEA
        • ExitProcess.KERNEL32(00000000,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?,?,?,00000000,004CC2EF,00000000,004CC8C5), ref: 00404F26
          • Part of subcall function 00404D88: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?), ref: 00404DC1
          • Part of subcall function 00404D88: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?), ref: 00404DC7
          • Part of subcall function 00404D88: GetStdHandle.KERNEL32(000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DDC
          • Part of subcall function 00404D88: WriteFile.KERNEL32(00000000,000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DE2
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
        • String ID:
        • API String ID: 3490077880-0
        • Opcode ID: c9f10abeb9beff64c4f3664fc6e53b21f3131cbf94bae428dbdfaea60875fd3f
        • Instruction ID: 0be002a84211980aad116d29880896150f66676622047af6f2d7b76887e8cc9e
        • Opcode Fuzzy Hash: c9f10abeb9beff64c4f3664fc6e53b21f3131cbf94bae428dbdfaea60875fd3f
        • Instruction Fuzzy Hash: 3D317CB06007419BDB31AB6AD44431B77E4BB84329F14093FEA45A72D2D77CAC84C79D
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00404E49
        • FreeLibrary.KERNEL32(?,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?,?,?,00000000,004CC2EF,00000000,004CC8C5), ref: 00404EEA
        • ExitProcess.KERNEL32(00000000,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?,?,?,00000000,004CC2EF,00000000,004CC8C5), ref: 00404F26
          • Part of subcall function 00404D88: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?), ref: 00404DC1
          • Part of subcall function 00404D88: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?), ref: 00404DC7
          • Part of subcall function 00404D88: GetStdHandle.KERNEL32(000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DDC
          • Part of subcall function 00404D88: WriteFile.KERNEL32(00000000,000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DE2
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
        • String ID:
        • API String ID: 3490077880-0
        • Opcode ID: 0e0c1b54ca9e053ead282132443379d6df272fa166be396e3c3a4253a96b82fd
        • Instruction ID: be900ea35cb96547b2be9896443e0edb1bb9352df2e657ef9c7657c70b0bcc75
        • Opcode Fuzzy Hash: 0e0c1b54ca9e053ead282132443379d6df272fa166be396e3c3a4253a96b82fd
        • Instruction Fuzzy Hash: 38317AB06007419BDB31AB6AD84432B77E4BB84329F14093FEA45A72D2D77CAC84C79D
        APIs
        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00403048,0040831C,00000000,0040833E), ref: 00402F86
        • VirtualFree.KERNEL32(004E7AD0,00000000,00008000,?,00000000,00008000,?,?,?,?,00403048,0040831C,00000000,0040833E), ref: 00402FE3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FreeVirtual
        • String ID: ,ZN
        • API String ID: 1263568516-522633183
        • Opcode ID: 60d20abf055a17ad645a1884a6d839c4a8181165956ad31abb4e6e2b95bbe60b
        • Instruction ID: 64ade28bec2072259d7986017751c429aaaa68e194364b5b833737e77676105c
        • Opcode Fuzzy Hash: 60d20abf055a17ad645a1884a6d839c4a8181165956ad31abb4e6e2b95bbe60b
        • Instruction Fuzzy Hash: 181161713006019BC7149F059A84B26BAA5EB84754F29C07EF209AF3D2D6B8EC02DB58
        APIs
        • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401E53,?,00401B26), ref: 0040185A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID: ,ZN$,ZN
        • API String ID: 4275171209-277880715
        • Opcode ID: 3b95f647205e982edb36745675ad3542bea169b2280bb8a893d17a7c88b328cf
        • Instruction ID: de1504ff1474c9a49c600275acd639b721de49a4ecbb0d66a55633acd36d1602
        • Opcode Fuzzy Hash: 3b95f647205e982edb36745675ad3542bea169b2280bb8a893d17a7c88b328cf
        • Instruction Fuzzy Hash: B6F04FF1B117404BDB149F799DC17167AD6B78930CF10823EE509DFBA9E77484018708
        APIs
        • Sleep.KERNEL32(00000000,00402816,?,?,?,004028A9), ref: 00402762
        • Sleep.KERNEL32(0000000A,00000000,00402816,?,?,?,004028A9), ref: 0040277B
        • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,00402816,?,?,?,004028A9), ref: 004027A9
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Sleep$AllocVirtual
        • String ID:
        • API String ID: 3510833457-0
        • Opcode ID: 23a1573e0544ad60a2eb7342b4b371c819cc43349ec3640cc67e0e4135d412cf
        • Instruction ID: 68f347ffa438d19a7863e3948cb3eb8e35cb458c138dde4e43f55bbedbf88d93
        • Opcode Fuzzy Hash: 23a1573e0544ad60a2eb7342b4b371c819cc43349ec3640cc67e0e4135d412cf
        • Instruction Fuzzy Hash: ADF05824A8838065EF20B7316E8A75B228097117ADF10047BF6423F2E3C7FC0589820E
        APIs
        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00455EF8,?,InstallLocation,?,InstallLocation,?,00455EF8), ref: 00455EC6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: QueryValue
        • String ID: InstallLocation
        • API String ID: 3660427363-779285727
        • Opcode ID: 2297c62739d228c3ad2dd79bc23fc9af415a6b3fa80245ffa2b0c02291cef3a9
        • Instruction ID: 339418a17dea5f17fa901b5cdf8604e0a36cfb6031989b344c9d5cc35275aaae
        • Opcode Fuzzy Hash: 2297c62739d228c3ad2dd79bc23fc9af415a6b3fa80245ffa2b0c02291cef3a9
        • Instruction Fuzzy Hash: EBF05E623092446BD704EA6D9C41BAB7B9C9B85314F04807FF588C7682DA24D9088369
        APIs
        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00455EF8,?,InstallLocation,?,InstallLocation,?,00455EF8), ref: 00455EC6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: QueryValue
        • String ID: InstallLocation
        • API String ID: 3660427363-779285727
        • Opcode ID: 29368faf28512232a31da5a9f275ec1ddbb373fdef311237ef5867f50f5e29dc
        • Instruction ID: 6b10f4f9ec51a46b811b7a63492c64e8c85db4dfc0d0eb82bccbc1d05a0f7fca
        • Opcode Fuzzy Hash: 29368faf28512232a31da5a9f275ec1ddbb373fdef311237ef5867f50f5e29dc
        • Instruction Fuzzy Hash: C1F030623095046BE714EA6E9D41FAB7BDCDB84355F00843FF548C7681DA25DD088375
        APIs
        • CompareStringW.KERNEL32(00000400,00000000,00000000,?,00000000,?), ref: 00426D44
        • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?), ref: 00426DD2
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CompareString
        • String ID:
        • API String ID: 1825529933-0
        • Opcode ID: 86d1ad3d5bc14e5a3b6ff7cea29ab51c09b72f9fe867fc84c2e42b7fc86bb840
        • Instruction ID: 1bce3101b33b97643a0eb353b1ecb527c83228c91fff1d79e3d3d4158c065343
        • Opcode Fuzzy Hash: 86d1ad3d5bc14e5a3b6ff7cea29ab51c09b72f9fe867fc84c2e42b7fc86bb840
        • Instruction Fuzzy Hash: 7541B030B10629ABDB11EA75DC81B9F77B9EB44304F914076E900BB385DAB8EE458A58
        APIs
        • InterlockedCompareExchange.KERNEL32(004E7CC0,00000001,00000000), ref: 004138FC
        • CloseHandle.KERNEL32(00000000,004E7CC0,00000001,00000000,?,004E7DC4,0041394C,004E7DC4,00000000,?,00416CB6,00000000,00416E09), ref: 00413909
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CloseCompareExchangeHandleInterlocked
        • String ID:
        • API String ID: 190309047-0
        • Opcode ID: 3bbec4778a91aedce7472e5aa3d558aeb313e082580421108cd454a49d7ded8a
        • Instruction ID: e54bd33386a032dc7774e809027da82d755ded60fd501a02c9747f3c79182234
        • Opcode Fuzzy Hash: 3bbec4778a91aedce7472e5aa3d558aeb313e082580421108cd454a49d7ded8a
        • Instruction Fuzzy Hash: B8D0A7F2B6172123EA31366D0DC2FB7418C8B4479AF004027BE50FA282D6ACCD4002BC
        APIs
        • GetWindowLongW.USER32(00000000,000000FC), ref: 0042CF33
        • DestroyWindow.USER32(00000000,00000000,000000FC,?,00000000,004B3243,00000000,004B442F,00000000,004B465B,?,00000000,004B46CD), ref: 0042CF3B
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$DestroyLong
        • String ID:
        • API String ID: 2871862000-0
        • Opcode ID: 7431ecd0ede584e7bfedf30e914707dcbfa860c0608cedf6fbb4df61a3470ec6
        • Instruction ID: 43ee0e9654e4ebe9e0edbe1a5bc298a8662444e6da4e27b5bc3ae55f0d7ba048
        • Opcode Fuzzy Hash: 7431ecd0ede584e7bfedf30e914707dcbfa860c0608cedf6fbb4df61a3470ec6
        • Instruction Fuzzy Hash: 0BC0801131253215D531327D2DC18BF014D8C452B4751037FF550E51C3CE3D0D4102DD
        APIs
        • CloseHandle.KERNEL32(00000000,0040831C,00000000,0040833E), ref: 00403007
        • VirtualFree.KERNEL32(00000000,00000000,00008000,0040831C,00000000,0040833E), ref: 00403037
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CloseFreeHandleVirtual
        • String ID:
        • API String ID: 2443081362-0
        • Opcode ID: c451ce46beba0515f857010a0ef1d65deec6d602ce3159fc372c08066ee37b42
        • Instruction ID: b68f04d5c8c7ca231670352096a3bcd79d5a6461fe98b54050ce13139f421483
        • Opcode Fuzzy Hash: c451ce46beba0515f857010a0ef1d65deec6d602ce3159fc372c08066ee37b42
        • Instruction Fuzzy Hash: 3CE0E5749082809ADB60EB75AC8974B26D8E704359F14047AA101AA9E3D7BC47C4CB0C
        APIs
        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,00000000,00455E71,?,?,?,00000000), ref: 00455D39
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Open
        • String ID:
        • API String ID: 71445658-0
        • Opcode ID: 2f440508c5680e4cfa5d6386d9114472fc9e0cd71971e58d01c444e0fd6f812e
        • Instruction ID: a4ae3f5a1a4ed38312c9ca041c1909ea04a79e3b6359ff122a38a6224e6f66cd
        • Opcode Fuzzy Hash: 2f440508c5680e4cfa5d6386d9114472fc9e0cd71971e58d01c444e0fd6f812e
        • Instruction Fuzzy Hash: 3621C731A04A44AFDB11DB65C862BAEB7F9DB44304F14407AE845E3683D63D9F09D748
        APIs
        • RaiseException.KERNEL32(406D1388,00000000,00000004,00001000,00000000,00430389,?,00000000,004303A9), ref: 0043037A
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ExceptionRaise
        • String ID:
        • API String ID: 3997070919-0
        • Opcode ID: aaa21181d0cd41feac223646c09e8e3ebaa914546c0ee4c35471368cf147714f
        • Instruction ID: 2edde985e47b0314ced98806a66aa516f40345392f25052c84e6695f70a2a573
        • Opcode Fuzzy Hash: aaa21181d0cd41feac223646c09e8e3ebaa914546c0ee4c35471368cf147714f
        • Instruction Fuzzy Hash: 8C018071614608AFE711DFA5DC22A5FBBFCEB89710F61457AF804E26D0E6785E008A68
        APIs
        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409437
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CreateWindow
        • String ID:
        • API String ID: 716092398-0
        • Opcode ID: 5d79dc1d150812a74f68fa7706fa2beab0d892f6ba99adc312daa151b57a2822
        • Instruction ID: 98720d54b23087314b148b8a69a058bdf383c0a3bb0f14c0e4776b0a0ff7c045
        • Opcode Fuzzy Hash: 5d79dc1d150812a74f68fa7706fa2beab0d892f6ba99adc312daa151b57a2822
        • Instruction Fuzzy Hash: 9FF074B2704158BF9B84DE9EDC81D9B77ECEB4C264B054169BA0CD7241D634ED108BA4
        APIs
        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409437
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CreateWindow
        • String ID:
        • API String ID: 716092398-0
        • Opcode ID: c8a3575097422ecc91b89690a66d94928a93d395be7ff5566125bd86243a52f9
        • Instruction ID: a8eb29dffa521f169027adbe36a3955fa50e3f1e7fcc5986cd68263037f3546d
        • Opcode Fuzzy Hash: c8a3575097422ecc91b89690a66d94928a93d395be7ff5566125bd86243a52f9
        • Instruction Fuzzy Hash: 3CF074B2604158BF8B84DE9EDC81D9B77ECEB4C264B054169BA0CD7241D634ED108BA4
        APIs
        • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00407592
          • Part of subcall function 00407814: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 00407830
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 00407850
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,?,00000000), ref: 0040786E
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 0040788C
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 004078AA
          • Part of subcall function 00407814: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00407948,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 004078F3
          • Part of subcall function 00407814: RegQueryValueExW.ADVAPI32(?,00407B3C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00407948,?,80000001), ref: 00407911
          • Part of subcall function 00407814: RegCloseKey.ADVAPI32(?,0040794F,00000000,?,?,00000000,00407948,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00407942
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Open$FileModuleNameQueryValue$Close
        • String ID:
        • API String ID: 2796650324-0
        • Opcode ID: d2b5520c25cc607b631faaef4382f4f52f25dc6b420cd36ee7423438a50a4f0b
        • Instruction ID: 15bc9e0eae040b997de83f91aae6423356b4c95741ec3523426e05a1fedf3b8f
        • Opcode Fuzzy Hash: d2b5520c25cc607b631faaef4382f4f52f25dc6b420cd36ee7423438a50a4f0b
        • Instruction Fuzzy Hash: 58E0C971A05310AFDB14EE58C8C5A473798AB48754F0449A6AD28DF386D379D91087E6
        APIs
          • Part of subcall function 004083FC: TlsGetValue.KERNEL32(00000011), ref: 00408414
          • Part of subcall function 004083FC: LocalFree.KERNEL32(00000000,00000011), ref: 0040841E
          • Part of subcall function 004083FC: TlsSetValue.KERNEL32(00000011,00000000,00000000,00000011), ref: 0040842B
        • TlsFree.KERNEL32(00000011), ref: 00408451
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FreeValue$Local
        • String ID:
        • API String ID: 2930853931-0
        • Opcode ID: 99232574cc78b752e027a03fd78bf1ec8929b228a358dcf73fb4725d1f82c4cf
        • Instruction ID: b05da07eb0eb64a267477ff6b02b43038b3143724809bb641178b77eeec8c2e1
        • Opcode Fuzzy Hash: 99232574cc78b752e027a03fd78bf1ec8929b228a358dcf73fb4725d1f82c4cf
        • Instruction Fuzzy Hash: 2CC01220100202C6EE207BAE8A1560A2308A750328B88863F28A0F21E3EE3C8802CA1C
        APIs
        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0042CDCE
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: e9a9ebc85c4420921d348b36584d1a19baf88346eb3c1ad9c9815b67b63e27e5
        • Instruction ID: 20e24bef9e3a4877ae098f34533155ea9661877811daeba9fbce7bb77a1ed721
        • Opcode Fuzzy Hash: e9a9ebc85c4420921d348b36584d1a19baf88346eb3c1ad9c9815b67b63e27e5
        • Instruction Fuzzy Hash: 801148342403159BD710DF19D8C1B8ABBE5EF88750F50C57AE9989F385D374E9018BA8
        APIs
        • GetObjectW.GDI32(00000000,00000054,?), ref: 0048A6D0
        • GetDC.USER32(00000000), ref: 0048A6E1
        • CreateCompatibleDC.GDI32(00000000), ref: 0048A6F2
        • CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 0048A73E
        • CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 0048A762
        • SelectObject.GDI32(?,?), ref: 0048A9BF
        • SelectPalette.GDI32(?,00000000,00000000), ref: 0048A9FF
        • RealizePalette.GDI32(?), ref: 0048AA0B
        • SetTextColor.GDI32(?,00000000), ref: 0048AA74
        • SetBkColor.GDI32(?,00000000), ref: 0048AA8E
        • SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,0048AC1C,?,00000000,0048AC3E,?,00000000,0048AC4F), ref: 0048AAD6
        • FillRect.USER32(?,?,00000000), ref: 0048AA5C
          • Part of subcall function 00486F88: GetSysColor.USER32(?), ref: 00486F92
        • PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 0048AAF8
        • CreateCompatibleDC.GDI32(00000028), ref: 0048AB0B
        • SelectObject.GDI32(?,00000000), ref: 0048AB2E
        • SelectPalette.GDI32(?,00000000,00000000), ref: 0048AB4A
        • RealizePalette.GDI32(?), ref: 0048AB55
        • SetTextColor.GDI32(?,00000000), ref: 0048AB73
        • SetBkColor.GDI32(?,00000000), ref: 0048AB8D
        • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0048ABB5
        • SelectPalette.GDI32(?,00000000,000000FF), ref: 0048ABC7
        • SelectObject.GDI32(?,00000000), ref: 0048ABD1
        • DeleteDC.GDI32(?), ref: 0048ABEC
          • Part of subcall function 00487FD4: CreateBrushIndirect.GDI32(?), ref: 0048807F
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
        • String ID:
        • API String ID: 1299887459-0
        • Opcode ID: d9ef63fb8eda87f685283ca61620ccd7fe30511c057957162ffa7f6dcb87f907
        • Instruction ID: 6321934a5e207ae3ae0188a01910f80ad8e223b80b434cc0de2626c507efdeee
        • Opcode Fuzzy Hash: d9ef63fb8eda87f685283ca61620ccd7fe30511c057957162ffa7f6dcb87f907
        • Instruction Fuzzy Hash: 75120F71A00208AFDB00EF99C985F9E77B8EF08314F15896AF918EB291C778ED51CB55
        APIs
        • GetModuleFileNameW.KERNEL32(00400000,?,00000104,00000000,004D47A4), ref: 004D4770
        • PostMessageW.USER32(00000000,0000052C,00000001,00000000), ref: 004D4788
        • LoadLibraryW.KERNEL32(00000000,00000000,004D588C,?,00000000,004D47A4), ref: 004D4809
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FileLibraryLoadMessageModuleNamePost
        • String ID: &cpu=$&disk=$(RequestList[0]=-1) or (RequestList[0]=-5)$-$:$DaoBan$Expried$Keep-Alive$Mozilla/5.0 (Windows NT 6.1; rv:28.0) Firefox/28.0$None$OverSeat$Pro$Register.dll$application/x-www-form-urlencoded$code=$mm/dd/yyyy hh:mm:ss$s_Content1=$text/html, application/xhtml+xml, */*$yyyy-mm-dd
        • API String ID: 3562336805-735673237
        • Opcode ID: 360ee3b0256814032cba9cdf031808143b04180424c7c88e0ed4493425aa5d45
        • Instruction ID: c6869e601df7c26c9bc7baac1503f3c41409a318b3e9e783e3ebfdfaaa4309c8
        • Opcode Fuzzy Hash: 360ee3b0256814032cba9cdf031808143b04180424c7c88e0ed4493425aa5d45
        • Instruction Fuzzy Hash: 2B822134A006198BDB21EB55CC91B9DB3B5FF48308F5080F6E408A7796DB38AE85DF59
        APIs
          • Part of subcall function 00484824: OutputDebugStringW.KERNEL32(00000000,?,00000000,00484AB8,?,00000000,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484933
        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0048509E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CreateDebugOutputPipeString
        • String ID: A$D$cmd.exe /k ping
        • API String ID: 1172444661-226192315
        • Opcode ID: 637f302a85db514f90bdbd9d365860c86db2dddbc23556976f21a4a30036ff98
        • Instruction ID: fc9a1415fd0955bb89a07bec7805042ec8be1484c3c6c14ef68dc9a06b8892e7
        • Opcode Fuzzy Hash: 637f302a85db514f90bdbd9d365860c86db2dddbc23556976f21a4a30036ff98
        • Instruction Fuzzy Hash: 53814071A046099EDB10FBA5CD45B9EB7B8EB48304F2049ABE504F7281DF789E01CF69
        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,00420A28,?,00000000), ref: 00407635
        • GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 0040764C
        • lstrcpynW.KERNEL32(?,?,?), ref: 0040767C
        • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,00420A28,?,00000000), ref: 004076EB
        • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00420A28,?,00000000), ref: 00407733
        • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28,?,00000000), ref: 00407746
        • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28,?,00000000), ref: 0040775C
        • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28,?,00000000), ref: 00407768
        • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28,?), ref: 004077A4
        • lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28), ref: 004077B0
        • lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 004077D3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
        • String ID: GetLongPathNameW$\$kernel32.dll
        • API String ID: 3245196872-3908791685
        • Opcode ID: d7d111a059713bf4eda24ac3aa40c7b5e1bb4d21e36ca2d85ce569ab9031eb31
        • Instruction ID: f2b674abe2ba20a150e79b47893a8681c7c64638fb5bd3151d35c61cd4aafac2
        • Opcode Fuzzy Hash: d7d111a059713bf4eda24ac3aa40c7b5e1bb4d21e36ca2d85ce569ab9031eb31
        • Instruction Fuzzy Hash: 23518272D046189BDB10EBA8CC85AEE73FCAB04350F1445B6A905F7691E778BE408B5A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: AttributesFileInitializeLocalTime
        • String ID: &ck=1$&cpu=$&disk=$(RequestList[0]=-1) or (RequestList[0]=-5)$DaoBan$Expried$Keep-Alive$Mozilla/5.0 (Windows NT 6.1; rv:28.0) Firefox/28.0$N/A$None$OverSeat$Pro$RequestList=$application/x-www-form-urlencoded$code=$s_Content=$text/html, application/xhtml+xml, */*
        • API String ID: 2084514100-3668942028
        • Opcode ID: ff4558773dd6bf5b497a9574664228c23b4d1c66000e8c719f3277769ecc0d23
        • Instruction ID: a5daee07745bf406d48188aceabfd4615d2a8534ba6b104f25652510b7539f10
        • Opcode Fuzzy Hash: ff4558773dd6bf5b497a9574664228c23b4d1c66000e8c719f3277769ecc0d23
        • Instruction Fuzzy Hash: A992E034A001089BDB10EF59C891B9DB7B1FF48318F54C1A6F818AB396DB39AE45CF59
        APIs
        • IsIconic.USER32(?), ref: 004BED6F
        • GetWindowPlacement.USER32(?,0000002C), ref: 004BED8C
        • GetWindowRect.USER32(?,?), ref: 004BEDAB
        • GetWindowLongW.USER32(?,000000F0), ref: 004BEDB9
        • GetWindowLongW.USER32(?,000000F8), ref: 004BEDD2
        • GetWindowLongW.USER32(00000000,000000EC), ref: 004BEDE0
        • ScreenToClient.USER32(00000000), ref: 004BEE10
        • ScreenToClient.USER32(00000000), ref: 004BEE35
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$Long$ClientScreen$IconicPlacementRect
        • String ID: ,
        • API String ID: 1823113212-3772416878
        • Opcode ID: 54e5411ac4d1231112c913961141d8655a205c32bf1127ab81a5b0bc7eeb1232
        • Instruction ID: c7173f946874bfd70d87507649719b056ae5bdfab5a7580695f540a1b111c5ec
        • Opcode Fuzzy Hash: 54e5411ac4d1231112c913961141d8655a205c32bf1127ab81a5b0bc7eeb1232
        • Instruction Fuzzy Hash: 2C31C9B5609702AFC741DF6DC484A8FBBE8EF88350F14892EB998DB351D734D8448B66
        APIs
        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000,?,00000000,004C75CD,?,?,?,?,?,004CA631), ref: 004C740F
        • GetLastError.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000,?,00000000,004C75CD,?,?,?,?,?,004CA631), ref: 004C741D
        • DeviceIoControl.KERNEL32(000000FF,00074080,00000000,00000000,?,00000018,00000000,00000000), ref: 004C748A
        • GetLastError.KERNEL32(00000000,004C759D,?,?,C0000000,00000007,00000000,00000003,00000000,00000000,?,00000000,004C75CD), ref: 004C7493
        • CloseHandle.KERNEL32(000000FF,004C75A4,004C759D,?,?,C0000000,00000007,00000000,00000003,00000000,00000000,?,00000000,004C75CD), ref: 004C7597
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
        • String ID: \\.\PhysicalDrive%d
        • API String ID: 1177325624-2935326385
        • Opcode ID: c0482c1a8153f0e179d86a96c87d7629724f06956751fa613ef7157410885793
        • Instruction ID: bba0966b8e81fe5bcff8f46d1acefcc068ad42b9a10d3efaf7f5fc5dd5b145ad
        • Opcode Fuzzy Hash: c0482c1a8153f0e179d86a96c87d7629724f06956751fa613ef7157410885793
        • Instruction Fuzzy Hash: 07618474A04218AFDB50DF65CC41FAEB7B9EB88714F5044BEB508E3681DA389E44CF59
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: RestoreSave$FocusIconicWindow
        • String ID:
        • API String ID: 1400084646-0
        • Opcode ID: 583a10e75f26a93a762f26665fa86cd0a7490dc8408021ac43ff7dac9a75fa93
        • Instruction ID: 4d1aa48dba98c79f1140ee898be312b4124a1550ad50b543197c56b43dbb0cb0
        • Opcode Fuzzy Hash: 583a10e75f26a93a762f26665fa86cd0a7490dc8408021ac43ff7dac9a75fa93
        • Instruction Fuzzy Hash: C9E17D30A042049FDF15DF6DC986AAEBBE5EB44304F1545BBE404DB756CB78AE40CB98
        APIs
        • GetWindowLongW.USER32(?,000000EC), ref: 00496DE6
        • IsIconic.USER32(?), ref: 00496E14
        • IsWindowVisible.USER32(?), ref: 00496E24
        • ShowWindow.USER32(?,00000000,?,?,?,000000EC,00000001,?,?,00000000,004A1619,?,?,?,004A17AF,00000000), ref: 00496E41
        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00496E54
        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00496E65
        • ShowWindow.USER32(?,00000006,?,000000EC,00000000,?,?,?,000000EC,00000001,?,?,00000000,004A1619), ref: 00496E85
        • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,?,?,000000EC,00000001,?,?,00000000,004A1619), ref: 00496E8F
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$LongShow$IconicVisible
        • String ID:
        • API String ID: 3484284227-0
        • Opcode ID: f486eb1f0e8aee1c5efc9ed415bbe8db03c6e016de86be8dd2baedf350856df3
        • Instruction ID: ca95bb8bb0818ea5a90282b5e38d4bf22da05f14513b66965b8ba9bba351b6b4
        • Opcode Fuzzy Hash: f486eb1f0e8aee1c5efc9ed415bbe8db03c6e016de86be8dd2baedf350856df3
        • Instruction Fuzzy Hash: ED11E60524D79025DF2232264C02FAF2E984FC7318F19463FF8D4A11C3C23D4905822F
        APIs
        • SaveDC.GDI32(?), ref: 004AB8A0
        • RestoreDC.GDI32(?,?), ref: 004AB914
        • GetWindowDC.USER32(?,00000000,004ABB22), ref: 004AB98E
        • SaveDC.GDI32(?), ref: 004AB9C5
        • RestoreDC.GDI32(?,?), ref: 004ABA50
        • DefWindowProcW.USER32(?,?,?,?,00000000,004ABB22), ref: 004ABB04
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: RestoreSaveWindow$Proc
        • String ID:
        • API String ID: 1975259465-0
        • Opcode ID: b0d897ef777358d9d8a85d196c2d1809446aa99833d3ffa7a7ea1fcd05aa5c54
        • Instruction ID: 18256cceddf1e8ed75d6d9bc5e2c99ab8c56aa32022ef838ee28643ebdd135b7
        • Opcode Fuzzy Hash: b0d897ef777358d9d8a85d196c2d1809446aa99833d3ffa7a7ea1fcd05aa5c54
        • Instruction Fuzzy Hash: B7F15E34A006459FCB10DF6AC5819AEF7F5FF69304B60866AE801A7362D738ED41CB99
        APIs
        • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 004C76F0
        • GetLastError.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 004C76FC
        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000), ref: 004C7782
        • GetLastError.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000,?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 004C781C
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,002D1400,?,0000000C,?,00002710,?,00000000,?,00000000,00000003,00000000,00000003), ref: 004C7843
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
        • String ID: \\.\PhysicalDrive%d
        • API String ID: 1177325624-2935326385
        • Opcode ID: e445b6121fcde5571b445fc1e101debbd38c977cbbabe62c6e2b89ad556c2414
        • Instruction ID: 90e68ab612a092c82b2f8a928bf183565ba8cfef8866bcc2dc7fc7d3850c149d
        • Opcode Fuzzy Hash: e445b6121fcde5571b445fc1e101debbd38c977cbbabe62c6e2b89ad556c2414
        • Instruction Fuzzy Hash: 16516274A05118ABDB50EB69CC85F9E77B9EF48304F5081BBB508E7281DB389F448F68
        APIs
        • IsIconic.USER32(?), ref: 004BE3D7
        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004BE3F5
        • GetWindowPlacement.USER32(?,0000002C), ref: 004BE42B
        • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004BE44F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$Placement$Iconic
        • String ID: ,
        • API String ID: 568898626-3772416878
        • Opcode ID: 4e6e4ef97e99ef16ee460287f45b08c1578ad03f4d2ea65ef27bb564f1b4a047
        • Instruction ID: 5d4e0461e67527e3e1f8b298f42a18f5d16419f86d2eb7804103e1a06a5a5d6e
        • Opcode Fuzzy Hash: 4e6e4ef97e99ef16ee460287f45b08c1578ad03f4d2ea65ef27bb564f1b4a047
        • Instruction Fuzzy Hash: 8321F871600204ABCB54EF6EC8C59CE77E9AF49314F04946AFE18EF346D679EC048BA5
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: AddressProc
        • String ID: MonitorFromWindow
        • API String ID: 190572456-2842599566
        • Opcode ID: 83aca5a9695eadc929b4d4a5ed6d77c9f91f381b9bebc0cb1ef110b99310690a
        • Instruction ID: cafcb5095a8310dc163b16c7fae9225561532fe0018daeddf9dab4be1aa80a6e
        • Opcode Fuzzy Hash: 83aca5a9695eadc929b4d4a5ed6d77c9f91f381b9bebc0cb1ef110b99310690a
        • Instruction Fuzzy Hash: FB01AD31604108AEDB00EA95AC86EFF779CDB09304B44403BFE10AB252D72D9E0187FE
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID: L\G$\\G$d\G$l\G
        • API String ID: 0-3873718168
        • Opcode ID: 54e3ea0683f1e7f93f9231319c3f6074d787fe2719b2e6590999e2ca452a77ae
        • Instruction ID: 089e9659be4057792b862338495528b37df14adf5790562bfa31c3277bc7f1c6
        • Opcode Fuzzy Hash: 54e3ea0683f1e7f93f9231319c3f6074d787fe2719b2e6590999e2ca452a77ae
        • Instruction Fuzzy Hash: 53124E74A00608DFCB14DF59C585A9DBBF2FF49314F1180AAE908AB362D739AE85CF54
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 004A079C
        • GetCursorPos.USER32(?), ref: 004A07B9
        • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 004A07D9
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CurrentCursorObjectSingleThreadWait
        • String ID:
        • API String ID: 1359611202-0
        • Opcode ID: 51017a21f9eca692c9b1b9694f3d144a7a9420b37f430b151b8687ee28102974
        • Instruction ID: e27a2bea5176eada0296fbc7324c9ae7d73286eb83bbc34b2ddea4703df65b40
        • Opcode Fuzzy Hash: 51017a21f9eca692c9b1b9694f3d144a7a9420b37f430b151b8687ee28102974
        • Instruction Fuzzy Hash: 66F08935504305EEDB14EB5AD8C6B8A33D8DB26314F50003BE9009A5D3EB7DA980CF5D
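        The GetCursorPos / WaitForSingleObject pair in the record above has the shape of a classic cursor-movement sandbox check: read the cursor position, wait (the listing shows a 0x64 = 100 ms timeout argument), read it again, and treat "no movement" as a sign of an unattended analysis VM. The Python below is an added example that reconstructs that logic for analysts; it is not code from the sample or from Joe Sandbox. The sample count, the 100 ms interval, the replay() feed and the win32_cursor_pos() helper are assumptions made for an offline demonstration, and only the ctypes path touches the real user32!GetCursorPos, so it runs on Windows alone.

```python
"""Cursor-movement sandbox check reconstructed from a GetCursorPos /
WaitForSingleObject(…, 0x64) call pair.  Added example, not code from the
analysed sample or from Joe Sandbox.  Sample count, interval and the
replay() feed are assumptions; the listing only shows the 100 ms wait."""
import sys
import time
from typing import Callable, Sequence, Tuple

Point = Tuple[int, int]


def win32_cursor_pos() -> Point:
    """Read the real cursor via user32!GetCursorPos (Windows only)."""
    import ctypes
    from ctypes import wintypes
    pt = wintypes.POINT()
    if not ctypes.windll.user32.GetCursorPos(ctypes.byref(pt)):
        raise OSError("GetCursorPos failed")
    return (pt.x, pt.y)


def cursor_moved(get_pos: Callable[[], Point],
                 sleep: Callable[[float], None] = time.sleep,
                 samples: int = 10,
                 interval_s: float = 0.1) -> bool:
    """Return True as soon as two consecutive cursor samples differ.

    This is the malware-side decision: a human operator moves the mouse
    within a few hundred milliseconds, an idle sandbox often does not.
    The 100 ms default mirrors the 0x64 timeout seen in the listing;
    the 10-sample budget is an assumption.  A sandbox that injects
    synthetic cursor movement makes this return True and defeats the check.
    """
    last = get_pos()
    for _ in range(samples - 1):
        sleep(interval_s)          # stands in for WaitForSingleObject(h, 100)
        cur = get_pos()
        if cur != last:
            return True
        last = cur
    return False


def replay(positions: Sequence[Point]) -> Callable[[], Point]:
    """Constructed cursor feed for offline testing: yields the given
    positions in order and repeats the last one once exhausted."""
    it = iter(positions)
    last = [positions[0]]

    def _next() -> Point:
        try:
            last[0] = next(it)
        except StopIteration:
            pass
        return last[0]
    return _next


if __name__ == "__main__":
    if sys.platform == "win32":
        print("cursor moved:", cursor_moved(win32_cursor_pos))
    else:
        no_sleep = lambda s: None
        print("idle sandbox feed:", cursor_moved(replay([(10, 10)]), sleep=no_sleep))
        print("human-like feed:", cursor_moved(replay([(10, 10), (12, 11)]), sleep=no_sleep))
```

        When replaying a sample that carries this call pattern, confirm that the analysis environment moves the cursor during execution; otherwise the branch taken after the check is the evasion path, not the payload.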
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CaptureIconic
        • String ID:
        • API String ID: 2277910766-0
        • Opcode ID: 65e26b75aab1b3f8296705f8153952d862a10a817d8d9fa918ed972dbef8d6d6
        • Instruction ID: 0b8e97e7156bbca95052428a4882d5223e002c5da76b7ea57da98cb6fa4ed27f
        • Opcode Fuzzy Hash: 65e26b75aab1b3f8296705f8153952d862a10a817d8d9fa918ed972dbef8d6d6
        • Instruction Fuzzy Hash: 4011B271F186059BDB20EF9CC885AEA73E4EF48314B2441F6E800CB352E778ED019768
        APIs
        • GetLastError.KERNEL32(00000000,00488B48), ref: 00488ACC
        • FormatMessageW.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00488B48), ref: 00488AF2
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ErrorFormatLastMessage
        • String ID:
        • API String ID: 3479602957-0
        • Opcode ID: 4191f8acc4e5dff7b2a3aefa38dc28aecea71e53a9cd80b042bd8e59e6f196b5
        • Instruction ID: a6437b926986101ed2d9a61e6e9f820b192c03b7ba3f47c901de0d256cb0cfde
        • Opcode Fuzzy Hash: 4191f8acc4e5dff7b2a3aefa38dc28aecea71e53a9cd80b042bd8e59e6f196b5
        • Instruction Fuzzy Hash: 230188B03047495AE721BA618D42B9A72A8DB44704F9148BFB614E62C2EFB86D408B1D
        APIs
        • FindFirstFileW.KERNEL32(00000000,?,?,00000000,?,004778CB,00000000,00477A1E), ref: 0040CB9F
        • GetLastError.KERNEL32(00000000,?,?,00000000,?,004778CB,00000000,00477A1E), ref: 0040CBC4
          • Part of subcall function 0040CB00: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040CB30
          • Part of subcall function 0040CB00: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040CB3F
          • Part of subcall function 0040CBF8: FindClose.KERNEL32(?,?,0040CBC2,00000000,?,?,00000000,?,004778CB,00000000,00477A1E), ref: 0040CC04
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
        • String ID:
        • API String ID: 976985129-0
        • Opcode ID: 84d9f8265b2e6fa49e5ca1566902987135e594072d5a913756a8319c6ee07ede
        • Instruction ID: aa08f9d71a5a22c72c2484e34291aeda6fa1b63c484c2b0374f578f44379026d
        • Opcode Fuzzy Hash: 84d9f8265b2e6fa49e5ca1566902987135e594072d5a913756a8319c6ee07ede
        • Instruction Fuzzy Hash: 26E030A370152087C714BB6E68C256A71A85A44368319077FF964FB3C6D93CDC0647D8
        APIs
        • FindFirstFileW.KERNEL32(00000000,?,00000000,?,0040C97F,00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C91F
        • FindClose.KERNEL32(00000000,00000000,?,00000000,?,0040C97F,00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C92A
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID:
        • API String ID: 2295610775-0
        • Opcode ID: 3f6f0342466c5476ee9348028e8cfe97e8cbe05f4c2d99ee5570afda01b1b5e5
        • Instruction ID: 56a5281f17e0d17e802518945a06d60c7486b5f1ffe8e71604fca62cd83e1e95
        • Opcode Fuzzy Hash: 3f6f0342466c5476ee9348028e8cfe97e8cbe05f4c2d99ee5570afda01b1b5e5
        • Instruction Fuzzy Hash: A5E0CDA250460812CB1075B90CC9B6B738C5B04328F040BBB7D5CF21D2EB3C955400ED
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c0b0f3294f3176a4c0f0dc6eb2c3485b6ac409d5abf40ce87c7c6f094c7ddd04
        • Instruction ID: 8c3a9305beef39df11162472b135feed8bd7c0b84f45f5c76999fb3249afc7ea
        • Opcode Fuzzy Hash: c0b0f3294f3176a4c0f0dc6eb2c3485b6ac409d5abf40ce87c7c6f094c7ddd04
        • Instruction Fuzzy Hash: B581B3706082448BDB11DF29C588BEEB7E5AF85304F58416BE441EB3A2C77CDD45CBA9
        APIs
        • GetTimeZoneInformation.KERNEL32(?,00000000,004310A4), ref: 00430FA6
          • Part of subcall function 0040821C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408261
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: InformationLoadStringTimeZone
        • String ID:
        • API String ID: 2315373741-0
        • Opcode ID: f914410f037be8aa14292be6e9371e7e357526689cda4e574ebf29ef6be5186f
        • Instruction ID: 5b4651037b8c11c34a7643a3285352e32427da960fba82cbc9c833a3f0e74f61
        • Opcode Fuzzy Hash: f914410f037be8aa14292be6e9371e7e357526689cda4e574ebf29ef6be5186f
        • Instruction Fuzzy Hash: 6731F730A002148BDB14EB65DC81B69B3BAAB4C304F1451BFE549E36A1DB389E818B1A
        APIs
        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0040CF25
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: DiskFreeSpace
        • String ID:
        • API String ID: 1705453755-0
        • Opcode ID: 3216e17ed02fc72a2af25acb228b16132876c1ea2ddac7d909356e49131db105
        • Instruction ID: 37f47f218f1add85cd5d470a67e224576d7e370b399137a1e948b3d7bdcbc95c
        • Opcode Fuzzy Hash: 3216e17ed02fc72a2af25acb228b16132876c1ea2ddac7d909356e49131db105
        • Instruction Fuzzy Hash: FC1100B5A00209AFDB00DF99C8819AFB7F9EFC8304B14C56AA419E7250E6319E01CBA0
        APIs
        • CoCreateInstance.OLE32(?,00000000,00000005,0048DFA0,00000000,00000000,0048DF0B,?,00000000,0048DF90), ref: 0048DEF7
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CreateInstance
        • String ID:
        • API String ID: 542301482-0
        • Opcode ID: 47a4fce4741e063a2dea02ea348e3449441aeb565631378706d45a30e8941d1e
        • Instruction ID: c9b8455b27cbc2035c4e39895f569c7f0f1801a0483c974533f54a4fdf2cf610
        • Opcode Fuzzy Hash: 47a4fce4741e063a2dea02ea348e3449441aeb565631378706d45a30e8941d1e
        • Instruction Fuzzy Hash: AE01D470E08B046EE705AF659C52E6EBBACD749714F61487BF601E26C0E63C59009A2C
        APIs
        • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: InfoLocale
        • String ID:
        • API String ID: 2299586839-0
        • Opcode ID: 34c37a91212972fb239907a40617686586c0641d0642d68803079b0e1b988209
        • Instruction ID: fb9f1c74da5fba268bc1271a0b5c4ba1b9d2b1e8cdcfae00537b133d09adddb2
        • Opcode Fuzzy Hash: 34c37a91212972fb239907a40617686586c0641d0642d68803079b0e1b988209
        • Instruction Fuzzy Hash: 6BE0923170031817E714A5699DC6AEB725CE748310F00017FBE19D7383EDB89E514AE9
        APIs
        • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: InfoLocale
        • String ID:
        • API String ID: 2299586839-0
        • Opcode ID: 7412c480c00e2cb75f8cd3f5caa920f481d1270afb27392c702c864e1033a28a
        • Instruction ID: f0b4aa490ebfc81cc631db9400f7d563079380d50eb7477535b90c9ce458ed88
        • Opcode Fuzzy Hash: 7412c480c00e2cb75f8cd3f5caa920f481d1270afb27392c702c864e1033a28a
        • Instruction Fuzzy Hash: 9FE0DF327003082AE71495688D8AAF7725CE748310F00017FBE29D6382EDB89E904AE8
        APIs
        • GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00414710,00000000,0041493A,?,?,00000000,00000000), ref: 00412383
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: InfoLocale
        • String ID:
        • API String ID: 2299586839-0
        • Opcode ID: 947d4e56591dfeae468df0432d1ec0218444247efd9ee1fdd612a9471200f141
        • Instruction ID: 3b9a5f590f994ad4dece79de95231c72918d5ccf2e0e08496214b09dba198952
        • Opcode Fuzzy Hash: 947d4e56591dfeae468df0432d1ec0218444247efd9ee1fdd612a9471200f141
        • Instruction Fuzzy Hash: 0DD097B23082303AE210812B2E40EBB07CCCBC5371F00483BBE88C2202E668CC01C374
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: LocalTime
        • String ID:
        • API String ID: 481472006-0
        • Opcode ID: 420322265d05983263c60edde9e0c4d25429fc1edca32a1299e870927aba28cd
        • Instruction ID: fd22a814f1c8f36785e20d8c99b41c6982756cc092998c8702cf5361a1be422c
        • Opcode Fuzzy Hash: 420322265d05983263c60edde9e0c4d25429fc1edca32a1299e870927aba28cd
        • Instruction Fuzzy Hash: 37E0456040D622E5C254EF56D44143EF7E5AED8B42F408C6EF8D4501D5EB39C5E8D367
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Iconic
        • String ID:
        • API String ID: 110040809-0
        • Opcode ID: 926b9026f5d7a4437998e2bf576265353881867096bc75fdcac0e819369e324b
        • Instruction ID: faf11d0400f01ed4e42fa31ed726dce796801c432f2e0aebb638140923ca398c
        • Opcode Fuzzy Hash: 926b9026f5d7a4437998e2bf576265353881867096bc75fdcac0e819369e324b
        • Instruction Fuzzy Hash: 56C01270A142408BDB01E734C8D9AC63767B744301FD507F7D4048A023C37898444698
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID: LpB
        • API String ID: 0-825029884
        • Opcode ID: 2f04e2aaeb688ce332a44c1e4f2433e219b320b3bcc56b84d3376aba1cd5f411
        • Instruction ID: 07b84a84e19f52114870abd1fd6c1909ffb0bb5ee17e12780eb15ba2ca6b32f7
        • Opcode Fuzzy Hash: 2f04e2aaeb688ce332a44c1e4f2433e219b320b3bcc56b84d3376aba1cd5f411
        • Instruction Fuzzy Hash: 79815D73D104374BEB628EA88C443A16392AFCC3DEF5B46B0ED05BB646C938BD5186C0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID: LpB
        • API String ID: 0-825029884
        • Opcode ID: cc8df9e7eda42b814345f637cacc4ed46797d903377d6d7c16bf8b99d8c442f1
        • Instruction ID: 68913ba686b48859e3ac16fac4761765169a9d8df4953ed76ae20299b1e13dde
        • Opcode Fuzzy Hash: cc8df9e7eda42b814345f637cacc4ed46797d903377d6d7c16bf8b99d8c442f1
        • Instruction Fuzzy Hash: 26712873D204775BEB609EA888443617392EFC9358F9F46B0CE09BF646C634BD5296C1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID: LpB
        • API String ID: 0-825029884
        • Opcode ID: 32154cc48de87b7e5e8aa8ba24d159dd17f8d825625490f9efe5abced1ba0aa3
        • Instruction ID: 745940d6a7421408714d72f1f0d91edd69bbe5edebfc2d4985489d4fe2cd495b
        • Opcode Fuzzy Hash: 32154cc48de87b7e5e8aa8ba24d159dd17f8d825625490f9efe5abced1ba0aa3
        • Instruction Fuzzy Hash: 64314522789A8203D32C8E6E6CE02F75AD38FC521822DD47D9CDEC7746D89EA41A5158
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8ecd3614fed14ca2677e30554c8d81c4c5e36c00c405be94db2eddaa6ff3cd03
        • Instruction ID: fdde6167f4e11dec0eb64000addb45ed2dcc85027a8bcd4e7efcf301c35a70f4
        • Opcode Fuzzy Hash: 8ecd3614fed14ca2677e30554c8d81c4c5e36c00c405be94db2eddaa6ff3cd03
        • Instruction Fuzzy Hash: E572021418E2E00AD71B473654F8BF5AFE55F6B219F4E46FE98D90F2A3C1180358EB25
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e68f45b8f7621cdc81a61e55dd7f4da3251d210edadbd159a8b8bf7fa0789545
        • Instruction ID: 7c57eb2e768a11242ecdee91437a3af7dc015f51f8685e737fa55f805aa2eddd
        • Opcode Fuzzy Hash: e68f45b8f7621cdc81a61e55dd7f4da3251d210edadbd159a8b8bf7fa0789545
        • Instruction Fuzzy Hash: ACD17170F001199BDB10EBA9E5417AEB7B6AF84304FE4813BE401A7385D73C9D4A875D
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ec2995152d3773c0cafca3f05de13001bdf2af42aaa7c8c13dcc65a9c290bcd2
        • Instruction ID: b568e8965d51d936e417c824afc13b8a0e18b49c266a48c387b2ee30c52ffe67
        • Opcode Fuzzy Hash: ec2995152d3773c0cafca3f05de13001bdf2af42aaa7c8c13dcc65a9c290bcd2
        • Instruction Fuzzy Hash: FFD15E35601640CBCB29DE28D5C47A777A1FB55310F1486AADC9A8F38BC738D846CBA6
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
        • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
        • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
        • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
        • Instruction ID: b064f1b3415c9351f41b4a0e47c6b8c9fa3c36d0bb1fd5dd501b559f08029e12
        • Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
        • Instruction Fuzzy Hash: 06019B327057210B874CDD7ECD9952AB6D3AFD8510F09C73D9589D76C4DD318C1AC686
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 7a0bd25c9c33daeff3bf8db6319e05cb223bee929aaa0eaae762b07ab4e622c7
        • Instruction ID: 7950c6967f86c9e8722d6aeb2d1fcf1b067c89623ef924b72e20bee896cc1a60
        • Opcode Fuzzy Hash: 7a0bd25c9c33daeff3bf8db6319e05cb223bee929aaa0eaae762b07ab4e622c7
        • Instruction Fuzzy Hash: E8C0927AB018003B730A859DECC0812D3EFDBEC061324813AB300C7BB2C212EC0A0123
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6ab3165fc5902a1748a6be7b8ef00156658869290e21e94630157825a4fafb7e
        • Instruction ID: cebba78ecad86c3759c97417080e2e1af08517f0c89c3b80ba2f050f602998d2
        • Opcode Fuzzy Hash: 6ab3165fc5902a1748a6be7b8ef00156658869290e21e94630157825a4fafb7e
        • Instruction Fuzzy Hash:
        APIs
        • LoadLibraryW.KERNEL32(uxtheme.dll,00000000,0048F676), ref: 0048F2F9
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00408ADA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: AddressProc$LibraryLoad
        • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundExtent$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
        • API String ID: 2238633743-1748089680
        • Opcode ID: 187df02b06c548eaf988eb9952c75c812548da6fb832dbe92318c3edd329b07d
        • Instruction ID: 26beca7ca8fcc2098c5f34ba191b4d88d65d21a4254215378b52510d44da9c77
        • Opcode Fuzzy Hash: 187df02b06c548eaf988eb9952c75c812548da6fb832dbe92318c3edd329b07d
        • Instruction Fuzzy Hash: E1A1F0B0A05691AFDF00FBA5D9C6A2E37A4EF0970031009BBB580DF695EB789805CF5D
        APIs
        • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0041753D
          • Part of subcall function 00417508: GetProcAddress.KERNEL32(00000000), ref: 00417521
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
        • API String ID: 1646373207-1918263038
        • Opcode ID: 7d74fa0fa542dd6a90115ec814fdc6afdb47c90297310b54933d19200431db80
        • Instruction ID: c7086d84d78b30961cf965b4812dcb75fb6d125a852e24fab665e357e8c97dd9
        • Opcode Fuzzy Hash: 7d74fa0fa542dd6a90115ec814fdc6afdb47c90297310b54933d19200431db80
        • Instruction Fuzzy Hash: 3241F77169C3486A9305AB6EAC418E67BBED7447147A0C07FB4148BBC6DB38BDC1862D
        APIs
          • Part of subcall function 0040C944: GetFileAttributesW.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C950
        • DeleteFileW.KERNEL32(00000000,00000000,004CBFFD,?,00000000,004CC040,?,?,?,00000000,0000000C,00000000,00000000), ref: 004CBC54
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: File$AttributesDelete
        • String ID: Backups.dat$Code$ExpDate$Expried$FingerPrint$LastCheckTime$LastServerDate$LastValidate$LeftDays$LicenseType$License\$OverSeat$Register.ini$Seat$Tag$license$license.dat$main$registercm-2013
        • API String ID: 2910425767-3901113137
        • Opcode ID: 81e008b5915434d74932a53c878c8fc3876c47dc80ca27d4fb7d399862ea9377
        • Instruction ID: eea1452e1ddb545e4d386a193ce17c70eb33f91d8a31fd686b54018faf68b9ff
        • Opcode Fuzzy Hash: 81e008b5915434d74932a53c878c8fc3876c47dc80ca27d4fb7d399862ea9377
        • Instruction Fuzzy Hash: B7F1E074A00209DFDB40EF95C991E9EB7B5EF45308F50817AE504BB396CB38AE458B58
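        The three entries above share one triage-relevant trait. The uxtheme.dll and oleaut32.dll functions resolve their imports at runtime (LoadLibraryW or GetModuleHandleW followed by GetProcAddress over the name table that shows up in String ID), so none of those names appear in the PE import directory and a static import-table check would miss them. The DeleteFileW function is the one carrying the licensing file names (Backups.dat, Register.ini, license.dat, License\). The script below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses entries in this report format, reconstructs the module-to-function map of runtime-resolved imports, and lists the file artifacts per function. The excerpt it runs on is a constructed, shortened copy of the three entries above; parse_report, runtime_imports and file_artifacts are names chosen here.

```python
"""Added example, not Joe Sandbox code: recover runtime-resolved imports and
file artifacts from function entries in the format shown above."""
import re
from dataclasses import dataclass, field

# Matches "LoadLibraryW.KERNEL32(uxtheme.dll,00000000,0048F676), ref: 0048F2F9"
CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\), ref: ([0-9A-Fa-f]{8})")
LOADERS = {"LoadLibraryW", "LoadLibraryA", "GetModuleHandleW", "GetModuleHandleA"}
FILE_APIS = {"DeleteFileW", "GetFileAttributesW", "CreateFileW", "MoveFileW", "CopyFileW"}

@dataclass
class Entry:
    apis: list = field(default_factory=list)     # (api name, [args]) incl. subcalls
    strings: list = field(default_factory=list)  # the "$"-separated String ID list
    opcode_id: str = ""

def parse_report(text):
    """Split report text into entries; each ends at its Instruction Fuzzy Hash line."""
    entries, cur = [], Entry()
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        call = CALL_RE.search(line)
        if call and raw.strip().startswith("•"):
            api, _module, args, _ref = call.groups()
            cur.apis.append((api, [a.strip() for a in args.split(",")]))
        elif line.startswith("String ID:"):
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash"):
            entries.append(cur)
            cur = Entry()
    return entries

def runtime_imports(entries):
    """Module -> functions for entries pairing a loader call with GetProcAddress.
    These names are absent from the PE import directory; only the string table has them."""
    table = {}
    for e in entries:
        if "GetProcAddress" not in {api for api, _ in e.apis}:
            continue
        module = next((args[0].lower() for api, args in e.apis
                       if api in LOADERS and args and args[0].lower().endswith(".dll")), None)
        if module is None:  # loader argument not recovered by the sandbox; use the string table
            module = next((s.lower() for s in e.strings if s.lower().endswith(".dll")), None)
        if module is None:
            continue
        table.setdefault(module, []).extend(
            s for s in e.strings if not s.lower().endswith(".dll"))
    return table

def file_artifacts(entries):
    """Opcode ID prefix -> filename-like strings for entries that touch the file system."""
    out = {}
    for e in entries:
        if not {api for api, _ in e.apis} & FILE_APIS:
            continue
        paths = [s for s in e.strings
                 if re.search(r"\.[A-Za-z0-9]{2,4}$", s) or s.endswith("\\")]
        if paths:
            out[e.opcode_id[:16]] = paths
    return out

# Constructed excerpt of the three entries above (uxtheme string list shortened).
SAMPLE = r"""
APIs
• LoadLibraryW.KERNEL32(uxtheme.dll,00000000,0048F676), ref: 0048F2F9
  • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
• API ID: AddressProc$LibraryLoad
• String ID: CloseThemeData$DrawThemeBackground$GetThemeColor$IsAppThemed$OpenThemeData$SetWindowTheme$uxtheme.dll
• Opcode ID: 187df02b06c548eaf988eb9952c75c812548da6fb832dbe92318c3edd329b07d
• Instruction Fuzzy Hash: E1A1F0B0A05691AFDF00FBA5D9C6A2E37A4EF0970031009BBB580DF695EB789805CF5D
APIs
• GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0041753D
  • Part of subcall function 00417508: GetProcAddress.KERNEL32(00000000), ref: 00417521
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• Opcode ID: 7d74fa0fa542dd6a90115ec814fdc6afdb47c90297310b54933d19200431db80
• Instruction Fuzzy Hash: 3241F77169C3486A9305AB6EAC418E67BBED7447147A0C07FB4148BBC6DB38BDC1862D
APIs
  • Part of subcall function 0040C944: GetFileAttributesW.KERNEL32(00000000,00000000), ref: 0040C950
• DeleteFileW.KERNEL32(00000000,00000000,004CBFFD,?,00000000,004CC040,?,?,?,00000000,0000000C,00000000,00000000), ref: 004CBC54
• API ID: File$AttributesDelete
• String ID: Backups.dat$Code$ExpDate$Expried$FingerPrint$LastCheckTime$LastServerDate$LastValidate$LeftDays$LicenseType$License\$OverSeat$Register.ini$Seat$Tag$license$license.dat$main$registercm-2013
• Opcode ID: 81e008b5915434d74932a53c878c8fc3876c47dc80ca27d4fb7d399862ea9377
• Instruction Fuzzy Hash: B7F1E074A00209DFDB40EF95C991E9EB7B5EF45308F50817AE504BB396CB38AE458B58
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    print(runtime_imports(parsed))
    print(file_artifacts(parsed))
```

        Two caveats when reading the output. A GetProcAddress loop over a plaintext name table is not by itself suspicious: the uxtheme and oleaut32 tables above are the late-binding wrappers a compiler runtime emits (the function lists match what Delphi's UxTheme and Variants units resolve on start-up), so they belong to the noise, and the pattern only becomes interesting when the names are decrypted or assembled at runtime, which nothing in these entries shows. The function worth a closer look for a sample named Register.dll is the DeleteFileW one, since it is the only entry in this section that combines file-system calls with the licensing artefacts the script lists.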
        APIs
        • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00488D47
        • SelectObject.GDI32(?,?), ref: 00488D5C
        • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,00488DCC,?,?), ref: 00488DA0
        • SelectObject.GDI32(?,?), ref: 00488DBA
        • DeleteObject.GDI32(?), ref: 00488DC6
        • CreateCompatibleDC.GDI32(00000000), ref: 00488DDA
        • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00488DFB
        • SelectObject.GDI32(?,?), ref: 00488E10
        • SelectPalette.GDI32(?,38080D9C,00000000), ref: 00488E24
        • SelectPalette.GDI32(?,?,00000000), ref: 00488E36
        • SelectPalette.GDI32(?,00000000,000000FF), ref: 00488E4B
        • SelectPalette.GDI32(?,38080D9C,000000FF), ref: 00488E61
        • RealizePalette.GDI32(?), ref: 00488E6D
        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00488E8F
        • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00488EB1
        • SetTextColor.GDI32(?,00000000), ref: 00488EB9
        • SetBkColor.GDI32(?,00FFFFFF), ref: 00488EC7
        • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00488EF3
        • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00488F18
        • SetTextColor.GDI32(?,?), ref: 00488F22
        • SetBkColor.GDI32(?,?), ref: 00488F2C
        • SelectObject.GDI32(?,00000000), ref: 00488F3F
        • DeleteObject.GDI32(?), ref: 00488F48
        • SelectPalette.GDI32(?,00000000,00000000), ref: 00488F6A
        • DeleteDC.GDI32(?), ref: 00488F73
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
        • String ID:
        • API String ID: 3976802218-0
        • Opcode ID: 83face600e95b1db92ee050226cf0949d7f6bac1d52ec5d9064765206e6bf5b2
        • Instruction ID: afe38d66815507dd39c3d985836d01f551c8b4be3d14fe105cef71fc62ec9e8d
        • Opcode Fuzzy Hash: 83face600e95b1db92ee050226cf0949d7f6bac1d52ec5d9064765206e6bf5b2
        • Instruction Fuzzy Hash: 738196B2A00209AFDB50EE99CD85EAF77FCEB0D754F540569F618E7281C638AD008B64
        APIs
        • GetObjectW.GDI32(?,00000054,?), ref: 0048AD3B
        • GetDC.USER32(00000000), ref: 0048AD69
        • CreateCompatibleDC.GDI32(?), ref: 0048AD7A
        • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0048AD95
        • SelectObject.GDI32(?,00000000), ref: 0048ADAF
        • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0048ADD1
        • CreateCompatibleDC.GDI32(?), ref: 0048ADDF
        • SelectObject.GDI32(?), ref: 0048AE27
        • SelectPalette.GDI32(?,?,00000000), ref: 0048AE3A
        • RealizePalette.GDI32(?), ref: 0048AE43
        • SelectPalette.GDI32(?,?,00000000), ref: 0048AE4F
        • RealizePalette.GDI32(?), ref: 0048AE58
        • SetBkColor.GDI32(?), ref: 0048AE62
        • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0048AE86
        • SetBkColor.GDI32(?,00000000), ref: 0048AE90
        • SelectObject.GDI32(?,00000000), ref: 0048AEA3
        • DeleteObject.GDI32 ref: 0048AEAF
        • DeleteDC.GDI32(?), ref: 0048AEC5
        • SelectObject.GDI32(?,00000000), ref: 0048AEE0
        • DeleteDC.GDI32(00000000), ref: 0048AEFC
        • ReleaseDC.USER32(00000000,00000000), ref: 0048AF0D
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
        • String ID:
        • API String ID: 332224125-0
        • Opcode ID: 2cac4a80aba9dfe0c8de1a4a82a75e73e04a52e05a089e6a3579aa00ad204c2d
        • Instruction ID: 9c06c7dda7fcfc5ad6c4421aa6e65aa7861f55791373c489131cca595259fe26
        • Opcode Fuzzy Hash: 2cac4a80aba9dfe0c8de1a4a82a75e73e04a52e05a089e6a3579aa00ad204c2d
        • Instruction Fuzzy Hash: A5512371E40315ABEB10EBE9CC45FAFB7BCAB08704F104C6BB614F7281DAB899508B55
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID: Code$ExpDate$Expried$FingerPrint$LastServerDate$LastValidate$LicenseDir$LicenseType$OverSeat$Random$Register.ini$Seat$license$main$registercm-2013$temp.dat
        • API String ID: 0-2637983748
        • Opcode ID: 66eb7d1761eca98bc82b11bc9c42932db23c991429f14d29c9c36317cb916755
        • Instruction ID: 33a7efb123719fd28a3dd8b95e7c71bd9d3de02028391c13461883df6478f167
        • Opcode Fuzzy Hash: 66eb7d1761eca98bc82b11bc9c42932db23c991429f14d29c9c36317cb916755
        • Instruction Fuzzy Hash: B7B13F347006099FD740EF69C852B9EB7B9EF88308F50847EE415AB791DB38AD058B99
        APIs
        • GetDC.USER32(00000000), ref: 0048C1F8
        • CreateCompatibleDC.GDI32(00000001), ref: 0048C25D
        • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0048C272
        • SelectObject.GDI32(?,00000000), ref: 0048C27C
        • SelectPalette.GDI32(?,?,00000000), ref: 0048C2AC
        • RealizePalette.GDI32(?), ref: 0048C2B8
        • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 0048C2DC
        • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0048C335,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0048C2EA
        • SelectPalette.GDI32(?,00000000,000000FF), ref: 0048C31C
        • SelectObject.GDI32(?,?), ref: 0048C329
        • DeleteObject.GDI32(00000000), ref: 0048C32F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
        • String ID: ($BM
        • API String ID: 2831685396-2980357723
        • Opcode ID: 0a326a0086bfd0f7f4c036cbe16f72becbfdc3d936293e33abea5b6d97865bf3
        • Instruction ID: f2512e28001eff2267587767504b78afe621ae4d9fc00ae5c1a228c8830c2ac2
        • Opcode Fuzzy Hash: 0a326a0086bfd0f7f4c036cbe16f72becbfdc3d936293e33abea5b6d97865bf3
        • Instruction Fuzzy Hash: 92D13070A002189FDF14EFA9C885AAEBBF5FF49304F14846AF904E7395D7389941CB69
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: LoadString
        • String ID: TVI
        • API String ID: 2948472770-1997888664
        • Opcode ID: 2ba87a619d2595b7eeda14a5f1e9bf5be9d789d22926bd3d65133d7928b9c6ee
        • Instruction ID: 00ade9b86a7784bfe93b308d5dbaac5f2d7195dda20df1c3ceee83e8e468aced
        • Opcode Fuzzy Hash: 2ba87a619d2595b7eeda14a5f1e9bf5be9d789d22926bd3d65133d7928b9c6ee
        • Instruction Fuzzy Hash: 8B124B35E00244EFDF11DBA9C9C5B9E7BF4AB08304F5501B6E904EB3A2D779AE419B48
        APIs
          • Part of subcall function 0048BD00: GetDC.USER32(00000000), ref: 0048BD56
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048BD6B
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048BD75
          • Part of subcall function 0048BD00: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0048A3B3,00000000,0048A43F), ref: 0048BD99
          • Part of subcall function 0048BD00: ReleaseDC.USER32(00000000,00000000), ref: 0048BDA4
        • SelectPalette.GDI32(?,?,000000FF), ref: 0048B543
        • RealizePalette.GDI32(?), ref: 0048B552
        • GetDeviceCaps.GDI32(?,0000000C), ref: 0048B564
        • GetDeviceCaps.GDI32(?,0000000E), ref: 0048B573
        • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0048B5A6
        • SetStretchBltMode.GDI32(?,00000004), ref: 0048B5B4
        • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 0048B5CC
        • SetStretchBltMode.GDI32(00000000,00000003), ref: 0048B5E9
        • CreateCompatibleDC.GDI32(00000000), ref: 0048B64A
        • SelectObject.GDI32(?,?), ref: 0048B65F
        • SelectObject.GDI32(?,00000000), ref: 0048B6BE
        • DeleteDC.GDI32(00000000), ref: 0048B6CD
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
        • String ID:
        • API String ID: 2414602066-0
        • Opcode ID: 11a5c63dcc666d555219aa18cd50f05cf95811c2cd1f03427ac667ad4593409f
        • Instruction ID: 4ea75079db86eeafe748e51e91bc2ce4348301661d69cb1802e1ce5bd15a8252
        • Opcode Fuzzy Hash: 11a5c63dcc666d555219aa18cd50f05cf95811c2cd1f03427ac667ad4593409f
        • Instruction Fuzzy Hash: 56910D75A04245AFDB50EBADC985F5EBBF8EF08304F14496AF548E7281D738E940CBA4
        APIs
          • Part of subcall function 0048BD00: GetDC.USER32(00000000), ref: 0048BD56
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048BD6B
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048BD75
          • Part of subcall function 0048BD00: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0048A3B3,00000000,0048A43F), ref: 0048BD99
          • Part of subcall function 0048BD00: ReleaseDC.USER32(00000000,00000000), ref: 0048BDA4
        • SelectPalette.GDI32(?,?,000000FF), ref: 0048B297
        • RealizePalette.GDI32(?), ref: 0048B2A6
        • GetDeviceCaps.GDI32(?,0000000C), ref: 0048B2B8
        • GetDeviceCaps.GDI32(?,0000000E), ref: 0048B2C7
        • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0048B2FA
        • SetStretchBltMode.GDI32(?,00000004), ref: 0048B308
        • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 0048B320
        • SetStretchBltMode.GDI32(00000000,00000003), ref: 0048B33D
        • CreateCompatibleDC.GDI32(00000000), ref: 0048B39E
        • SelectObject.GDI32(?,?), ref: 0048B3B3
        • SelectObject.GDI32(?,00000000), ref: 0048B412
        • DeleteDC.GDI32(00000000), ref: 0048B421
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
        • String ID:
        • API String ID: 2414602066-0
        • Opcode ID: 02695f0c5804b680e8bf96489d561046dfd432ab049a8968246fd0b6e0f79cf7
        • Instruction ID: 16b87fca996e456d442e38dc50db067db372b3eea94fbb4a62e43ac1f1d69196
        • Opcode Fuzzy Hash: 02695f0c5804b680e8bf96489d561046dfd432ab049a8968246fd0b6e0f79cf7
        • Instruction Fuzzy Hash: BB91EA71A00605AFDB50EBADC986F5EB7E8EF08704F148969F548E7292D738ED00CB94
        APIs
        • CreateCompatibleDC.GDI32(00000000), ref: 00488B7B
        • CreateCompatibleDC.GDI32(00000000), ref: 00488B85
        • GetObjectW.GDI32(?,00000018,?), ref: 00488BA5
        • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00488BBC
        • GetDC.USER32(00000000), ref: 00488BC8
        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00488BF5
        • ReleaseDC.USER32(00000000,00000000), ref: 00488C1B
        • SelectObject.GDI32(?,?), ref: 00488C36
        • SelectObject.GDI32(?,00000000), ref: 00488C45
        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00488C71
        • SelectObject.GDI32(?,00000000), ref: 00488C7F
        • SelectObject.GDI32(?,00000000), ref: 00488C8D
        • DeleteDC.GDI32(?), ref: 00488CA3
        • DeleteDC.GDI32(?), ref: 00488CAC
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
        • String ID:
        • API String ID: 644427674-0
        • Opcode ID: 806c24bca244e504280a82ee2c76bef609dce8e1bcbfd4a444282ea8ac8f3065
        • Instruction ID: 0d4f64c06a186f71b404dd2d53cb844b4a2c14f9f2be506dfc0bb3639ce36d1d
        • Opcode Fuzzy Hash: 806c24bca244e504280a82ee2c76bef609dce8e1bcbfd4a444282ea8ac8f3065
        • Instruction Fuzzy Hash: 3F411F71E00209AFEB50EBE9CD42FAFB7BCEB09704F50486EB604F7281CA7859008764
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f955eac85e4d80bcc9fac75ac4ef00d8a4cbc81919ba420b6230188277531ad3
        • Instruction ID: 1b441663d77bed767848bba8963e0e1720fa250bcef5a82c562cac141473f366
        • Opcode Fuzzy Hash: f955eac85e4d80bcc9fac75ac4ef00d8a4cbc81919ba420b6230188277531ad3
        • Instruction Fuzzy Hash: 56F16D34A00204DFDB10DFA9C585A9EB7F5AF2A314F1441ABE805AB372D738AE41DB48
        APIs
        • GetWindowDC.USER32(00000000), ref: 004BF938
        • GetClientRect.USER32(00000000,?), ref: 004BF95B
        • GetWindowRect.USER32(00000000,?), ref: 004BF96D
        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004BF983
        • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?,00000000,004BFBAF), ref: 004BF9AE
        • InflateRect.USER32(?,00000000,00000000), ref: 004BF9CC
        • GetWindowLongW.USER32(00000000,000000F0), ref: 004BF9E6
        • DrawEdge.USER32(?,?,?,00000008), ref: 004BFAE9
        • IntersectClipRect.GDI32(?,?,?,?,?), ref: 004BFB02
        • GetRgnBox.GDI32(?,?), ref: 004BFB38
        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004BFB4E
        • FillRect.USER32(?,?,00000000), ref: 004BFB8A
        • ReleaseDC.USER32(00000000,?), ref: 004BFBA9
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Rect$Window$ClipPoints$ClientDrawEdgeExcludeFillInflateIntersectLongRelease
        • String ID:
        • API String ID: 2031318930-0
        • Opcode ID: 02c7d6aaa28a1b506deb8fc21d6ff8e673a458d009f6e1a774e9b371f0e32949
        • Instruction ID: 92102b26dbb23526907a45db69a961f474fb8d5f32ad96d4ab9a02b8ec3d4bb9
        • Opcode Fuzzy Hash: 02c7d6aaa28a1b506deb8fc21d6ff8e673a458d009f6e1a774e9b371f0e32949
        • Instruction Fuzzy Hash: 14A14271E04108AFDB05DB99C885EDEB7F9AF49304F1440AAF558FB292C738AE05CB64
        APIs
          • Part of subcall function 00403408: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000,?,004CAC74,00000000,004CAD63,?,?,?,00000000,00000000,?,004D0F84), ref: 0040342E
          • Part of subcall function 0040C944: GetFileAttributesW.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C950
        • OutputDebugStringW.KERNEL32(IsUseAPI,?,00000000,004D06A6,?,?,?,?), ref: 004D063E
        • OutputDebugStringW.KERNEL32(IsUseWMI,?,00000000,004D06A6,?,?,?,?), ref: 004D064E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: DebugFileOutputString$AttributesModuleName
        • String ID: "M$Code$IsUseAPI$IsUseWMI$N/A$Tag$license$main$registercm-2013
        • API String ID: 3707199777-817946996
        • Opcode ID: e05e54a569128ee4c4a0affdb839a15c12a1d99a30f93da555ea350bf67471a0
        • Instruction ID: 14384b7ee3e773b67e7ec7a3f2f7b99a5c868776b16f49bf8a219aaa44701a28
        • Opcode Fuzzy Hash: e05e54a569128ee4c4a0affdb839a15c12a1d99a30f93da555ea350bf67471a0
        • Instruction Fuzzy Hash: 5B516270A042059FDB04DF99D8A1B9EBBF5EB88304F10857BE504A7791DB38A945CF6C
        APIs
        • GetClassInfoW.USER32(00400000,004A0A9C,?), ref: 004A0EE2
        • RegisterClassW.USER32(004E344C), ref: 004A0EFA
          • Part of subcall function 0040821C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408261
        • SetWindowLongW.USER32(?,000000FC,?), ref: 004A0F9A
        • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 004A0FBF
        • SetClassLongW.USER32(?,000000F2,00000000), ref: 004A0FD5
        • GetSystemMenu.USER32(?,00000000,?,000000FC,?), ref: 004A0FE3
        • DeleteMenu.USER32(00000000,0000F030,00000000,?,00000000,?,000000FC,?), ref: 004A0FF2
        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?), ref: 004A0FFF
        • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?), ref: 004A1016
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Menu$ClassDelete$Long$InfoLoadMessageRegisterSendStringSystemWindow
        • String ID: TPN$pSH
        • API String ID: 2334458219-864774921
        • Opcode ID: 94ed9bf4f317dac9d07c381cb2d05b08d694bca29ad0791b5100615f7065b0b3
        • Instruction ID: 4d184f11ec7fdd6884dcd6e037d8254d8e48218c0c86b7b5b9e00d0bd4eebe3c
        • Opcode Fuzzy Hash: 94ed9bf4f317dac9d07c381cb2d05b08d694bca29ad0791b5100615f7065b0b3
        • Instruction Fuzzy Hash: 624164706442406FEB11EF79DCC5FA633A8AB19704F54457AF944EF2D3CA79AC408728
        APIs
          • Part of subcall function 00412A7C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
          • Part of subcall function 00412A7C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
          • Part of subcall function 00412A7C: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
          • Part of subcall function 00412A7C: LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,00412D8D), ref: 00412CC9
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412CFC
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412D0E
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412D14
        • GetStdHandle.KERNEL32(000000F4,00412DA8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00412D28
        • WriteFile.KERNEL32(00000000,000000F4,00412DA8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00412D2E
        • LoadStringW.USER32(00000000,0000FFEA,?,00000040), ref: 00412D52
        • MessageBoxW.USER32(00000000,?,?,00002010), ref: 00412D6C
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
        • String ID: ,SN$H,A$TPN
        • API String ID: 135118572-3547145698
        • Opcode ID: bd625d9b98a0a7a06df433bf5e0f93d5420eff34eaa205febc43da7335612ba6
        • Instruction ID: 5f1650f25f6c9bc125e37627f5d62d57eca79b4502ee9af04add75c0f3de8bee
        • Opcode Fuzzy Hash: bd625d9b98a0a7a06df433bf5e0f93d5420eff34eaa205febc43da7335612ba6
        • Instruction Fuzzy Hash: 8331B5B1644204BEE714DBA4DD82FEA77ACEB04704F5040BAB644F71D2DEB46E40876D
        APIs
        • FindWindowW.USER32(MouseZ,Magellan MSWHEEL), ref: 00409468
        • RegisterWindowMessageW.USER32(MSWHEEL_ROLLMSG), ref: 00409474
        • RegisterWindowMessageW.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 00409483
        • RegisterWindowMessageW.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 0040948F
        • SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004094A7
        • SendMessageW.USER32(00000000,?,00000000,00000000), ref: 004094CB
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Message$Window$Register$Send$Find
        • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
        • API String ID: 3569030445-3736581797
        • Opcode ID: 2751fb53e279f2334aca41324726efc0be691bd30645f4d3afd637d7b5a27103
        • Instruction ID: cd1048737af0da3b37f397480d1dfc979b9146f9204238d19d497a535efaeb4d
        • Opcode Fuzzy Hash: 2751fb53e279f2334aca41324726efc0be691bd30645f4d3afd637d7b5a27103
        • Instruction Fuzzy Hash: 141121B1245305BFE7119FA6CC41B6BB7A8EF45714F24447AF940AB2C2D6B85C41CB98
        APIs
        • BeginPaint.USER32(00000000,?), ref: 004BC6E4
          • Part of subcall function 004BBEF8: BeginPaint.USER32(00000000,?), ref: 004BBF23
          • Part of subcall function 004BBEF8: EndPaint.USER32(00000000,?,004BC05E), ref: 004BC051
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Paint$Begin
        • String ID: TVI
        • API String ID: 3787552996-1997888664
        • Opcode ID: 2ba2ff30430d528bc6185053cea646927cdbe01c2b51c160db21efe227a4b8e1
        • Instruction ID: 521d90b6e051d4fefd3c2027ddc2799d3b7b339b6042634e78cb49c1a045784c
        • Opcode Fuzzy Hash: 2ba2ff30430d528bc6185053cea646927cdbe01c2b51c160db21efe227a4b8e1
        • Instruction Fuzzy Hash: 50611271A00508AFDB05EFA9C991EEEBBF9EB49704F10447AF504E7691DB389E01CB64
        APIs
        • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004904D5
        • GetSystemMetrics.USER32(00000000), ref: 004904FA
        • GetSystemMetrics.USER32(00000001), ref: 00490505
        • GetClipBox.GDI32(?,?), ref: 00490517
        • GetDCOrgEx.GDI32(?,?), ref: 00490524
        • OffsetRect.USER32(?,?,?), ref: 0049053D
        • IntersectRect.USER32(?,?,?), ref: 0049054E
        • IntersectRect.USER32(?,?,?), ref: 00490564
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
        • String ID: EnumDisplayMonitors
        • API String ID: 362875416-2491903729
        • Opcode ID: e8bb12f0c525c1eda4cc895c968282a0e876e650603c79ce9be44681508c2962
        • Instruction ID: 57c5c6e81dc5889973ec9ba1f7259f7de1f8324325462771828850b1773c8b4b
        • Opcode Fuzzy Hash: e8bb12f0c525c1eda4cc895c968282a0e876e650603c79ce9be44681508c2962
        • Instruction Fuzzy Hash: 9C311A72A01209AEDF10DAA589859EF7BACAF49310F01453BED25E6241E738D9048FA9
        APIs
        • GetWindowLongW.USER32(00000000,000000EC), ref: 004ACE87
        • GetWindowRect.USER32(00000000,?), ref: 004ACEA2
        • GetWindowDC.USER32(00000000,00000000,?,00000000,000000EC), ref: 004ACEC2
        • GetWindowLongW.USER32(00000000,000000F0), ref: 004ACEF3
        • GetSystemMetrics.USER32(00000002), ref: 004ACF08
        • GetSystemMetrics.USER32(00000003), ref: 004ACF11
        • InflateRect.USER32(?,000000FE,000000FE), ref: 004ACF20
        • GetSysColorBrush.USER32(0000000F), ref: 004ACF4D
        • FillRect.USER32(?,?,00000000), ref: 004ACF5B
        • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,004ACFC2,?,00000000,00000000,?,00000000,000000EC), ref: 004ACF80
        • ReleaseDC.USER32(00000000,?), ref: 004ACFBC
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: RectWindow$LongMetricsSystem$BrushClipColorExcludeFillInflateRelease
        • String ID:
        • API String ID: 3669760922-0
        • Opcode ID: b5738dbbcc0f1cd0d5242e9a3d5f1a400d39b79b6864938cfc952bd8b563022a
        • Instruction ID: 9d66d09ac220f92a828ffefec6c85cf72b1476fc86ef9c1ce5c1d03d2131d1fe
        • Opcode Fuzzy Hash: b5738dbbcc0f1cd0d5242e9a3d5f1a400d39b79b6864938cfc952bd8b563022a
        • Instruction Fuzzy Hash: E6413371A00109AFDB01EAA9CD86DDFB7BDAF49314F14056AF504F7282DA38AE018768
        APIs
        • IsWindowUnicode.USER32(?), ref: 004B29C6
        • SetWindowLongW.USER32(?,000000FC,?), ref: 004B29E1
        • GetWindowLongW.USER32(?,000000F0), ref: 004B29EC
        • GetWindowLongW.USER32(?,000000F4), ref: 004B29FE
        • SetWindowLongW.USER32(?,000000F4,?), ref: 004B2A11
        • SetWindowLongW.USER32(?,000000FC,?), ref: 004B2A2A
        • GetWindowLongW.USER32(?,000000F0), ref: 004B2A35
        • GetWindowLongW.USER32(?,000000F4), ref: 004B2A47
        • SetWindowLongW.USER32(?,000000F4,?), ref: 004B2A5A
        • SetPropW.USER32(?,00000000,00000000), ref: 004B2A71
        • SetPropW.USER32(?,00000000,00000000), ref: 004B2A88
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$Long$Prop$Unicode
        • String ID:
        • API String ID: 1693715928-0
        • Opcode ID: 4468226d433bd0301ec60c2119b2e5561746ce2c39e429a74cfa05bbb2f96cb0
        • Instruction ID: 1b991acb374edd193739c1baab8095eac5f2689447c292df2641d94bbf1cb7d5
        • Opcode Fuzzy Hash: 4468226d433bd0301ec60c2119b2e5561746ce2c39e429a74cfa05bbb2f96cb0
        • Instruction Fuzzy Hash: 3E31EE75600145BBDF10DFA9DC88DDA37A8AB0D365F108626BD18DF2E2D638DD40CB68
        APIs
        • ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 004ADA33
        • ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 004ADAD4
        • SetTextColor.GDI32(00000000,00FFFFFF), ref: 004ADB21
        • SetBkColor.GDI32(00000000,00000000), ref: 004ADB29
        • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 004ADB4E
          • Part of subcall function 004AD9AC: ImageList_GetBkColor.COMCTL32(00000000,?,004ADA0D,00000000,?), ref: 004AD9C2
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ColorImageList_$Draw$Text
        • String ID: `H
        • API String ID: 2027629008-4190844569
        • Opcode ID: 37303f34c8bdad51dbcec38365a04466ab4b49959a5f10a74d41b25400b7a855
        • Instruction ID: 317df277f8f19346671695372b23265649f4c340855b0f1742a9eb3b6d830ca9
        • Opcode Fuzzy Hash: 37303f34c8bdad51dbcec38365a04466ab4b49959a5f10a74d41b25400b7a855
        • Instruction Fuzzy Hash: DF51F9716002046BDB40FF69CD82F9E37ACAF19314F50156AFA14EB286CA78EC4597A9
        APIs
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,00412D8D), ref: 00412CC9
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412CFC
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412D0E
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412D14
        • GetStdHandle.KERNEL32(000000F4,00412DA8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00412D28
        • WriteFile.KERNEL32(00000000,000000F4,00412DA8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00412D2E
          • Part of subcall function 00412A7C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
          • Part of subcall function 00412A7C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
          • Part of subcall function 00412A7C: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
          • Part of subcall function 00412A7C: LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
        • LoadStringW.USER32(00000000,0000FFEA,?,00000040), ref: 00412D52
        • MessageBoxW.USER32(00000000,?,?,00002010), ref: 00412D6C
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
        • String ID: ,SN$H,A$TPN
        • API String ID: 135118572-3547145698
        • Opcode ID: db3e0638e0213f5a4969752519b4c06d43779a39d126e93f5c2d26995e497777
        • Instruction ID: a36de6f8be41258c96cc5c656c11b188c82894e7e72865433a7f9b0660e6e264
        • Opcode Fuzzy Hash: db3e0638e0213f5a4969752519b4c06d43779a39d126e93f5c2d26995e497777
        • Instruction Fuzzy Hash: 4731C671644204BFE714EB60DE42FEE77ACDB05714F6041BAB600E61D2DAB86E50876C
        APIs
        • RectVisible.GDI32(?,?), ref: 004BC1AC
        • SaveDC.GDI32(?), ref: 004BC1CF
        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004BC20F
        • RestoreDC.GDI32(?,004BC057), ref: 004BC23B
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Rect$ClipIntersectRestoreSaveVisible
        • String ID:
        • API String ID: 1976014923-0
        • Opcode ID: 4711b357fb44512edd3753a216ceebd1bc243029991c4cab82e4a262f956564f
        • Instruction ID: edd7c5e8bcd210b53009ec5bb4c341e7fa5cd51bf2157b51580f2b1c48bcb3da
        • Opcode Fuzzy Hash: 4711b357fb44512edd3753a216ceebd1bc243029991c4cab82e4a262f956564f
        • Instruction Fuzzy Hash: 8091D570A042489FDB04DF99C5C5BEEBBF4AF48304F1440AAE944AB392D779ED81CB64
        APIs
        • SaveDC.GDI32(?), ref: 004BC43D
          • Part of subcall function 004B47BC: GetWindowOrgEx.GDI32(?), ref: 004B47CA
          • Part of subcall function 004B47BC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004B47E0
        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004BC476
        • GetWindowLongW.USER32(00000000,000000EC), ref: 004BC48A
        • GetWindowLongW.USER32(00000000,000000F0), ref: 004BC4AB
        • SetRect.USER32(00000010,00000000,00000000,?,?), ref: 004BC50B
        • IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004BC57B
          • Part of subcall function 004BC374: SaveDC.GDI32(?), ref: 004BC384
          • Part of subcall function 004BC374: ExcludeClipRect.GDI32(?,?,?,?,?,00000000,004BC408,?,?), ref: 004BC3C5
          • Part of subcall function 004BC374: RestoreDC.GDI32(?,?), ref: 004BC402
        • SetRect.USER32(?,00000000,00000000,?,?), ref: 004BC59C
        • DrawEdge.USER32(?,?,00000000,00000000), ref: 004BC5AB
        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004BC5D4
        • RestoreDC.GDI32(?,?), ref: 004BC653
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Rect$ClipWindow$Intersect$LongRestoreSave$DrawEdgeExclude
        • String ID:
        • API String ID: 3997055466-0
        • Opcode ID: 03ce09718371efd3715800d22b17bcbfbb2050d87704dc706779f2e904746545
        • Instruction ID: 7d1e804c4187e36a224897998dd1483f9712322017a5392542c9d1a1fa5538ca
        • Opcode Fuzzy Hash: 03ce09718371efd3715800d22b17bcbfbb2050d87704dc706779f2e904746545
        • Instruction Fuzzy Hash: 3B71DE75A00209AFDB10DB99C9C5FDEB7F9AF49304F104196B914A7392CB38AE41DB64
        APIs
        • GetCapture.USER32 ref: 0049E441
        • GetCapture.USER32 ref: 0049E450
        • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 0049E456
        • ReleaseCapture.USER32 ref: 0049E45B
        • GetActiveWindow.USER32 ref: 0049E478
        • IsWindow.USER32(00000000), ref: 0049E4BE
        • GetActiveWindow.USER32 ref: 0049E4C7
        • SendMessageW.USER32(00000000,0000B000,00000000,00000000), ref: 0049E55D
        • SendMessageW.USER32(00000000,0000B001,00000000,00000000), ref: 0049E5CA
        • GetActiveWindow.USER32 ref: 0049E5D9
        Similarity
        • API ID: Window$ActiveCaptureMessageSend$Release
        • String ID:
        • API String ID: 3054343883-0
        • Opcode ID: 79d3162e025b625b3f2c58657d4003ff1c57b1e361c36933f21b9f7315f7daaa
        • Instruction ID: d77e2d3a7c7f4e4bf64f19aba89d1aec0ad0ec67f739e26fd3bc6e7c4c82ad79
        • Opcode Fuzzy Hash: 79d3162e025b625b3f2c58657d4003ff1c57b1e361c36933f21b9f7315f7daaa
        • Instruction Fuzzy Hash: 0B615270A00244EFDB11EF66C986B9E7BF5EF45704F5544BAF400AB2A2DB789D40DB48
        APIs
        • GetWindowLongW.USER32(00000000,000000F0), ref: 0049A7BD
        • GetWindowLongW.USER32(00000000,000000EC), ref: 0049A7CF
        • GetClassLongW.USER32(00000000,000000E6), ref: 0049A7E2
        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0049A822
        • SetWindowLongW.USER32(00000000,000000EC,?), ref: 0049A836
        • SetClassLongW.USER32(00000000,000000E6,?), ref: 0049A84A
        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0049A884
        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0049A89C
        • GetSystemMenu.USER32(00000000,000000FF,00000000,000000EC,?,00000000,000000F0,00000000,?,00000000,000000EC,00000000,000000F0), ref: 0049A8AB
        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037,00000000,000000EC,?,00000000,000000F0,00000000,?,00000000,000000EC), ref: 0049A8D4
        Similarity
        • API ID: Long$Window$ClassMessageSend$MenuSystem
        • String ID:
        • API String ID: 494549727-0
        • Opcode ID: e15f2f2472d57cefc9bbcae6fec14d07a6f342ad341ab193849953bb45b14a00
        • Instruction ID: f389430844721380c32f264ae6b3fd6fb1bf9ddb1f05504a93a2a8840b66e5e0
        • Opcode Fuzzy Hash: e15f2f2472d57cefc9bbcae6fec14d07a6f342ad341ab193849953bb45b14a00
        • Instruction Fuzzy Hash: 3741D86070420166DA01B77E8C4ABFF6E5D6FC5308F18466AB454AB2D3CA7CDC16D39B
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0042DE68
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042DE89
        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 0042DEBD
        • LeaveCriticalSection.KERNEL32(?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DEC3
        • WaitForSingleObject.KERNEL32(?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DED0
        • SetLastError.KERNEL32(000005B4,?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DEEA
        • SetLastError.KERNEL32(00000000,?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DEFD
        • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DF03
        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 0042DF1A
        • CloseHandle.KERNEL32(?,0042DF44,?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DF33
        Similarity
        • API ID: CriticalErrorExchangeInterlockedLastSection$CloseCreateCurrentEnterEventHandleLeaveObjectSingleThreadWait
        • String ID:
        • API String ID: 3135347424-0
        • Opcode ID: 7d539f6c2c1237d247d0c10607fbf304c6210fbb690f8278d3b04c00472e80ef
        • Instruction ID: 61575e172f3a7f3c7ab0ddb9c477ef1ad7a5c290e3402839519c7c4a618876ad
        • Opcode Fuzzy Hash: 7d539f6c2c1237d247d0c10607fbf304c6210fbb690f8278d3b04c00472e80ef
        • Instruction Fuzzy Hash: 6E21EB71F04254AADF10EBA5DD42B6EB7F8DB04304F5584ABF944EB282CA7C9900877E
        APIs
        • GetSystemMenu.USER32(00000000,00000000), ref: 0049CCF3
        • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0049CD11
        • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0049CD1E
        • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0049CD2B
        • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0049CD38
        • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0049CD45
        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0049CD52
        • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0049CD5F
        • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0049CD7D
        • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0049CD99
        Similarity
        • API ID: Menu$Delete$EnableItem$System
        • String ID:
        • API String ID: 3985193851-0
        • Opcode ID: 00c915f5e46cb1f40671114be2c3a96ae1e70554b11399ee766d8acd6fa921a7
        • Instruction ID: d95e9002f4c886db997a1fcb8ed6ae53c8e1023d2f581d7934c89cfc23cbc06a
        • Opcode Fuzzy Hash: 00c915f5e46cb1f40671114be2c3a96ae1e70554b11399ee766d8acd6fa921a7
        • Instruction Fuzzy Hash: 6F2150743853057AEB20DA35CECEF997FD95B04B48F1440B9B6887F2D3CAB8A940965C
        APIs
          • Part of subcall function 00455A58: RegCloseKey.ADVAPI32(10C80000,004558D4,00000001,004559D6,00000000,?,004CFCB3,00000000,004CFD34,?,00000000,004CFE86), ref: 00455A6C
          • Part of subcall function 00455B98: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00455C9D,?,00000000,00000000), ref: 00455C12
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000,00000000,004CFAFB,?,?,?,?,?,004D3524,00000000,004D388C), ref: 004CF9B7
          • Part of subcall function 00403468: QueryPerformanceCounter.KERNEL32 ref: 0040346C
        Strings
        Similarity
        • API ID: CloseCounterFolderOpenPathPerformanceQuerySpecial
        • String ID: .ShellClassInfo$480EA5B8931F267E4A7558F0111B5F71$CLSID$LocalDB6Flag$c$desktop.ini${E0224FF9-7AE3-4F9E-991A-2F004F7E3952}
        • API String ID: 2104657973-3525347970
        • Opcode ID: d9620ec36ac6bfd394fec85f9e1292dc4aa91dd649f043d67b4769e6a23abc2c
        • Instruction ID: b7d9b331e1561564fc754e9eb3742f6794eff5ded8a699b3b1204317578cc6a4
        • Opcode Fuzzy Hash: d9620ec36ac6bfd394fec85f9e1292dc4aa91dd649f043d67b4769e6a23abc2c
        • Instruction Fuzzy Hash: EC5186747006089FD750EF65D892B9EB7B5EB48304F6044BEF805A7382D73DAE098B58
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0042B9F9
        • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000), ref: 0042BA6B
        • EnterCriticalSection.KERNEL32(004E9E74,00000000,0042BB89), ref: 0042BA93
        • LeaveCriticalSection.KERNEL32(004E9E74,00000000,0042BB62,?,004E9E74,00000000,0042BB89), ref: 0042BB0A
        • WaitForSingleObject.KERNEL32(?,000000FF,00000000,0042BB43,?,004E9E74,00000000,0042BB62,?,004E9E74,00000000,0042BB89), ref: 0042BB26
        • EnterCriticalSection.KERNEL32(004E9E74,0042BB4A,0042BB43,?,004E9E74,00000000,0042BB62,?,004E9E74,00000000,0042BB89), ref: 0042BB3D
        Strings
        Similarity
        • API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
        • String ID: <PN
        • API String ID: 1504017990-4193252389
        • Opcode ID: 616336ac9c0020fbb9fde4e4a9b5b22c73cab5ac8feaa022cf873af4986cfa76
        • Instruction ID: 9443b20aeeab2f96d9992d8a114789c949be5aed6358a9623936e7c11f1a5130
        • Opcode Fuzzy Hash: 616336ac9c0020fbb9fde4e4a9b5b22c73cab5ac8feaa022cf873af4986cfa76
        • Instruction Fuzzy Hash: 8741B030B04254EFD710DF69E892E59BBF1EB09300F9581A7E850977E5C778AD00DB99
        APIs
        • MulDiv.KERNEL32(?,?,?), ref: 004B5EEF
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F09
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F37
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F4D
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F7B
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F93
          • Part of subcall function 00487984: MulDiv.KERNEL32(00000000,00000048,?), ref: 00487995
        • MulDiv.KERNEL32(?), ref: 004B5FF6
        • MulDiv.KERNEL32(?), ref: 004B6020
        • MulDiv.KERNEL32(00000000), ref: 004B6046
          • Part of subcall function 004879A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 004879AD
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 52e440e2166533400f631bb549aa738d13d6b1e629f2cd9525d1c0b661bcf21f
        • Instruction ID: b73c9c362ea31a7355c4f49cfcde276da3c920a503d20eb8009e7b59bffb299d
        • Opcode Fuzzy Hash: 52e440e2166533400f631bb549aa738d13d6b1e629f2cd9525d1c0b661bcf21f
        • Instruction Fuzzy Hash: 4E5162B1604B50AFC310EB6AC885BABF7F9AF85344F04482EB5D5C7351CA79E9408B29
        APIs
        • GetDesktopWindow.USER32 ref: 004B6EC3
        • GetDCEx.USER32(?,00000000,00000402), ref: 004B6ED6
        • SelectObject.GDI32(?,00000000), ref: 004B6EF9
        • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004B6F1F
        • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004B6F41
        • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004B6F60
        • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004B6F7A
        • SelectObject.GDI32(?,?), ref: 004B6F87
        • ReleaseDC.USER32(?,?), ref: 004B6FA1
        Similarity
        • API ID: ObjectSelect$DesktopReleaseWindow
        • String ID:
        • API String ID: 1187665388-0
        • Opcode ID: 5cdf7d3ffd94fadfd483eef8bb959c6d7f91a87d1f479697a81bdf5d5fed3883
        • Instruction ID: 004ff0a56827d61eb5354df34c93af9adc4b10ca797a72ec412b59e6fee2582d
        • Opcode Fuzzy Hash: 5cdf7d3ffd94fadfd483eef8bb959c6d7f91a87d1f479697a81bdf5d5fed3883
        • Instruction Fuzzy Hash: 3F31F9B6A00619AFDB00DEEDCD85EEFBBBDAF09704B414469B504F7241C679AD048BA4
        APIs
        • SystemParametersInfoW.USER32(0000001F,0000005C,?,00000000), ref: 004A0076
        • CreateFontIndirectW.GDI32(?), ref: 004A0083
        • GetStockObject.GDI32(0000000D), ref: 004A0096
          • Part of subcall function 004879A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 004879AD
        • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 004A00BD
        • CreateFontIndirectW.GDI32(?), ref: 004A00CD
        • CreateFontIndirectW.GDI32(?), ref: 004A00E3
        • CreateFontIndirectW.GDI32(?), ref: 004A00FC
        • GetStockObject.GDI32(0000000D), ref: 004A011F
        • GetStockObject.GDI32(0000000D), ref: 004A0133
        Similarity
        • API ID: CreateFontIndirect$ObjectStock$InfoParametersSystem
        • String ID:
        • API String ID: 2565622021-0
        • Opcode ID: 0776fa03f8224b8544b5a1109ace03f530f5b004912077ae6826c52b1357f9a5
        • Instruction ID: 54dedf420582d4181b2da3adfe7c2d59a034c96846d72afcee8b2e84bfb7a7c6
        • Opcode Fuzzy Hash: 0776fa03f8224b8544b5a1109ace03f530f5b004912077ae6826c52b1357f9a5
        • Instruction Fuzzy Hash: 8841B3306042049BDB50FB6ADD9AB9E37E4AF49304F50447BB908DB397DA78DC04CB68
        APIs
        • InsertMenuItemW.USER32(?,000000FF,000000FF,00000030), ref: 004A6012
          • Part of subcall function 004A6388: CreateMenu.USER32 ref: 004A63B3
        • GetVersion.KERNEL32(00000000,004A60C4), ref: 004A5E99
          • Part of subcall function 004A6388: CreatePopupMenu.USER32 ref: 004A63A6
        • InsertMenuW.USER32(?,000000FF,00000000,00000000,00000000), ref: 004A6085
        • InsertMenuW.USER32(?,000000FF,00000000,?,00000000), ref: 004A60A1
        Strings
        Similarity
        • API ID: Menu$Insert$Create$ItemPopupVersion
        • String ID: ,$?$`KJ
        • API String ID: 2359071979-3359517160
        • Opcode ID: 66727b5b979415396753331197a3c814777cd3031c22b8e2df5bb4afda21a7b6
        • Instruction ID: f2a88a99ef0e44ff95a4f8c9f36d06a887f2fbadaa59b62f82584f3536064026
        • Opcode Fuzzy Hash: 66727b5b979415396753331197a3c814777cd3031c22b8e2df5bb4afda21a7b6
        • Instruction Fuzzy Hash: 7F81E230A00685AFDB11EF69CA80AAEB7F5BB16304F18416BF550D7792D338EE51CB58
        APIs
        • GetThreadLocale.KERNEL32(00000000,0041493A,?,?,00000000,00000000), ref: 00414692
          • Part of subcall function 00412324: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        Strings
        Similarity
        • API ID: Locale$InfoThread
        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
        • API String ID: 4232894706-2493093252
        • Opcode ID: 7db61faeaae01e81919bcb269c75940e3a4b504abe6a49e8dde41969325aa69c
        • Instruction ID: 703be39ab42d4fa64003ac936c2f4343490b4c6daea84c8ec6e43df52901141d
        • Opcode Fuzzy Hash: 7db61faeaae01e81919bcb269c75940e3a4b504abe6a49e8dde41969325aa69c
        • Instruction Fuzzy Hash: AA717F747101889BDB01FBB5D891ADF76B6EB88308F50943BB511AB286DA3CE945871C
        APIs
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,00000000,004D60AB,?,00000000,004D60EF,?,?,?,?,00000000), ref: 004D5F75
        • GetSurplusDays.REGISTER(?,?,?,00000000,004D60AB,?,00000000,004D60EF,?,?,?,?,00000000,00000000), ref: 004D5F80
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,004D60AB,?,00000000,004D60EF), ref: 004D602C
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,004D60AB,?,00000000,004D60EF), ref: 004D5FD3
          • Part of subcall function 00404FB4: CreateThread.KERNEL32(00000000,?,00404F7C,00000000,FFFFFFFF,?), ref: 00405004
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,00000000,004D60AB,?,00000000,004D60EF,?,?,?,?,00000000), ref: 004D6084
        • PostMessageW.USER32(?,0000052C,00000001,00000000), ref: 004D609C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CloseHandle$CreateDaysMessagePostSurplusThread
        • String ID: N/A
        • API String ID: 3316436020-2525114547
        • Opcode ID: a72685a93e1b5ec3e1503d422eed0986c1f65ab78c991998825072a421967211
        • Instruction ID: 88261e82a986a4890467b88b601cefeac56fdcad105a1dc9e58ecde1798e09e6
        • Opcode Fuzzy Hash: a72685a93e1b5ec3e1503d422eed0986c1f65ab78c991998825072a421967211
        • Instruction Fuzzy Hash: D161B830A103099FEB04EFA5C8A1B9F77A9EB85318F51853FE804A73C5DA3C59058B65
        APIs
          • Part of subcall function 00455A58: RegCloseKey.ADVAPI32(10C80000,004558D4,00000001,004559D6,00000000,?,004CFCB3,00000000,004CFD34,?,00000000,004CFE86), ref: 00455A6C
          • Part of subcall function 00455B98: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00455C9D,?,00000000,00000000), ref: 00455C12
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000,00000000,004CFE86), ref: 004CFD55
          • Part of subcall function 004560D8: RegCloseKey.ADVAPI32(00000000,00000000,0045613D,?,00000000), ref: 0045611B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Close$FolderOpenPathSpecial
        • String ID: .ShellClassInfo$480EA5B8931F267E4A7558F0111B5F71$CLSID$LocalDB6Flag$desktop.ini${E0224FF9-7AE3-4F9E-991A-2F004F7E3952}
        • API String ID: 3637076197-677811820
        • Opcode ID: 6fb5abf29e028827cf002bbc1bac85e9345faf49b050de88e90be8ce0b1fca4b
        • Instruction ID: 918b3a06a32e50c9a49e35c309e01d572dd1ce78479d26214e5ea295d5129353
        • Opcode Fuzzy Hash: 6fb5abf29e028827cf002bbc1bac85e9345faf49b050de88e90be8ce0b1fca4b
        • Instruction Fuzzy Hash: FB5151346002089FDB50EF65D991B9E77F6EB49304F6044BAE805E7392D73C9E498B58
        APIs
        • GetClassInfoW.USER32(?,?,?), ref: 004BAA88
        • UnregisterClassW.USER32(?,?), ref: 004BAAB3
        • RegisterClassW.USER32(?), ref: 004BAAD2
        • GetWindowLongW.USER32(00000000,000000F0), ref: 004BAB0E
        • GetWindowLongW.USER32(00000000,000000F4), ref: 004BAB23
        • SetWindowLongW.USER32(00000000,000000F4,00000000), ref: 004BAB36
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ClassLongWindow$InfoRegisterUnregister
        • String ID: @
        • API String ID: 717780171-2766056989
        • Opcode ID: e2b5cbae2bd71b14f27f86a1545d9164307eb182d6ff9745fb27e2ddd699fd6e
        • Instruction ID: fd71a725764761384c1fc39b46d662ef39ab567b2811f4546cfa6bbce731f075
        • Opcode Fuzzy Hash: e2b5cbae2bd71b14f27f86a1545d9164307eb182d6ff9745fb27e2ddd699fd6e
        • Instruction Fuzzy Hash: A451C3306003149FDB20EB69CC85BDA73E8AF09308F1045BAE459E7282DB78AD44CF69
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0042B433
        • GetCurrentThreadId.KERNEL32 ref: 0042B442
          • Part of subcall function 0042B3DC: ResetEvent.KERNEL32(000001FC,0042B47D), ref: 0042B3E2
        • EnterCriticalSection.KERNEL32(004E9E74), ref: 0042B487
        • InterlockedExchange.KERNEL32(004D9D94,?), ref: 0042B4A3
        • LeaveCriticalSection.KERNEL32(004E9E74,00000000,0042B5EB,?,004D9D94,?,00000000,0042B60A,?,004E9E74), ref: 0042B4FC
        • EnterCriticalSection.KERNEL32(004E9E74,0042B594,004E9E74,00000000,0042B5EB,?,004D9D94,?,00000000,0042B60A,?,004E9E74), ref: 0042B587
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
        • String ID: <PN
        • API String ID: 2189153385-4193252389
        • Opcode ID: f5b8661bba5d1c6233b8f32775328d542a66d944e60efaead852df78887e76b8
        • Instruction ID: 2107f9235c6b9ec34adea447ff4df02b38e2c1a540b9846fbd6970f2cb29fff4
        • Opcode Fuzzy Hash: f5b8661bba5d1c6233b8f32775328d542a66d944e60efaead852df78887e76b8
        • Instruction Fuzzy Hash: 7741C430B04754AFD711EF65E891A6AB7F4EF09704F9144ABF8009B292D77C9D40CA69
        APIs
        • GetMonitorInfoA.USER32(?,?), ref: 004901FD
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00490224
        • GetSystemMetrics.USER32(00000000), ref: 00490239
        • GetSystemMetrics.USER32(00000001), ref: 00490244
        • lstrcpyW.KERNEL32(?,DISPLAY), ref: 0049026E
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
        • String ID: DISPLAY$GetMonitorInfoW
        • API String ID: 1539801207-2774842281
        • Opcode ID: b3346cdbbea97296fafb614ebb99dd31dc4b8424575365dbf47f9a79a48e9c2e
        • Instruction ID: 06bd93b746cdcf1361913523d4f0f7ee7063f646e40f37399ca4edfcc83fdf0b
        • Opcode Fuzzy Hash: b3346cdbbea97296fafb614ebb99dd31dc4b8424575365dbf47f9a79a48e9c2e
        • Instruction Fuzzy Hash: 5811EE31600319AFDB208F619C89BA7BBE8EB45310F00053AEC55DB281D7B4AC04CBA8
        APIs
        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?), ref: 00404DC1
        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?), ref: 00404DC7
        • GetStdHandle.KERNEL32(000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DDC
        • WriteFile.KERNEL32(00000000,000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DE2
        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404E00
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FileHandleWrite$Message
        • String ID: Error$Runtime error at 00000000
        • API String ID: 1570097196-2970929446
        • Opcode ID: b9e09fdfad5755abd85d3238de91445b1049d583da806ad37d3decfb01c1f777
        • Instruction ID: 58daa97144d4e482d55ab461567c7ad963b218e1f466acc67ee02093c53baa81
        • Opcode Fuzzy Hash: b9e09fdfad5755abd85d3238de91445b1049d583da806ad37d3decfb01c1f777
        • Instruction Fuzzy Hash: 38F096A069138075E61067505C96FDA22985790F69F60437FF720F85E296FC48C4825D
        APIs
        • Sleep.KERNEL32(00000000,?,?,00000000,00401B4E), ref: 00401F72
        • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00401B4E), ref: 00401F8C
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: 314a72f93048f83d1a659beb3255e95dce3be56a53dbe10d1351c67a8c16f605
        • Instruction ID: 6fc1c855a53b7638fdfde927724344da7cf1f9963f1eb0829b047a052f8b6f15
        • Opcode Fuzzy Hash: 314a72f93048f83d1a659beb3255e95dce3be56a53dbe10d1351c67a8c16f605
        • Instruction Fuzzy Hash: E571E2716043408FD7159B29C9C5B2ABBD4AF85318F18827FE548AB3F2D7B88845CB5A
        APIs
        • PeekMessageW.USER32(?,00000000,00000200,0000020A,00000001), ref: 004A24B8
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004A24D0
        • IsWindowUnicode.USER32 ref: 004A24E4
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004A250B
        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004A2521
        • TranslateMessage.USER32 ref: 004A25AC
        • DispatchMessageW.USER32 ref: 004A25B9
        • DispatchMessageA.USER32 ref: 004A25C1
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
        • String ID:
        • API String ID: 2190272339-0
        • Opcode ID: 48f97378b78c14c74323410bce683d8bf4758b4eea33bf99aca62540bcb3225f
        • Instruction ID: cba9e3adfee8f4ee34f356098a068f1c77d621b207720d1cb9339dacf5a96f26
        • Opcode Fuzzy Hash: 48f97378b78c14c74323410bce683d8bf4758b4eea33bf99aca62540bcb3225f
        • Instruction Fuzzy Hash: DF31062074434035EA31362D0E52BAF66C52FB3B09F14495FF9C0672C2DBED9946A26E
        APIs
        • GetCapture.USER32 ref: 004A2276
        • IsWindowUnicode.USER32(00000000), ref: 004A22B9
        • SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 004A22D4
        • SendMessageA.USER32(00000000,-0000BBEE,00000000,?), ref: 004A22F3
        • GetWindowThreadProcessId.USER32(00000000), ref: 004A2302
        • GetWindowThreadProcessId.USER32(?,?), ref: 004A2313
        • SendMessageW.USER32(00000000,-0000BBEE,00000000,?), ref: 004A2333
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
        • String ID:
        • API String ID: 1994056952-0
        • Opcode ID: 3be9a4472b7b608821ad60ad63960da6291405b125ad3e8e3dbe75b5b2c28e47
        • Instruction ID: 38ad978151c65801440ae158faef9e7502875018ee650d9953c2c5dbb78d0894
        • Opcode Fuzzy Hash: 3be9a4472b7b608821ad60ad63960da6291405b125ad3e8e3dbe75b5b2c28e47
        • Instruction Fuzzy Hash: F02171712046096FD620EA6DCE40FAB73DC9F27314B14446AFD59D7742DAACFC009769
        APIs
        • GetDC.USER32(00000000), ref: 004890CA
        • GetDeviceCaps.GDI32(?,00000068), ref: 004890E6
        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00489105
        • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 00489129
        • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 00489147
        • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0048915B
        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0048917B
        • ReleaseDC.USER32(00000000,?), ref: 00489193
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: EntriesPaletteSystem$CapsDeviceRelease
        • String ID:
        • API String ID: 1781840570-0
        • Opcode ID: fe0e8d78f6ecdd54a0bad73cefd17c22b87c54ed4f4ba74fed2dc700dd139e2c
        • Instruction ID: 3516ea628146eee330a9369aa4bc06b9763796a3649f7be477acb381c09ca2d3
        • Opcode Fuzzy Hash: fe0e8d78f6ecdd54a0bad73cefd17c22b87c54ed4f4ba74fed2dc700dd139e2c
        • Instruction Fuzzy Hash: 4621A6B1A00609FAEB10DBA5CD85FAE73ACEB08704F5005AAF704F61C1D6789E409B28
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 025845d9d61e1786f5c57a6eea5e24909f272c0f2c8c373da7e2e6127155694b
        • Instruction ID: 6af61f43e6ce22b0e372bb51e11ebd2a254c7ec7893bdc80cc56d31e5a5c430a
        • Opcode Fuzzy Hash: 025845d9d61e1786f5c57a6eea5e24909f272c0f2c8c373da7e2e6127155694b
        • Instruction Fuzzy Hash: 42C126727006000BD714AABD9DC976EB3869BC5325F18827FE614EB3E6DABCDC458748
        APIs
        • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,004C05BD), ref: 004C04B5
        • GetTickCount.KERNEL32 ref: 004C04BA
        • SystemParametersInfoW.USER32(00001016,00000000,?,00000000), ref: 004C0519
        • SystemParametersInfoW.USER32(00001018,00000000,00000000,00000000), ref: 004C0531
        • AnimateWindow.USER32(00000000,00000064,?), ref: 004C0576
        • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,004C05BD), ref: 004C0587
        • GetTickCount.KERNEL32 ref: 004C05A4
          • Part of subcall function 004C3D0C: GetCursorPos.USER32(?), ref: 004C3D10
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
        • String ID:
        • API String ID: 3024527889-0
        APIs
          • Part of subcall function 004A3CAC: GetActiveWindow.USER32 ref: 004A3CD3
          • Part of subcall function 004A3CAC: GetLastActivePopup.USER32(?), ref: 004A3CE8
        • GetWindowRect.USER32(?,?), ref: 004A2887
        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 004A28C2
        • MessageBoxW.USER32(00000000,?,?,?), ref: 004A2901
        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,004A297A,?,00000000,004A2973), ref: 004A2954
        • SetActiveWindow.USER32(00000000,004A297A,?,00000000,004A2973), ref: 004A2965
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$Active$LastMessagePopupRect
        • String ID: (
        • API String ID: 3456420849-3887548279
        APIs
        • EnumWindows.USER32(004A1320,00000000), ref: 004A144B
        • ShowWindow.USER32(?,00000000,004A1320,00000000), ref: 004A1482
        • ShowOwnedPopups.USER32(00000000,?), ref: 004A14B1
        • ShowWindow.USER32(?,00000005), ref: 004A1519
        • ShowOwnedPopups.USER32(00000000,?), ref: 004A1548
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Show$OwnedPopupsWindow$EnumWindows
        • String ID: ,lI
        • API String ID: 315437064-140425993
        APIs
        • GetMenuItemInfoW.USER32(00000000,00000000,000000FF,?), ref: 004AAC55
        • SetMenuItemInfoW.USER32(00000000,00000000,000000FF,?), ref: 004AACAD
        • DrawMenuBar.USER32(00000000), ref: 004AACBA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Menu$InfoItem$Draw
        • String ID: ,$L|N$P
        • API String ID: 3227129158-1428255042
        APIs
          • Part of subcall function 004139E0: GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00413AB6), ref: 00413A22
          • Part of subcall function 004139E0: GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00413A99,?,00000000,?,00000000,00413AB6), ref: 00413A57
          • Part of subcall function 004139E0: VerQueryValueW.VERSION(?,00413AC8,?,?,00000000,?,00000000,?,00000000,00413A99,?,00000000,?,00000000,00413AB6), ref: 00413A71
        • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 004AE5AC
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        • ImageList_Write.COMCTL32(00000000,?,00000000,004AE672), ref: 004AE63C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
        • String ID: ImageList_WriteEx$`SH$comctl32.dll$comctl32.dll
        • API String ID: 4063495462-250629128
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID: `KJ
        • API String ID: 0-840051826
        APIs
        • CoInitialize.OLE32(00000000), ref: 004C9072
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Initialize
        • String ID: SerialNumber$Tag$TzL$Win32_PhysicalMedia$\\.\PHYSICALDRIVE0$root\CIMV2
        • API String ID: 2538663250-1504190909
        APIs
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00490314
        • GetSystemMetrics.USER32(00000000), ref: 00490329
        • GetSystemMetrics.USER32(00000001), ref: 00490334
        • lstrcpyW.KERNEL32(?,DISPLAY), ref: 0049035E
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: System$Metrics$AddressInfoParametersProclstrcpy
        • String ID: DISPLAY$GetMonitorInfoA
        • API String ID: 2545840971-1370492664
        APIs
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00490404
        • GetSystemMetrics.USER32(00000000), ref: 00490419
        • GetSystemMetrics.USER32(00000001), ref: 00490424
        • lstrcpyW.KERNEL32(?,DISPLAY), ref: 0049044E
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: System$Metrics$AddressInfoParametersProclstrcpy
        • String ID: DISPLAY$GetMonitorInfoW
        • API String ID: 2545840971-2774842281
        APIs
          • Part of subcall function 004892F0: GetObjectW.GDI32(?,00000004), ref: 00489307
          • Part of subcall function 004892F0: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0048932A
        • GetDC.USER32(00000000), ref: 0048A586
        • CreateCompatibleDC.GDI32(?), ref: 0048A592
        • SelectObject.GDI32(?), ref: 0048A59F
        • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0048A5F7,?,?,?,?,00000000), ref: 0048A5C3
        • SelectObject.GDI32(?,?), ref: 0048A5DD
        • DeleteDC.GDI32(?), ref: 0048A5E6
        • ReleaseDC.USER32(00000000,?), ref: 0048A5F1
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
        • String ID:
        • API String ID: 4046155103-0
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0042BC5B
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0042BC87
        • MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0042BC9C
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0042BCC9
        • GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0042BCD4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
        • String ID: <PN
        • API String ID: 1797888035-4193252389
        APIs
        • GetCursorPos.USER32 ref: 0049FFA3
        • WindowFromPoint.USER32(?,?), ref: 0049FFB0
        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0049FFBE
        • GetCurrentThreadId.KERNEL32 ref: 0049FFC5
        • SendMessageW.USER32(00000000,00000084,00000000,00000000), ref: 0049FFE8
        • SendMessageW.USER32(00000000,00000020,00000000,?), ref: 0049FFFA
        • SetCursor.USER32(00000000), ref: 004A000C
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
        • String ID:
        • API String ID: 1770779139-0
        APIs
        • FillRect.USER32(?,?), ref: 0049A0D7
        • GetClientRect.USER32(00000000,?), ref: 0049A102
        • FillRect.USER32(?,?,00000000), ref: 0049A11E
          • Part of subcall function 00499FCC: CallWindowProcW.USER32(?,?,?,?,?), ref: 0049A006
        • BeginPaint.USER32(?,?), ref: 0049A196
        • GetWindowRect.USER32(?,?), ref: 0049A1C3
        • EndPaint.USER32(?,?,0049A237), ref: 0049A223
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Rect$FillPaintWindow$BeginCallClientProc
        • String ID:
        • API String ID: 901200654-0
        • Opcode ID: ef8ac4bed364f9bf2bc50fbdbb93c134a9701d012c9a7330e88b138f996a365f
        • Instruction ID: aff031373551576408aff27a41274a0cf6fa59552ab4ae57cc274e9c8c001ad1
        • Instruction Fuzzy Hash: 28512A74A04108EFCF40DBA9C589E9DBBF8AB09314F1181BAE414EB352DB39AE41CB55
        APIs
        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004188E1
        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004188FD
        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00418936
        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004189B3
        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004189CC
        • VariantCopy.OLEAUT32(?,?), ref: 00418A01
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
        • String ID:
        • API String ID: 351091851-0
        • Opcode ID: 8bf08db057ede390c1c5f5bf486830cb963f0bdc6532ae447b0cb46f131ffaac
        • Instruction ID: 931b83a56d61bfec6e87179a05884409f0a941ad18338d760d84273e6c6a7828
        • Instruction Fuzzy Hash: 8E51FDB590061D9BCB22DB59CC81BDAB3BCAF48314F4441DAE50CE7212DA78AFC58F65
        APIs
          • Part of subcall function 004883D8: EnterCriticalSection.KERNEL32(004EB204,00000000,004867CE,00000000,0048682D), ref: 004883E0
          • Part of subcall function 004883D8: LeaveCriticalSection.KERNEL32(004EB204,004EB204,00000000,004867CE,00000000,0048682D), ref: 004883ED
          • Part of subcall function 004883D8: EnterCriticalSection.KERNEL32(0000003C,004EB204,004EB204,00000000,004867CE,00000000,0048682D), ref: 004883F6
        • SaveDC.GDI32(?), ref: 0049C905
        • ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0049C980
        • GetStockObject.GDI32(00000004), ref: 0049C99F
        • FillRect.USER32(00000000,?,00000000), ref: 0049C9B8
        • RestoreDC.GDI32(?,?), ref: 0049CA2E
          • Part of subcall function 00486F88: GetSysColor.USER32(?), ref: 00486F92
        • SetBkColor.GDI32(00000000,00000000), ref: 0049CA03
          • Part of subcall function 00488364: FillRect.USER32(?,00000000,00000000), ref: 0048838D
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalRectSection$ColorEnterFill$ClipExcludeLeaveObjectRestoreSaveStock
        • String ID:
        • API String ID: 3001281481-0
        • Opcode ID: 00d063172238897e8a190ad98876e637b7e08949b93b53a4c150c5f36985d2af
        • Instruction ID: 9f76f8c53e48e8e8f0db47c44630ecf6befd216f0d607bea2a28a0fc6ef273dc
        • Instruction Fuzzy Hash: D141CB74A00208EFDB01EFA9C9D5E9E7BF9AF09304F5544BAF904A7352C638AE40DB55
        APIs
        • SetActiveWindow.USER32(?,?,?,004A192E,00000000,004A1E5E), ref: 004A1FBE
        • ShowWindow.USER32(00000000,00000009,?,?,?,004A192E,00000000,004A1E5E), ref: 004A1FE1
        • IsWindowEnabled.USER32(00000000), ref: 004A2003
        • DefWindowProcW.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,004A192E,00000000,004A1E5E), ref: 004A201F
        • SetWindowPos.USER32(?,00000000,00000000,?,?,004A192E,00000000,004A1E5E), ref: 004A206B
        • SetFocus.USER32(00000000,?,?,?,004A192E,00000000,004A1E5E), ref: 004A20B9
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Window$ActiveEnabledFocusProcShow
        • String ID:
        • API String ID: 2052594614-0
        • Opcode ID: c005cedace8bd6e8e9fd0981576c7aef2a2a45a3fa96ae6a52d7414cbacdf1ed
        • Instruction ID: 559d01f3b0185762cd7149a572014817a441079433510163f4b9778015cf4a9d
        • Instruction Fuzzy Hash: 81312F706046509BEB21AA79CD85B9A27A47B29704F0800BAFE049F3D7C6BDEC40D758
        APIs
        • GetSystemMetrics.USER32(0000000B), ref: 004895EE
        • GetSystemMetrics.USER32(0000000C), ref: 004895FA
        • GetDC.USER32(00000000), ref: 00489616
        • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048963D
        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048964A
        • ReleaseDC.USER32(00000000,00000000), ref: 00489683
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CapsDeviceMetricsSystem$Release
        • String ID:
        • API String ID: 447804332-0
        • Opcode ID: 22874894e1ade0e2e350bfae6972af987804cd3969c6cec7f013bea5b5cbe7ea
        • Instruction ID: e5e7614cd92087e14a59b31f9aec5d6a3e692c04c502551e754a6c8f7a78fc82
        • Instruction Fuzzy Hash: EF315474A00604EFEB00EF95C941AAEBBB5FF49710F14896AF514BB381D6349D40CB65
        APIs
          • Part of subcall function 004898AC: GetObjectW.GDI32(?,00000054), ref: 004898C0
        • CreateCompatibleDC.GDI32(00000000), ref: 00489A22
        • SelectPalette.GDI32(?,?,00000000), ref: 00489A43
        • RealizePalette.GDI32(?), ref: 00489A4F
        • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00489A66
        • SelectPalette.GDI32(?,00000000,00000000), ref: 00489A8E
        • DeleteDC.GDI32(?), ref: 00489A97
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
        • String ID:
        • API String ID: 1221726059-0
        • Opcode ID: 1e7fc4d84c4030b9525f6490c7480866f0a257063c575499618d52d2508aee7f
        • Instruction ID: 5ac64497dc152bb8c8736e05ca02a945aacb417d8b3a3e89c7ff4e55027d31f0
        • Instruction Fuzzy Hash: 0E118F75A006047FDB10EAE9CC41F5FB7FCAF48700F54886AB918E7281DA789D008768
        APIs
        • CreateCompatibleDC.GDI32(00000000), ref: 00489265
        • SelectObject.GDI32(00000000,00000000), ref: 0048926E
        • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,0048BD4B,?,?,?,?,0048A3B3), ref: 00489282
        • SelectObject.GDI32(00000000,00000000), ref: 0048928E
        • DeleteDC.GDI32(00000000), ref: 00489294
        • CreatePalette.GDI32 ref: 004892DB
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
        • String ID:
        • API String ID: 2515223848-0
        • Opcode ID: b47ca952f7e19f266329aa5b50a86cf4e7420bb963028384d2c9beae26a77bcd
        • Instruction ID: 598d0103953ab0653546f676710ef4cfff4cc3982fc9bb081db79eac93c5fcef
        • Instruction Fuzzy Hash: 6A01846120471072E614776A8D47BBF72A88FC1718F18CD3FB585A72C2EA7C8C44539A
        APIs
        • Sleep.KERNEL32(00000000,?,00401B26), ref: 00401C0F
        • Sleep.KERNEL32(0000000A,00000000,?,00401B26), ref: 00401C25
        • Sleep.KERNEL32(00000000,?,?,?,00401B26), ref: 00401C53
        • Sleep.KERNEL32(0000000A,00000000,?,?,?,00401B26), ref: 00401C69
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: 74b3c69755249a63b65a2c4b17261f229984b0c50e856418626e7d254f6c3a0a
        • Instruction ID: 530b7c92d773d8174b8e26e7135feb423a43f7fe8485f1acb9292af8024ba5d8
        • Instruction Fuzzy Hash: 59C125725007918BD715CF69D8D472ABBE1BB85318F1882BFD4099F7E2D778A841CB88
        APIs
          • Part of subcall function 00487FD4: CreateBrushIndirect.GDI32(?), ref: 0048807F
        • UnrealizeObject.GDI32(00000000), ref: 00488940
        • SelectObject.GDI32(?,00000000), ref: 00488952
        • SetBkColor.GDI32(?,00000000), ref: 00488975
        • SetBkMode.GDI32(?,00000002), ref: 00488980
        • SetBkColor.GDI32(?,00000000), ref: 0048899B
        • SetBkMode.GDI32(?,00000001), ref: 004889A6
          • Part of subcall function 00486F88: GetSysColor.USER32(?), ref: 00486F92
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
        • String ID:
        • API String ID: 3527656728-0
        • Opcode ID: 703e75063ec15405bc9ffd2ecfd0340940f22c859c6754e84f09d2a7e3b43901
        • Instruction ID: 67cd8f7478b2ea350728fe4970262a4e4bd1140c82dcff5c70192a3dc1b3ac26
        • Instruction Fuzzy Hash: 5AF0C9B12441009BCF40FFAADAC6D1F67985F1430970448AAFB48EF187CE39D8108779
        APIs
        • MessageBoxA.USER32(00000000,?,00401594,00002010), ref: 00402DED
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Message
        • String ID: $,ZN$,ZN$7
        • API String ID: 2030045667-274170764
        • Opcode ID: 96b1cf6df2fba8618b4ea3dbae94d9dd7a20105384aa3c092deb172429444f87
        • Instruction ID: 8a297914933e4dd4996b0970b08d93284b8050a4d9d3eb52ab9f4c535b60254e
        • Instruction Fuzzy Hash: 82B19130B042548BDB61EB2DDD88B9977E4BB09304F1441F6E449EB3C2DBB89D86CB59
        APIs
        • Sleep.KERNEL32(?,00000000,004C5856), ref: 004C54D4
        • ShowWindow.USER32(00000000,00000004,?,00000000,004C5856), ref: 004C551C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ShowSleepWindow
        • String ID: @3N
        • API String ID: 4218995503-3939786101
        • Opcode ID: 4814b75b0e370c2b62580e64d558c7d17506ffa34c572627d2e44fdcdf25d13f
        • Instruction ID: ae5cc4221319bbd81169c7bdedf57eb4659e01f80b1fabae37a825073f6295fa
        • Instruction Fuzzy Hash: 6D913D34A04644AFDB51EF69D841FAEBBF4EF49304F5104A9F504AB7A2C679AD80CB18
        APIs
        • OutputDebugStringW.KERNEL32(00000000,?,00000000,00484AB8,?,00000000,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484933
        • OutputDebugStringW.KERNEL32(00000000,?,?,00000000,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484A61
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: DebugOutputString
        • String ID: Hosts.Strings[I]=$Hosts.Strings[I]_1=$System32\drivers\etc\hosts
        • API String ID: 1166629820-4238265871
        • Opcode ID: f3b19cc179cd9fb6acf418ad387f77eb71116a6914023cd83eb71a50677d668e
        • Instruction ID: 4bd98763a2cf32c2246a2862f38a6c2adaf51f771c640f89fbe0bc45e5ec20fb
        • Instruction Fuzzy Hash: F9918174A0010A9FCB15EFA5C581AAEB7F5FF89314F21487AE801B7351DB38AD05CB69
        APIs
        • GetDC.USER32(00000000), ref: 0048C9A4
        • CreateHalftonePalette.GDI32(00000000,00000000), ref: 0048C9B1
        • ReleaseDC.USER32(00000000,00000000), ref: 0048C9C0
        • DeleteObject.GDI32(00000000), ref: 0048CA2E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CreateDeleteHalftoneObjectPaletteRelease
        • String ID: (
        • API String ID: 577518360-3887548279
        • Opcode ID: 91d35fdc6f9b526f92d7d4625c5b033d44d6dae48beca93ce4156ecdab1db63a
        • Instruction ID: 8bc0549900680e0f084ede818159f18b28f6e8ddd6428cafa5b2aeadcaada148
        • Opcode Fuzzy Hash: 91d35fdc6f9b526f92d7d4625c5b033d44d6dae48beca93ce4156ecdab1db63a
        • Instruction Fuzzy Hash: DA41E470E04208EFDB14EFA8C485B9EB7F6EF45304F1045AAE404AB392D7785E45DB99
        APIs
          • Part of subcall function 0040C944: GetFileAttributesW.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C950
        • DeleteFileW.KERNEL32(00000000,?,?,00000000,004D5E1B,?,?,?,00000000,00000000,00000000,00000000), ref: 004D5D76
        • DeleteFileW.KERNEL32(00000000,?,?,00000000,004D5E1B,?,?,?,00000000,00000000,00000000,00000000), ref: 004D5DB4
        • DeleteFileW.KERNEL32(00000000,?,?,00000000,004D5E1B,?,?,?,00000000,00000000,00000000,00000000), ref: 004D5DF2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: File$Delete$Attributes
        • String ID: Backups.dat$license.dat
        • API String ID: 890995776-1419279994
        • Opcode ID: ca181bebed8a3edb25034207a6700a4f6735b12e92222870f423636129849a56
        • Instruction ID: b9029098f5bbc98d521551207df45d6d5a4b0c167553a731c79aadad7f7835d7
        • Opcode Fuzzy Hash: ca181bebed8a3edb25034207a6700a4f6735b12e92222870f423636129849a56
        • Instruction Fuzzy Hash: 9B218571900518AFCF14FBA5C891EAE7779EF44318F50457BF840B7342DB38AE458AA8
        APIs
        • GetKeyboardLayoutNameW.USER32(00000000), ref: 004AA70A
          • Part of subcall function 00455A58: RegCloseKey.ADVAPI32(10C80000,004558D4,00000001,004559D6,00000000,?,004CFCB3,00000000,004CFD34,?,00000000,004CFE86), ref: 00455A6C
          • Part of subcall function 00455CC0: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,00000000,00455E71,?,?,?,00000000), ref: 00455D39
          • Part of subcall function 00415890: SetErrorMode.KERNEL32 ref: 0041589A
          • Part of subcall function 00415890: LoadLibraryW.KERNEL32(00000000,00000000,004158E4,?,00000000,00415902), ref: 004158C9
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        • FreeLibrary.KERNEL32(?,004AA7D9,?,00000000,004AA819,?,00000000), ref: 004AA7CC
        Strings
        • KbdLayerDescriptor, xrefs: 004AA796
        • \SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 004AA74F
        • Layout File, xrefs: 004AA76B
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
        • String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
        • API String ID: 3365787578-2194312379
        • Opcode ID: e31dcd6024919c486ef4adf20f188074f42ffde82af79984bbb056d828cfc434
        • Instruction ID: 95de4eb44edbaad2fca504385152ad02c3650bc259fa843f9b1be0d96f8e6aba
        • Opcode Fuzzy Hash: e31dcd6024919c486ef4adf20f188074f42ffde82af79984bbb056d828cfc434
        • Instruction Fuzzy Hash: CB31B134A00608AFCB01EFA5C8519DEB7F5EB49704B60847AE400B7791D73D9D15CB19
        APIs
        • GetWindow.USER32(?,00000004), ref: 004A1330
        • GetWindowThreadProcessId.USER32(?,?), ref: 004A134D
        • GetCurrentProcessId.KERNEL32(?,00000004), ref: 004A1359
        • IsWindowVisible.USER32(?), ref: 004A13AF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$Process$CurrentThreadVisible
        • String ID: ,lI
        • API String ID: 3926708836-140425993
        • Opcode ID: 8f4d8e5f16b448387d5499d16e01779292d4e9465715cfb7697958deafe23c89
        • Instruction ID: b1b830d04d70090a3d8c9c1f62a6a4995f5850043698df1486e0854bb1a42127
        • Opcode Fuzzy Hash: 8f4d8e5f16b448387d5499d16e01779292d4e9465715cfb7697958deafe23c89
        • Instruction Fuzzy Hash: 1A213D316002409FEA00EB59DDC6EAB33E9EB59315F14017BED449B363C738BD018BA9
        APIs
        • IsWindow.USER32(?), ref: 0042D789
        • FindWindowExW.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042D7BA
        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0042D7F3
        • GetCurrentThreadId.KERNEL32 ref: 0042D7FA
          • Part of subcall function 00408458: TlsGetValue.KERNEL32(00000011,00000011,0040312E,00000001,00404E9D,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?), ref: 0040847D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$Thread$CurrentFindProcessValue
        • String ID: OleMainThreadWndClass
        • API String ID: 973455579-3883841218
        • Opcode ID: 51d4ed63bb5f1af0d217712a69f637d0e03076f3f8f91ad0128f3ab19db7149d
        • Instruction ID: 6ddda35cd94b70ce08ee7a4e0156e1ce277738c37126e413a43155760391f477
        • Opcode Fuzzy Hash: 51d4ed63bb5f1af0d217712a69f637d0e03076f3f8f91ad0128f3ab19db7149d
        • Instruction Fuzzy Hash: 58015631B002198ED6207B759A89BAF32949B41359F5504BFF254AF1E3EE3C4C00977E
        APIs
        • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403B96
        • RegQueryValueExW.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403BE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403BC9
        • RegCloseKey.ADVAPI32(?,00403BEC,00000000,?,00000004,00000000,00403BE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403BDF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CloseOpenQueryValue
        • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
        • API String ID: 3677997916-4173385793
        • Opcode ID: ab8fead9dbfc8be5a9cfa21ad320998173212eae776e461072538b7a9658e150
        • Instruction ID: dab711054747aca5f836f96782ae0866479182856f3b15883cef5ba8ff8ac0dc
        • Opcode Fuzzy Hash: ab8fead9dbfc8be5a9cfa21ad320998173212eae776e461072538b7a9658e150
        • Instruction Fuzzy Hash: 4401B575904308BAEB11DF919D42FBA7BFCD709B05F600077BA00F65D0E679AA10C65C
        APIs
        • Sleep.KERNEL32(000001F4,00000000,00484C1E,?,00000000,?,00484AA6,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484BD4
        • ShellExecuteW.SHELL32(00000000,00000000,cmd.exe,00000000,00000000,00000000), ref: 00484BFC
        • Sleep.KERNEL32(00000032,000001F4,00000000,00484C1E,?,00000000,?,00484AA6,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484C03
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Sleep$ExecuteShell
        • String ID: cmd.exe$cmd.exe /k ipconfig /flushdns &Exit
        • API String ID: 211396117-1663092916
        • Opcode ID: 7732768c9279362782a7b5ed95787fc24643b6f0e332658a2d94e3decd7bebdf
        • Instruction ID: 2e54b28682c676568dd8c53d92ab16bf6a0f07478b456e4084e36fe42457f8e8
        • Opcode Fuzzy Hash: 7732768c9279362782a7b5ed95787fc24643b6f0e332658a2d94e3decd7bebdf
        • Instruction Fuzzy Hash: 63F08230385709BEE211B762CD13F9E776CD785B04F6244B7F600A65C2CABC6900896D
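The function entries on this page list the raw API cross-references and string constants recovered per function; the reviewer still has to decide which entries describe behaviour worth reporting (the ShellExecuteW of cmd.exe with "cmd.exe /k ipconfig /flushdns &Exit" above, the DeleteFileW calls paired with license.dat and Backups.dat, the System32\drivers\etc\hosts path) and which are compiler runtime boilerplate (the FPUMaskValue registry read, KbdLayerDescriptor, OleMainThreadWndClass). The following Python script is an added example, not code from Joe Sandbox or from the analysed sample: it parses entries in the format shown on this page (its sample text is constructed from entries visible here, with argument lists shortened), groups the APIs and String IDs per function, and attaches triage tags. The tag heuristics and the list of strings treated as Delphi RTL/VCL boilerplate are assumptions of this example, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox per-function 'APIs' / 'Strings' / 'Similarity'
listings. Added example, not part of the report or of the analysed sample.
Tags (shell_exec, hosts_file, file_delete, delphi_rtl_boilerplate) and the
boilerplate string set are this example's own assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated copies of entries visible in this report.
SAMPLE = """\
APIs
• Sleep.KERNEL32(000001F4,00000000), ref: 00484BD4
• ShellExecuteW.SHELL32(00000000,00000000,cmd.exe,00000000,00000000,00000000), ref: 00484BFC
• Sleep.KERNEL32(00000032,000001F4), ref: 00484C03
Strings
Similarity
• API ID: Sleep$ExecuteShell
• String ID: cmd.exe$cmd.exe /k ipconfig /flushdns &Exit
• API String ID: 211396117-1663092916
APIs
  • Part of subcall function 0040C944: GetFileAttributesW.KERNEL32(00000000), ref: 0040C950
• DeleteFileW.KERNEL32(00000000,?), ref: 004D5D76
• DeleteFileW.KERNEL32(00000000,?), ref: 004D5DB4
Similarity
• API ID: File$Delete$Attributes
• String ID: Backups.dat$license.dat
APIs
• RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\\Borland\\Delphi\\RTL,00000000,00000001,?), ref: 00403B96
• RegQueryValueExW.ADVAPI32(?,FPUMaskValue,00000000), ref: 00403BC9
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\\Borland\\Delphi\\RTL
APIs
Similarity
• API ID: DebugOutputString
• String ID: Hosts.Strings[I]=$Hosts.Strings[I]_1=$System32\\drivers\\etc\\hosts
"""

# One API line: optional "Part of subcall function XXXXXXXX: " prefix, then
# Name.MODULE(args), ref: address. Subcall APIs still execute but belong to a callee.
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
ID_RE = re.compile(r"^\s*•?\s*(?P<kind>API|String) ID:\s*(?P<val>.*)$")

SHELL_APIS = {"ShellExecuteW", "ShellExecuteA", "ShellExecuteExW", "ShellExecuteExA",
              "CreateProcessW", "CreateProcessA", "WinExec"}
# Assumption of this example: strings that the Delphi RTL / VCL emit in
# essentially every Delphi binary and that carry no sample-specific intent.
DELPHI_BOILERPLATE = {"FPUMaskValue", r"SOFTWARE\Borland\Delphi\RTL",
                      "KbdLayerDescriptor", "OleMainThreadWndClass"}


@dataclass
class Entry:
    apis: list = field(default_factory=list)     # (api, module, args, ref, from_subcall)
    strings: list = field(default_factory=list)  # String ID split on '$'
    tags: set = field(default_factory=set)


def parse_entries(text):
    """Split the listing at each 'APIs' header and collect API lines and String IDs."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["api"], m["mod"], m["args"], m["ref"], m["sub"] is not None))
            continue
        m = ID_RE.match(line)
        if m and m["kind"] == "String":
            cur.strings.extend(s for s in m["val"].split("$") if s)
    return entries


def tag_entry(e):
    """Attach heuristic tags; direct and subcall APIs both count as executed."""
    api_names = {a[0] for a in e.apis}
    joined = " ".join(e.strings).lower()
    args = " ".join(a[2] for a in e.apis).lower()
    if api_names & SHELL_APIS or "cmd.exe" in joined or "cmd.exe" in args:
        e.tags.add("shell_exec")
    if r"drivers\etc\hosts" in joined:
        e.tags.add("hosts_file")
    if api_names & {"DeleteFileW", "DeleteFileA"}:
        e.tags.add("file_delete")
    if any(s in DELPHI_BOILERPLATE for s in e.strings):
        e.tags.add("delphi_rtl_boilerplate")
    return e.tags


def triage(text):
    entries = parse_entries(text)
    for e in entries:
        tag_entry(e)
    return entries


def direct_refs(e):
    """Call-site addresses inside this function itself (subcall refs excluded)."""
    return [a[3] for a in e.apis if not a[4]]


if __name__ == "__main__":
    for i, e in enumerate(triage(SAMPLE)):
        print(f"entry {i}: tags={sorted(e.tags)} refs={direct_refs(e)} strings={e.strings}")
```

Entries tagged only delphi_rtl_boilerplate can be skipped on a first pass; the remaining ones give the call-site addresses (the ref values) to open in the disassembly, which is where the report's own opcode hashes come from.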
        APIs
        • VariantInit.OLEAUT32(?), ref: 0041DE80
        • VariantInit.OLEAUT32(?), ref: 0041DF96
          • Part of subcall function 0041F6F8: EnterCriticalSection.KERNEL32(004E9E38,?,?,?,?,?,00418ADF,?,?,?,?,00418B48,?,?,0041D811,00000000), ref: 0041F72E
          • Part of subcall function 0041F6F8: LeaveCriticalSection.KERNEL32(004E9E38,0041F7A7,?,004E9E38,?,?,?,?,?,00418ADF,?,?,?,?,00418B48,?), ref: 0041F79A
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CriticalInitSectionVariant$EnterLeave
        • String ID:
        • API String ID: 2777075435-0
        • Opcode ID: 0702dcdca8b4c3746302bd64d64922d172fd6b3eceff84a1e8574045a0b82c53
        • Instruction ID: 137637a22b9947a9fa0d3c02f9ebf896357e472ffa1d4f20fcc2aec5db8deaf1
        • Opcode Fuzzy Hash: 0702dcdca8b4c3746302bd64d64922d172fd6b3eceff84a1e8574045a0b82c53
        • Instruction Fuzzy Hash: 4AB14F79A00208EFCB00DF95C5918EDBBB5EF4D714F9440A6F844A7351DB38AE86DB29
        APIs
        • MulDiv.KERNEL32(00000000,?,00000000), ref: 004990F3
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 00499182
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004991B1
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004991E0
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 00499203
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 85a9d694ce5f6077aee05332603b302f0749f55b1f85187f0f759325c61810c0
        • Instruction ID: 25d8b6c504c600aa6ea5e3d7498472b6f0a735a8b5e4fc6b3599d41822015eef
        • Opcode Fuzzy Hash: 85a9d694ce5f6077aee05332603b302f0749f55b1f85187f0f759325c61810c0
        • Instruction Fuzzy Hash: D081D970A01244EFDB05DB99C689EAEB7F5BF49304F6540FAE804EB352D734AE409B54
        APIs
          • Part of subcall function 00488364: FillRect.USER32(?,00000000,00000000), ref: 0048838D
        • CreateRectRgn.GDI32(?,?,?,?), ref: 004C4E48
        • SelectObject.GDI32(00000000,?), ref: 004C4E63
          • Part of subcall function 00487FD4: CreateBrushIndirect.GDI32(?), ref: 0048807F
        • FrameRgn.GDI32(00000000,?,00000000,00000001,00000001), ref: 004C4EB5
        • SelectObject.GDI32(00000000,?), ref: 004C4FF5
        • DeleteObject.GDI32(?), ref: 004C4FFE
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Object$CreateRectSelect$BrushDeleteFillFrameIndirect
        • String ID:
        • API String ID: 3847799725-0
        • Opcode ID: 64824ff7c01a94ecbd7279ef8e46a15e877ad46e30ef8bbcb76ceb47cf3f4ade
        • Instruction ID: 0ba608d35b6021b0509e1bb96b8ddaa64ed96ac587304f09bbb94570587b162b
        • Opcode Fuzzy Hash: 64824ff7c01a94ecbd7279ef8e46a15e877ad46e30ef8bbcb76ceb47cf3f4ade
        • Instruction Fuzzy Hash: F071F735A0010AEFCB00EF99C984EDEB3F9BF48304F5144A9F914AB251DB75AE06DB54
        APIs
        • GetMenu.USER32(00000000), ref: 0049AECC
        • SetMenu.USER32(00000000,00000000), ref: 0049AEE9
        • SetMenu.USER32(00000000,00000000), ref: 0049AF1E
        • SetMenu.USER32(00000000,00000000), ref: 0049AF3A
          • Part of subcall function 0040821C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408261
        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0049AF81
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Menu$LoadStringWindow
        • String ID:
        • API String ID: 1738039741-0
        • Opcode ID: d4a90ba5e96c4248a7c34c5503db1b79711cdc3764b5597ee2b20363dea478e5
        • Instruction ID: fd8e6478973e3ef964a3b1c5ad47d56531a730367e98989688dc6061f3cebb4a
        • Opcode Fuzzy Hash: d4a90ba5e96c4248a7c34c5503db1b79711cdc3764b5597ee2b20363dea478e5
        • Instruction Fuzzy Hash: 6F51AE707043005BDF61AB3A8C857AB3A98AF45308F0844BBBC459B397CE7CCC55879A
        APIs
        • CharNextW.USER32(?,?,00000000,00426382), ref: 00426240
        • CharNextW.USER32(?,?,00000000,00426382), ref: 004262E8
        • CharNextW.USER32(?,?,00000000,00426382), ref: 0042630D
        • CharNextW.USER32(00000000,?,?,00000000,00426382), ref: 00426325
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CharNext
        • String ID:
        • API String ID: 3213498283-0
        • Opcode ID: 2b29c0b8304a17ca473f79ba3ea3595389fac3db87eae6e096e00fb5942365e6
        • Instruction ID: 3679f88a679007e921f5f73137257fdf8e7b2b6df05089300fe20f2a64209be5
        • Opcode Fuzzy Hash: 2b29c0b8304a17ca473f79ba3ea3595389fac3db87eae6e096e00fb5942365e6
        • Instruction Fuzzy Hash: 4B514C30B00624DFCF15EFA9D490A6D77B5EF06314F8204E6E800EB295DB38AD82CB59
        APIs
        • BeginPaint.USER32(00000000,?), ref: 004BBF23
        • SaveDC.GDI32(00000000), ref: 004BBF5C
        • ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,004BC01A,?,00000000), ref: 004BBFDE
        • RestoreDC.GDI32(00000000,00000000), ref: 004BC014
        • EndPaint.USER32(00000000,?,004BC05E), ref: 004BC051
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Paint$BeginClipExcludeRectRestoreSave
        • String ID:
        • API String ID: 3808407030-0
        • Opcode ID: 9ee908b25714ce527ac4ede230d1788147849ad717bb101971921d4975bb3db7
        • Instruction ID: 197a9537d06d323d41a139841524e781a53f3f169a5e2c02d9164045e09b2c88
        • Opcode Fuzzy Hash: 9ee908b25714ce527ac4ede230d1788147849ad717bb101971921d4975bb3db7
        • Instruction Fuzzy Hash: A2414E70A042449FDB14DBA8C995FBEBBF5FF48304F1544AAE904973A2D7789D40CB64
        APIs
        • FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497E12
        • FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497E43
        • FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497E74
        • FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497EA5
        • FlatSB_SetScrollProp.COMCTL32(00000000,?,00000000,00000000,00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497ED3
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FlatPropScroll
        • String ID:
        • API String ID: 3625857538-0
        • Opcode ID: bbf3abc0852a2dc2c8daad3ce56e7dd8ea84899ddca49796ad70c213f241d79a
        • Instruction ID: ff90d7007fdd652aaf510424150b2c5608bba45288c941575253e06b6097130c
        • Opcode Fuzzy Hash: bbf3abc0852a2dc2c8daad3ce56e7dd8ea84899ddca49796ad70c213f241d79a
        • Instruction Fuzzy Hash: 8C31B2B06001489FD750EF5DD885E56BBE8AF1D309F15049AB288CB363D73AEE50DBA4
        APIs
          • Part of subcall function 0042D76C: IsWindow.USER32(?), ref: 0042D789
          • Part of subcall function 0042D76C: FindWindowExW.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042D7BA
          • Part of subcall function 0042D76C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042D7F3
          • Part of subcall function 0042D76C: GetCurrentThreadId.KERNEL32 ref: 0042D7FA
        • MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042D86E
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0042D889
        • TranslateMessage.USER32(?), ref: 0042D896
        • DispatchMessageW.USER32(?), ref: 0042D89F
        • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042D8CB
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: MessageWindow$MultipleObjectsThreadWait$CurrentDispatchFindPeekProcessTranslate
        • String ID:
        • API String ID: 2725875890-0
        • Opcode ID: e8bb21ed09c62badd5c6520bef45bb772452a79902ddc0313dbd79545f1291a0
        • Instruction ID: baef101c0684ab5cff6e3cf69e50c714cd41c034127489c3448bb63cf650b062
        • Opcode Fuzzy Hash: e8bb21ed09c62badd5c6520bef45bb772452a79902ddc0313dbd79545f1291a0
        • Instruction Fuzzy Hash: 99216271B00219AFDB10EEA4DC85F9F73A8EB08354F50453AFA15E7281D67DDD4087A9
        APIs
        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 0043E900
        • GetFileSizeEx.KERNEL32(000000FF,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,0043E9A7,?,00000000,80000000,00000001,00000000), ref: 0043E94D
        • GetFileSize.KERNEL32(000000FF,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,0043E9A7,?,00000000,80000000,00000001,00000000), ref: 0043E966
        • GetLastError.KERNEL32(000000FF,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,0043E9A7,?,00000000,80000000,00000001,00000000), ref: 0043E974
        • CloseHandle.KERNEL32(000000FF,0043E9AE,00000000,00000000,00000000,00000000,00000000,0043E9A7,?,00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 0043E9A1
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: File$Size$CloseCreateErrorHandleLast
        • String ID:
        • API String ID: 3878045067-0
        • Opcode ID: 9559fc7a358821432ed6d230c7ec3043fbb4afdebcb744de5406ac5af7c3e679
        • Instruction ID: 87d07eb564e42e59401691eaa800dc569116af868e78c2444f7fcc6f66e70633
        • Opcode Fuzzy Hash: 9559fc7a358821432ed6d230c7ec3043fbb4afdebcb744de5406ac5af7c3e679
        • Instruction Fuzzy Hash: AB2153B1E01205AFDB50DBEACC46BAEB7F8EF48324F104566F510E72D0D6789A408B5A
        APIs
        • GetDC.USER32(00000000), ref: 0048BD56
        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048BD6B
        • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048BD75
        • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0048A3B3,00000000,0048A43F), ref: 0048BD99
        • ReleaseDC.USER32(00000000,00000000), ref: 0048BDA4
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CapsDevice$CreateHalftonePaletteRelease
        • String ID:
        • API String ID: 2404249990-0
        • Opcode ID: e91324f630cc3b4a98f9c458bbe209de991ddc2e9c5af605b388359494de99f3
        • Instruction ID: bb731ed63db1024ae30fdffd840fbb0ad3c3b42cf9eda583b4afa3260d261b39
        • Opcode Fuzzy Hash: e91324f630cc3b4a98f9c458bbe209de991ddc2e9c5af605b388359494de99f3
        • Instruction Fuzzy Hash: 8E11B1216412597EDB60BF2589417EF3BD0EF51365F040A2BF8409A2C2D7BC8C91D3E9
        APIs
        • GetWindowLongW.USER32(00000000,000000EC), ref: 0049EC58
        • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0049EC8A
        • SetLayeredWindowAttributes.USER32(00000000,00000000,?,00000000,00000000,000000EC,?,?,0049BF97), ref: 0049ECC8
        • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0049ECE1
        • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0049BF97), ref: 0049ECF7
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$Long$AttributesLayeredRedraw
        • String ID:
        • API String ID: 1758778077-0
        • Opcode ID: 34a306a82720be10e4bc0ff5c80078a37600ba0091d5521fead509c67b5ad664
        • Instruction ID: fd7ca4e4430145941891626b202ecab781884262f203275c92e22f650ecd8395
        • Opcode Fuzzy Hash: 34a306a82720be10e4bc0ff5c80078a37600ba0091d5521fead509c67b5ad664
        • Instruction Fuzzy Hash: 041146606042A026DF51BB7B4C89F972E9C1B45315F18097ABD99EE2D3CA7CCD44C76C
        APIs
        • GetDC.USER32(00000000), ref: 004891CC
        • GetDeviceCaps.GDI32(?,00000068), ref: 004891E8
        • GetPaletteEntries.GDI32(38080D9C,00000000,00000008,?), ref: 00489200
        • GetPaletteEntries.GDI32(38080D9C,00000008,00000008,?), ref: 00489218
        • ReleaseDC.USER32(00000000,?), ref: 00489234
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: EntriesPalette$CapsDeviceRelease
        • String ID:
        • API String ID: 3128150645-0
        • Opcode ID: 814c47558ce0ea0cdbb8226500d1c10c0e4d4d5f6082bf9f721d89869bd6643e
        • Instruction ID: ef1f130394f02fe3b3b8c373684565ef2b12eafb187cbdd1fa372f4b7074ad5d
        • Opcode Fuzzy Hash: 814c47558ce0ea0cdbb8226500d1c10c0e4d4d5f6082bf9f721d89869bd6643e
        • Instruction Fuzzy Hash: 0E116B31248704BEEB00DBE59C92F7E77A8F745714F1488AEF540EA1C2CA7A5800C328
        APIs
        • GetThreadLocale.KERNEL32(?,00000000,00412793,?,?,00000000), ref: 00412714
          • Part of subcall function 00412324: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00412793,?,?,00000000), ref: 00412744
        • EnumCalendarInfoW.KERNEL32(Function_00012648,00000000,00000000,00000004,00000000,00412793,?,?,00000000), ref: 0041274F
        • GetThreadLocale.KERNEL32(00000000,00000003,Function_00012648,00000000,00000000,00000004,00000000,00412793,?,?,00000000), ref: 0041276D
        • EnumCalendarInfoW.KERNEL32(Function_00012684,00000000,00000000,00000003,Function_00012648,00000000,00000000,00000004,00000000,00412793,?,?,00000000), ref: 00412778
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Locale$InfoThread$CalendarEnum
        • String ID:
        • API String ID: 4102113445-0
        • Opcode ID: ea5ed1e68738d87d6849240a51ee1399f26a6f32b2c5a564a527e4de25f0d19b
        • Instruction ID: 6c17a117f83ad6eed4f2b33b4d516e2bf9be5bd1494dbf02b5db9dc83d199b91
        • Opcode Fuzzy Hash: ea5ed1e68738d87d6849240a51ee1399f26a6f32b2c5a564a527e4de25f0d19b
        • Instruction Fuzzy Hash: 3001D4712006046BE701B6758E12FAB725CDB41728F61057AB510F66C1DABCAE11866D
        APIs
        • UnhookWindowsHookEx.USER32(00000000), ref: 004A08B3
        • SetEvent.KERNEL32(00000000,004A354A,?,004A33CF), ref: 004A08CE
        • GetCurrentThreadId.KERNEL32 ref: 004A08D3
        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,004A354A,?,004A33CF), ref: 004A08E8
        • CloseHandle.KERNEL32(00000000,00000000,004A354A,?,004A33CF), ref: 004A08F3
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
        • String ID:
        • API String ID: 2429646606-0
        • Opcode ID: 1ebfb214e618e78f3d0076e80283417c42718324c7dd07a52d6739aeab3e32e7
        • Instruction ID: 3c2a7f0f67a99dff2c69d2718541b364b480c8d6fc4a637ccb659e3f01d5dcec
        • Opcode Fuzzy Hash: 1ebfb214e618e78f3d0076e80283417c42718324c7dd07a52d6739aeab3e32e7
        • Instruction Fuzzy Hash: 26F0F871A006859BDB51BF7ADD86A4B32E5E705308B44453EA410DA2E3CB3C9440CB9D
        APIs
        • GetThreadLocale.KERNEL32(?,00000000,004129E3,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004127EB
          • Part of subcall function 00412324: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Locale$InfoThread
        • String ID: eeee$ggg$yyyy
        • API String ID: 4232894706-1253427255
        • Opcode ID: a72d6dec9f881c51b2c3d748fe5987dd0e23131fb87edebae7b64ca4e53677cf
        • Instruction ID: d6de3ed446d6b0f19bf2b14768b5d98198d9ec819dac1c1d77997311401c7bc1
        • Opcode Fuzzy Hash: a72d6dec9f881c51b2c3d748fe5987dd0e23131fb87edebae7b64ca4e53677cf
        • Instruction Fuzzy Hash: C651C370B101099BCB10EB69CA825EFB3B5EF84304F204177E445E73A1DBBC9E929A59
        APIs
        • GetComputerNameW.KERNEL32(?,00000020), ref: 0048E08E
        • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,?,00000020,00000000,0048E19D), ref: 0048E120
        • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,?), ref: 0048E156
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CompareComputerCreateInstanceNameString
        • String ID:
        • API String ID: 3197622226-3916222277
        • Opcode ID: 092b5700f23eba296aa61c6c5e6729154c9b7f57bb85b88c6753eef70bdea028
        • Instruction ID: 38e99b92970f81440c0c9ffdda6197231676ac96b5bdc6a0d2e51396d0ff3f8f
        • Opcode Fuzzy Hash: 092b5700f23eba296aa61c6c5e6729154c9b7f57bb85b88c6753eef70bdea028
        • Instruction Fuzzy Hash: DE517231A006099BDB01EFA6CC85AAFB7B9EF49304F50443BE901E7391DB78DE458B58
        APIs
        • OutputDebugStringW.KERNEL32(00000000,00000000,004C9B23,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,004D14BB), ref: 004C9A07
        • OutputDebugStringW.KERNEL32(00000000,00000000,00000000,004C9B23,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004C9A41
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: DebugOutputString
        • String ID: AreaStr=$KeyAreaID=
        • API String ID: 1166629820-2418619681
        • Opcode ID: 4b5a8f900c5d65235d10b664304963473f32ecaf4f5df4820431c7fd2f76220c
        • Instruction ID: f54e7e4e246c4008911634a6e8aa6a7441db3cd551359d478c0d39e04c5c51f1
        • Opcode Fuzzy Hash: 4b5a8f900c5d65235d10b664304963473f32ecaf4f5df4820431c7fd2f76220c
        • Instruction Fuzzy Hash: 97414F38A04549BBCF54FBA5D449EAFB375EB84304B60807FE401A7785E63EAD018B5D
        APIs
        • GetCursorPos.USER32(004EB468), ref: 004B4031
        • GetCursor.USER32(004EB468), ref: 004B404D
          • Part of subcall function 004B3200: SetCapture.USER32(00000000,?,004B4061,004EB468), ref: 004B320F
        • GetDesktopWindow.USER32 ref: 004B413F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Cursor$CaptureDesktopWindow
        • String ID: $0K
        • API String ID: 669539147-4266498501
        • Opcode ID: b9b109a74598427f505b92662bb7b47e4b1e2de49c76a22abd0ee472cbc2f101
        • Instruction ID: 9fc20347987d85a57ed1c4c75373492e8f0f57dc6b5dfb0634c675c1d96856e5
        • Opcode Fuzzy Hash: b9b109a74598427f505b92662bb7b47e4b1e2de49c76a22abd0ee472cbc2f101
        • Instruction Fuzzy Hash: EC414B70A05240CFC304DF2DE988A567BE1EB89314B15C56AD8888B3A7CB35D885CB99
        APIs
        • GetKeyState.USER32(00000011), ref: 004B3997
        • IsWindowVisible.USER32(00000000), ref: 004B3A11
          • Part of subcall function 004B392C: IsChild.USER32(00000000,00000000), ref: 004B395C
          • Part of subcall function 004B30A4: IsChild.USER32(00000000,00000000), ref: 004B30FB
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Child$StateVisibleWindow
        • String ID: 2<K$2<K
        • API String ID: 4044940347-1682517499
        • Opcode ID: 9563ca7cdac2399e2c9764e85fad77ad326eadc29c644b78558d4fe00e1e9226
        • Instruction ID: 4f23c0abd5ec66d38ff17805c78e05934f2779157d30990e1c70d38623dca1ac
        • Opcode Fuzzy Hash: 9563ca7cdac2399e2c9764e85fad77ad326eadc29c644b78558d4fe00e1e9226
        • Instruction Fuzzy Hash: 3541217590010A9BCB01DF56C4C5AEFF7B9AF09305F244166E840B73A2D774AE45CBA8
        APIs
        • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,004274D0,?,?,00421894,00000001), ref: 004273E4
        • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,004274D0,?,?,00421894,00000001), ref: 00427412
          • Part of subcall function 0040C804: CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00421894,00427452,00000000,004274D0,?,?,00421894), ref: 0040C852
          • Part of subcall function 0040CEC8: GetFullPathNameW.KERNEL32(00000000,00000104,?), ref: 0040CEE7
        • GetLastError.KERNEL32(00000000,004274D0,?,?,00421894,00000001), ref: 00427477
          • Part of subcall function 004122D4: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000), ref: 004122F3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CreateErrorFileLast$FormatFullMessageNamePath
        • String ID: (B
        • API String ID: 503785936-2871133820
        • Opcode ID: f70a38186f6168a92c5074acd102c9e0bfe4a0a9766645588ae96c87459d5fb7
        • Instruction ID: 3e2ce87ba01ed050ef7b301bcdddd602986594e04c8ba2f6a702714a6baf1d6e
        • Opcode Fuzzy Hash: f70a38186f6168a92c5074acd102c9e0bfe4a0a9766645588ae96c87459d5fb7
        • Instruction Fuzzy Hash: 51319170B047189BDB10EFA5DC827DEBBB4AB48314F90817AE500B73C2D77D5A418B69
        APIs
          • Part of subcall function 004A2E7C: GetCursorPos.USER32 ref: 004A2E83
        • SetTimer.USER32(00000000,00000000,503B0C55,00000000), ref: 004A2FF3
        • GetCurrentThreadId.KERNEL32 ref: 004A302D
        • WaitMessage.USER32(00000000,004A3071,?,?,?,00000000), ref: 004A3051
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CurrentCursorMessageThreadTimerWait
        • String ID: <PN
        • API String ID: 3909455694-4193252389
        • Opcode ID: 3bdc7921727f6dab475831c59cb47488c5f574fbda842d5ad3d6a058df02c2a8
        • Instruction ID: 28124adf203f4e74fa4a214f3e0f53d93982a1a27f12685111bf0c474d4d27e6
        • Opcode Fuzzy Hash: 3bdc7921727f6dab475831c59cb47488c5f574fbda842d5ad3d6a058df02c2a8
        • Instruction Fuzzy Hash: D441B430A04644EFDB11DF59D985B9E77F5EB2A304F5040BAF800A7293D7B85E40DB59
        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041041D), ref: 004103B4
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041041D), ref: 004103BA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID: $yyyy
        • API String ID: 3303714858-404527807
        • Opcode ID: 8cadb6c8ce63ecbfa46b302686aba0531448fbeb7e7d7444da7fc5cc9c58a64a
        • Instruction ID: fb291fd9e1cfa3423eabfe1f7445592917075637d21e9c5d0b0d4eb3d8e020c5
        • Opcode Fuzzy Hash: 8cadb6c8ce63ecbfa46b302686aba0531448fbeb7e7d7444da7fc5cc9c58a64a
        • Instruction Fuzzy Hash: BB218731A006189BDB10EF55C881ADEB3F8EF44304F5140BBF904E7795D678AE80CB69
        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040F765), ref: 0040F6FC
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040F765), ref: 0040F702
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID: $yyyy
        • API String ID: 3303714858-404527807
        • Opcode ID: 940411bce127fb1e73b6d2411cde9fc0b86ad4d6471b46554011f930f298dee6
        • Instruction ID: f571b5096a32a33018e993cd31a9e482bca29567bd91db253968a4dd3b71db8c
        • Opcode Fuzzy Hash: 940411bce127fb1e73b6d2411cde9fc0b86ad4d6471b46554011f930f298dee6
        • Instruction Fuzzy Hash: 1B218735A005189BDB20EF55C981AAEB3B8EF08300F51407BF804F7791D738AE448B69
        APIs
        • FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,00409AD8,?,0040C031,00000000,0040C14D), ref: 00409E10
        • LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,00409AD8,?,0040C031,00000000,0040C14D), ref: 00409E27
        • LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,00409AD8,?,0040C031,00000000,0040C14D), ref: 00409E38
          • Part of subcall function 00415214: GetLastError.KERNEL32(00409E49,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,00409AD8,?,0040C031,00000000,0040C14D), ref: 00415214
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Resource$ErrorFindLastLoadLock
        • String ID: CHARTABLE
        • API String ID: 1074440638-2668339182
        • Opcode ID: eefcad1153bbfa5c389ccb0a5f44c87e570cf675153a1f5066cc443492296243
        • Instruction ID: 02e687f415c399b0b9c7332153376ccd9c1eaadc9c9960d23c279e6980aac0bf
        • Opcode Fuzzy Hash: eefcad1153bbfa5c389ccb0a5f44c87e570cf675153a1f5066cc443492296243
        • Instruction Fuzzy Hash: 1C0184B4A442008FC708EFA5ECD0A6673A5AB88328709457EE1455B793CB3CAC01CFAC
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CreateMenu$Popup
        • String ID: 0SH$PNJ
        • API String ID: 257293969-1820970785
        • Opcode ID: ab46510de955bebcdf67c530f74e7c18410e003ce1da644840f2531b307d03b0
        • Instruction ID: e4775a6d376d05f7c1ae83344de64f1a29b54ff4a829edd6169290cd58c5c302
        • Opcode Fuzzy Hash: ab46510de955bebcdf67c530f74e7c18410e003ce1da644840f2531b307d03b0
        • Instruction Fuzzy Hash: 8CF0C070600214DFDF00EF66D5C5B5A3794AB67345F0A54BAAC459F247C77898418F39
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Capture
        • String ID:
        • API String ID: 1145282425-0
        • Opcode ID: ee329c3a1d5bc05ac0dfbe862c8f8bc12debf42980a49d00105cf9703edbe8ba
        • Instruction ID: 5a5e4dd7db217f2032cf20f74d5c6417c5d9eca40d0870dac1dbc96ab2423463
        • Opcode Fuzzy Hash: ee329c3a1d5bc05ac0dfbe862c8f8bc12debf42980a49d00105cf9703edbe8ba
        • Instruction Fuzzy Hash: 51E13B70A00204EFCB10DB59C585BEEB7F5EF58304F2441A6E444AB766C7BCAE41DBA9
        APIs
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B96A7
        • MulDiv.KERNEL32(?,?,?), ref: 004B96E2
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9a8a32ad62fa376093a6eeb03648d710f62e9af94ec845c6c827c680123077ef
        • Instruction ID: c624c34abdba7af0b075cfd58706141ed29de850a78805ebbe4b4f0dbe1a6e03
        • Opcode Fuzzy Hash: 9a8a32ad62fa376093a6eeb03648d710f62e9af94ec845c6c827c680123077ef
        • Instruction Fuzzy Hash: BAD13971A04605DFCB11CF68C584BEABBF6BF49300F248A69E9569B355CB38ED01CB61
        APIs
        • GetDesktopWindow.USER32 ref: 004B3D9D
        • GetDesktopWindow.USER32 ref: 004B3ECD
        • SetCursor.USER32(00000000), ref: 004B3F22
          • Part of subcall function 004C0968: ImageList_EndDrag.COMCTL32(?,00000000,004B453F,00000000,004B465B,?,00000000,004B46CD), ref: 004C0984
        • SetCursor.USER32(00000000), ref: 004B3F0D
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CursorDesktopWindow$DragImageList_
        • String ID:
        • API String ID: 617806055-0
        • Opcode ID: a5364175e725112c51360b67663bafb82f4a24d8ee3947c31fcbe4023cb2caa4
        • Instruction ID: a8732890cf910c803f2fa537246c15891e723a5f6156413c3988a597b6b81429
        • Opcode Fuzzy Hash: a5364175e725112c51360b67663bafb82f4a24d8ee3947c31fcbe4023cb2caa4
        • Instruction Fuzzy Hash: 8091F834A01590CFC705DF2AD8C4A967BA5EB85305F14C5AAE8448F3A7C738ED49CBA9
        APIs
          • Part of subcall function 004B3BD0: WindowFromPoint.USER32(-000000F4,?,?,004B37AA,?,-0000000C,?), ref: 004B3BD6
          • Part of subcall function 004B3BD0: GetParent.USER32(00000000), ref: 004B3BED
        • GetWindow.USER32(00000000,00000004), ref: 004B37B2
        • GetCurrentThreadId.KERNEL32 ref: 004B3889
        • EnumThreadWindows.USER32(00000000,004B3730,?), ref: 004B388F
        • GetWindowRect.USER32(00000000,?), ref: 004B38A6
          • Part of subcall function 004B2AF0: GetWindowThreadProcessId.USER32(00000000), ref: 004B2AFD
          • Part of subcall function 004B2AF0: GetCurrentProcessId.KERNEL32(?,00000000,00000000,004B470F,?,?,00000000,00000001,004B473C), ref: 004B2B06
          • Part of subcall function 004B2AF0: GlobalFindAtomW.KERNEL32(00000000,?,00000000,00000000,004B470F,?,?,00000000,00000001,004B473C), ref: 004B2B1B
          • Part of subcall function 004B2AF0: GetPropW.USER32(00000000,00000000), ref: 004B2B32
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$Thread$CurrentProcess$AtomEnumFindFromGlobalParentPointPropRectWindows
        • String ID:
        • API String ID: 349414421-0
        • Opcode ID: d44d13184c02a1f55edde3426c7de730768a02129f4587f316ba7f831408935e
        • Instruction ID: d1f3bbdca263e5cba177ab40c48ecafd562fd0baf8d62e4f4a1785abd54bb379
        • Opcode Fuzzy Hash: d44d13184c02a1f55edde3426c7de730768a02129f4587f316ba7f831408935e
        • Instruction Fuzzy Hash: 35510E74B002059FCB10DF6EC485AEEB7F4AF08345F148166E814EB352D778EE458BA9
        APIs
        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0041863F
        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041865B
        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004186D2
        • VariantClear.OLEAUT32(?), ref: 004186FB
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ArraySafe$Bound$ClearIndexVariant
        • String ID:
        • API String ID: 920484758-0
        • Opcode ID: f0295443ca770468b436d680f55c02e1520dbe5d99db19bddf092f571c061250
        • Instruction ID: ef54839c96ed99e11d4dd789d27488e0543d0cf8127073c02581cb22cc5bae1d
        • Opcode Fuzzy Hash: f0295443ca770468b436d680f55c02e1520dbe5d99db19bddf092f571c061250
        • Instruction Fuzzy Hash: 1B41FB75A0121D9FCB61DB59CC90ADAB3BDAB48714F4441DAE54CE7212DA38AFC08F58
        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
        • GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
        • LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FileModuleName$LoadQueryStringVirtual
        • String ID:
        • API String ID: 3990497365-0
        • Opcode ID: 77955a00cab5acbf521c9f5c76ce96b01f8191e0df1b38070d82cf23f6448ddb
        • Instruction ID: 3a68ee526fa8a757da22646a69dff3aeeefd06844c58658e8450b05e0dc19dd5
        • Opcode Fuzzy Hash: 77955a00cab5acbf521c9f5c76ce96b01f8191e0df1b38070d82cf23f6448ddb
        • Instruction Fuzzy Hash: 00412070A002589FDB20DF65CD81BDAB7B9AB48304F4044FAE508E7281D7B99E94CF58
        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
        • GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
        • LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FileModuleName$LoadQueryStringVirtual
        • String ID:
        • API String ID: 3990497365-0
        • Opcode ID: c6fd065d7e80d40f9177299679bef9015373d5c58c032573cc4104c367fbe3e9
        • Instruction ID: bbc0d5498b589010b4c2cdf7ae00b3442bcd3da6934b66cc86e45316ce2612f9
        • Opcode Fuzzy Hash: c6fd065d7e80d40f9177299679bef9015373d5c58c032573cc4104c367fbe3e9
        • Instruction Fuzzy Hash: E3413170A002589FDB20DF65CD81BDAB7F9AB48304F4044FAE508E7282D7B99E94CF58
        APIs
        • GetKeyboardLayout.USER32(00000000), ref: 0049F73D
        • GetDC.USER32(00000000), ref: 0049F792
        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0049F79C
        • ReleaseDC.USER32(00000000,00000000), ref: 0049F7A7
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CapsDeviceKeyboardLayoutRelease
        • String ID:
        • API String ID: 3331096196-0
        • Opcode ID: ae676e819d8a58350b37f00f1a7c011500dbc0c5357acba48117658d05a15df7
        • Instruction ID: 0e50dc1c515a5c0578519942824b154d9f69a93411b3c06a605e374a9889affa
        • Opcode Fuzzy Hash: ae676e819d8a58350b37f00f1a7c011500dbc0c5357acba48117658d05a15df7
        • Instruction Fuzzy Hash: 5941D3B06512408FDB50EF2AD8C5B487BE5AF08318F1590BAE908DF367D779AC48CB58
        APIs
          • Part of subcall function 004883D8: EnterCriticalSection.KERNEL32(004EB204,00000000,004867CE,00000000,0048682D), ref: 004883E0
          • Part of subcall function 004883D8: LeaveCriticalSection.KERNEL32(004EB204,004EB204,00000000,004867CE,00000000,0048682D), ref: 004883ED
          • Part of subcall function 004883D8: EnterCriticalSection.KERNEL32(0000003C,004EB204,004EB204,00000000,004867CE,00000000,0048682D), ref: 004883F6
          • Part of subcall function 0048BD00: GetDC.USER32(00000000), ref: 0048BD56
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048BD6B
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048BD75
          • Part of subcall function 0048BD00: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0048A3B3,00000000,0048A43F), ref: 0048BD99
          • Part of subcall function 0048BD00: ReleaseDC.USER32(00000000,00000000), ref: 0048BDA4
        • CreateCompatibleDC.GDI32(00000000), ref: 0048A3B5
        • SelectObject.GDI32(00000000,?), ref: 0048A3CE
        • SelectPalette.GDI32(00000000,?,000000FF), ref: 0048A3F7
        • RealizePalette.GDI32(00000000), ref: 0048A403
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
        • String ID:
        • API String ID: 979337279-0
        • Opcode ID: d8608cbb3c6ac1367ff1a9623b2d960c0842c671ef004bffb61fdf6023d6d922
        • Instruction ID: 931d0b13a3a3a967ac09fd50c8fd9f35e21caab8956807addb6f6df66f981b33
        • Opcode Fuzzy Hash: d8608cbb3c6ac1367ff1a9623b2d960c0842c671ef004bffb61fdf6023d6d922
        • Instruction Fuzzy Hash: 01313834A00618EFD704EF59C981D4EB3F5EF48714B6249AAF804AB362D778EE41DB84
        APIs
        • IsZoomed.USER32(00000000), ref: 004B9F7D
        • GetParent.USER32(00000000), ref: 004B9F92
        • GetWindowRect.USER32(00000000,?), ref: 004B9FAB
        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000016,00000000,?,00000000), ref: 004BA016
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$ParentRectZoomed
        • String ID:
        • API String ID: 3993858495-0
        • Opcode ID: 104184dc31058d22a733b8fbe88e5dc482104c38bcd4c8c9fa2971eb8370caa6
        • Instruction ID: fe1891393f9d4f6902f56305ba1727680b008e2be28e2d5830dadeee376c4229
        • Opcode Fuzzy Hash: 104184dc31058d22a733b8fbe88e5dc482104c38bcd4c8c9fa2971eb8370caa6
        • Instruction Fuzzy Hash: 0621A7346001059FDB20EF6DC481E9AB7F9AF58314B21455AF684EB396E636ED40CB98
        APIs
        • SetActiveWindow.USER32(?,?,004A1921,00000000,004A1E5E), ref: 004A1EC5
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ActiveWindow
        • String ID:
        • API String ID: 2558294473-0
        • Opcode ID: 106efbb0270e0b7f0fc2330f6ee5abc494369e8869267c6de6293791ecce17da
        • Instruction ID: 7d0b0dcbc82a6dd44566bc86774d09b6965cf3ff71c27d31ff77a631e5339d38
        • Opcode Fuzzy Hash: 106efbb0270e0b7f0fc2330f6ee5abc494369e8869267c6de6293791ecce17da
        • Instruction Fuzzy Hash: 3B21DD706042809BEF15EA69C8C5BD62B99BF19304F0840BAFD089F2ABD779D8458729
        APIs
        • GetMenuState.USER32(?,?,?), ref: 004AB34B
        • GetSubMenu.USER32(?,?), ref: 004AB356
        • GetMenuItemID.USER32(?,?), ref: 004AB36F
        • GetMenuStringW.USER32(?,?,?,?,?), ref: 004AB3C4
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Menu$ItemStateString
        • String ID:
        • API String ID: 306270399-0
        • Opcode ID: 46a02f2618577621b8bf29563f13cd88905e9357f51b4a76ddda491be36c3d43
        • Instruction ID: 2d7389adb3dd02aaf419ae96b9a055e1d0f371a3746d421b484ac110a3d354e7
        • Opcode Fuzzy Hash: 46a02f2618577621b8bf29563f13cd88905e9357f51b4a76ddda491be36c3d43
        • Instruction Fuzzy Hash: 74117C31600114ABCB01EE6ACC819AF77E8EF5A364B10852AFC19E7392D738DD1197A9
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Object$Delete$IconInfo
        • String ID:
        • API String ID: 507670407-0
        • Opcode ID: 7ac5c57932b947c59996fc900266cb776351b887ea54cb9d8caa811953cf2fda
        • Instruction ID: abbe7049c94c5a389a88a2b09be1985b8cb5870bdc08318a1f019dcff3be702d
        • Opcode Fuzzy Hash: 7ac5c57932b947c59996fc900266cb776351b887ea54cb9d8caa811953cf2fda
        • Instruction Fuzzy Hash: 9811DD75A00208AFDB04EFA6D981C9EB7F9FF48310B5489AAB904E7391DA38DD019B54
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ecb1b8fe3049f3da3c2b7e5dc223d2b087ce879ab5fae0815a721d6c035b5fac
        • Instruction ID: a521101e1e8c67093b84bd110bda90230c759d95351935f6ffaffb67e053b207
        • Opcode Fuzzy Hash: ecb1b8fe3049f3da3c2b7e5dc223d2b087ce879ab5fae0815a721d6c035b5fac
        • Instruction Fuzzy Hash: 5B0116603002082BCA64BE675D95F9B3A6DCFD2758B4040BE78599B347EDBDAD0082B8
        APIs
        • EnumWindows.USER32(Function_000A10A0), ref: 004A1181
        • GetWindow.USER32(?,00000003), ref: 004A1199
        • GetWindowLongW.USER32(00000000,000000EC), ref: 004A11A6
        • SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_000A10A0), ref: 004A11E5
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Window$EnumLongWindows
        • String ID:
        • API String ID: 4191631535-0
        • Opcode ID: 82643a6d10f8e77082f794da26b6ba598eddf1bd4edea24df14a70a3e58907e6
        • Instruction ID: 9d6c401ddf43c651e9616651bb04946025a250a773addf7ae606f96f96f606ef
        • Opcode Fuzzy Hash: 82643a6d10f8e77082f794da26b6ba598eddf1bd4edea24df14a70a3e58907e6
        • Instruction Fuzzy Hash: D01169317046109FDB10AA28CC85F9673E4AB19764F14427AFE98EF2E2C7789C40C769
        APIs
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B5CF9
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B5D16
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B5D33
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B5D50
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a73ae7e50b5b92d931dc67ca7e6fd03b71e6007ba1a3c87f76c659e0672bdb27
        • Instruction ID: 60f9b19aa0cbc965ee5ae706c5c901917738c769ff494fd0f3de94a6c79fc972
        • Opcode Fuzzy Hash: a73ae7e50b5b92d931dc67ca7e6fd03b71e6007ba1a3c87f76c659e0672bdb27
        • Instruction Fuzzy Hash: D6015A2030461827CA38BD266C48F9B7AADCBC2754B44807E79199B743DDA8EC00C2B8
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0e099f60810b3382ecd37a2e790144f79f28170f0183697018962e55118c7c76
        • Instruction ID: 6aac42ee3de146f9bbe1f8d266a2da7b34814df0a7508eb000cfb9a2228ad412
        • Opcode Fuzzy Hash: 0e099f60810b3382ecd37a2e790144f79f28170f0183697018962e55118c7c76
        • Instruction Fuzzy Hash: A20178603006082BCB64BE275D49F5B7A6DCFC2754B40817E78599B347EDBCEC0082B8
        APIs
        • FindNextFileW.KERNEL32(?,?), ref: 0040CB11
        • GetLastError.KERNEL32(?,?), ref: 0040CB1A
        • FileTimeToLocalFileTime.KERNEL32(?), ref: 0040CB30
        • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040CB3F
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: FileTime$DateErrorFindLastLocalNext
        • String ID:
        • API String ID: 2103556486-0
        APIs
        • IsWindowVisible.USER32(?), ref: 004A31D0
        • GetWindowLongW.USER32(?,000000EC), ref: 004A3212
        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A3223
        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,-00000001,00000000,?,004A32DD,?,?,?,00000000), ref: 004A324B
        Similarity
        • API ID: Window$Long$Visible
        • String ID:
        • API String ID: 2967648141-0
        APIs
        • FindResourceW.KERNEL32(?,?,?,00421B58,?,00000001,00000000,?,00427986,00000000,?,?,?,?,?,004234E1), ref: 00427A5B
        • LoadResource.KERNEL32(?,00427AE0,?,?,?,00421B58,?,00000001,00000000,?,00427986,00000000,?), ref: 00427A75
        • SizeofResource.KERNEL32(?,00427AE0,?,00427AE0,?,?,?,00421B58,?,00000001,00000000,?,00427986,00000000,?), ref: 00427A8F
        • LockResource.KERNEL32(00427570,00000000,?,00427AE0,?,00427AE0,?,?,?,00421B58,?,00000001,00000000,?,00427986,00000000), ref: 00427A99
        Similarity
        • API ID: Resource$FindLoadLockSizeof
        • String ID:
        • API String ID: 3473537107-0
        APIs
        • InterlockedCompareExchange.KERNEL32(004E7CC0,00000001,00000000), ref: 00413799
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,004E7CC0,00000001,00000000), ref: 004137B0
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137CF
        • ResetEvent.KERNEL32(00000000), ref: 004137D7
        Similarity
        • API ID: Event$Create$CompareExchangeInterlockedReset
        • String ID:
        • API String ID: 2790937731-0
        APIs
        • GetWindowThreadProcessId.USER32(00000000), ref: 004B3B7D
        • GetCurrentProcessId.KERNEL32(00000000,?,?,00000000,00000000,004B3BE8,-000000F4,?,?,004B37AA,?,-0000000C,?), ref: 004B3B86
        • GlobalFindAtomW.KERNEL32(00000000,00000000,?,?,00000000,00000000,004B3BE8,-000000F4,?,?,004B37AA,?,-0000000C,?), ref: 004B3B9B
        • GetPropW.USER32(00000000,00000000), ref: 004B3BB2
        Similarity
        • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
        • String ID:
        • API String ID: 2582817389-0
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 004A0848
        • SetWindowsHookExW.USER32(00000003,004A07EC,00000000,00000000), ref: 004A0858
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,004A3B2F), ref: 004A0873
        • CreateThread.KERNEL32(00000000,000003E8,004A0790,00000000,00000000), ref: 004A0898
        Similarity
        • API ID: CreateThread$CurrentEventHookWindows
        • String ID:
        • API String ID: 1195359707-0
        APIs
        • GetWindowThreadProcessId.USER32(00000000), ref: 004B2AFD
        • GetCurrentProcessId.KERNEL32(?,00000000,00000000,004B470F,?,?,00000000,00000001,004B473C), ref: 004B2B06
        • GlobalFindAtomW.KERNEL32(00000000,?,00000000,00000000,004B470F,?,?,00000000,00000001,004B473C), ref: 004B2B1B
        • GetPropW.USER32(00000000,00000000), ref: 004B2B32
        Similarity
        • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
        • String ID:
        • API String ID: 2582817389-0
        APIs
        • GetDC.USER32(00000000), ref: 0048D431
        • SelectObject.GDI32(00000000,058A00B4), ref: 0048D443
        • GetTextMetricsW.GDI32(00000000), ref: 0048D44E
        • ReleaseDC.USER32(00000000,00000000), ref: 0048D45F
        Similarity
        • API ID: MetricsObjectReleaseSelectText
        • String ID:
        • API String ID: 2013942131-0
        APIs
        • GetActiveWindow.USER32 ref: 00497146
        • EnumWindows.USER32(Function_00097108), ref: 0049715F
        • GetCurrentThreadId.KERNEL32 ref: 0049716E
        • EnumThreadWindows.USER32(00000000,Function_000970E8), ref: 00497174
        Similarity
        • API ID: EnumThreadWindows$ActiveCurrentWindow
        • String ID:
        • API String ID: 1202916826-0
        APIs
        • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?), ref: 004BCF5E
        • ActivateKeyboardLayout.USER32(?,00000001), ref: 004BCFC7
        Strings
        Similarity
        • API ID: ActivateCompareKeyboardLayoutString
        • String ID: L|N
        • API String ID: 1445940216-2486171611
        Strings
        Similarity
        • API ID: CreateInstance
        • String ID: 4YL
        • API String ID: 542301482-3358621688
        APIs
        • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?), ref: 004BD0C6
        • ActivateKeyboardLayout.USER32(?,00000001,00000400,00000001,00000000,?,00000000,?), ref: 004BD0DF
        Strings
        Similarity
        • API ID: ActivateCompareKeyboardLayoutString
        • String ID: L|N
        • API String ID: 1445940216-2486171611
        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041041D), ref: 004103B4
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041041D), ref: 004103BA
        Strings
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID:
        • API String ID: 3303714858-3916222277
        • Opcode ID: 59a56b7e44cb5acf66beac94fab5d37111c30fe0a1b6fed782a3f8166b980204
        • Instruction ID: 9e75e496f70bc0620bea66d1a61d2f6bd08986be2366226718d4f5bffe882f19
        • Opcode Fuzzy Hash: 59a56b7e44cb5acf66beac94fab5d37111c30fe0a1b6fed782a3f8166b980204
        • Instruction Fuzzy Hash: 4D21B931A046589FDB11EF64C891AEEB7F4EF45300F4140ABF944E7391D678AE80CBA9
        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040F765), ref: 0040F6FC
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040F765), ref: 0040F702
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID:
        • API String ID: 3303714858-3916222277
        • Opcode ID: 1bdb8746958693bfc4f8290078a6c9b774663f21896c83c8276edaf8d3fe4967
        • Instruction ID: 0356c73e5d58ef0bb17c99407289dbebe349bfa67112d577581cda1f180c5b84
        • Opcode Fuzzy Hash: 1bdb8746958693bfc4f8290078a6c9b774663f21896c83c8276edaf8d3fe4967
        • Instruction Fuzzy Hash: A521A735A046549FCB21EB64C891AAEB7B4EF09300F1540BBF844F76D1D638AE44CB6A
        APIs
        • RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,00455B88,?,?,00000000,00000000), ref: 00455B33
        • RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,00455B88,?,?,00000000,00000000), ref: 00455B47
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CloseCreate
        • String ID: `XE
        • API String ID: 2932200918-3275911281
        • Opcode ID: 216c254adf01bb84135661f305e1aa449d3aea7ac78ceaf18056b2a3f255b23f
        • Instruction ID: 0c1f6fbad9d438d6e6ae3febd0bc9c9b61393a2682ab208738782c9802d54ff2
        • Opcode Fuzzy Hash: 216c254adf01bb84135661f305e1aa449d3aea7ac78ceaf18056b2a3f255b23f
        • Instruction Fuzzy Hash: 72219371B40608AFD701EBA5CD62FAEB7ECDB44304F60007AF900E72D2DB79AE049659
        APIs
        • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 004AA68A
        • DrawMenuBar.USER32(00000000), ref: 004AA69B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: DrawMenuMessageSend
        • String ID: PNJ
        • API String ID: 2625368238-1796095399
        • Opcode ID: 616af85ff2ea65dbbb5090c76a9e527e472ddee0cc3ba19c7a1cc49079a9eaf8
        • Instruction ID: ba86c77281070be63b2944eaaaf2ca0b1d5d411862843a2698a1659b236e3ad2
        • Opcode Fuzzy Hash: 616af85ff2ea65dbbb5090c76a9e527e472ddee0cc3ba19c7a1cc49079a9eaf8
        • Instruction Fuzzy Hash: D71172317002005BD711EA3A888576B77965FA7308F5D407AF980DF392DB6CDC16CB9A
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: Cursor
        • String ID: TVI$SH
        • API String ID: 3268636600-3704761771
        • Opcode ID: abb5b48e770713413dbebb703db94d11345ff81c3b4c9a32e29966d9f423a3d5
        • Instruction ID: 74d70059c82cc09bc361997cc81334b9bc75912fd0bd80d138287a6a5027d031
        • Opcode Fuzzy Hash: abb5b48e770713413dbebb703db94d11345ff81c3b4c9a32e29966d9f423a3d5
        • Instruction Fuzzy Hash: 162162307015815BCB11EB1DE8C56AB77A6DB89318B59803AE804DB3A3CB7CEC4587AD
        APIs
          • Part of subcall function 00415890: SetErrorMode.KERNEL32 ref: 0041589A
          • Part of subcall function 00415890: LoadLibraryW.KERNEL32(00000000,00000000,004158E4,?,00000000,00415902), ref: 004158C9
        • FreeLibrary.KERNEL32(00000000), ref: 00432BBC
        • GetLastError.KERNEL32(00000000,00432C2F), ref: 00432BCA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: ErrorLibrary$FreeLastLoadMode
        • String ID: WS2_32.DLL
        • API String ID: 2136283890-2889821164
        • Opcode ID: 9476491be7404052957083e48d399e11f6e654874219df220ce66e8dc7195f0b
        • Instruction ID: f1b73fbe717c5af7faa600aa0513d5ff61efa1eff85d4f973677726bc8fc8918
        • Opcode Fuzzy Hash: 9476491be7404052957083e48d399e11f6e654874219df220ce66e8dc7195f0b
        • Instruction Fuzzy Hash: 4111BE706002449FE711EF68DE92B9A73E9F74C304F5054BBA608D3291DBB85D448F5A
        APIs
        • GetSystemMetrics.USER32(00000000), ref: 0049016E
        • GetSystemMetrics.USER32(00000001), ref: 00490180
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: MetricsSystem$AddressProc
        • String ID: MonitorFromPoint
        • API String ID: 1792783759-1072306578
        • Opcode ID: 952afc4831f3737818c557d80abe737d2bfdf50369fff8eb230d8eff4c8d88b7
        • Instruction ID: f955175bd4ff5db4ef15da1a7d4c647691eda2b1f5827bc4a7d9a0e417cbe78e
        • Opcode Fuzzy Hash: 952afc4831f3737818c557d80abe737d2bfdf50369fff8eb230d8eff4c8d88b7
        • Instruction Fuzzy Hash: 9401A232600248AFDF108F51EC86B6BBFA5E744354F808037FD259F262C3769C418BA8
        APIs
        • InterlockedCompareExchange.KERNEL32(?), ref: 0042DD33
        • SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0042DC9D), ref: 0042DD40
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: CompareExchangeInterlockedSwitchThread
        • String ID: XPN
        • API String ID: 3384000618-3056703449
        • Opcode ID: 3ec6f819b992877e3d524e3b2cf2c5363080b8fa663e8b33b9a13a05ae4a2947
        • Instruction ID: bdb5cbb5a3b9d48783b82f4b32c880966d56a84eedc41f81564cdc404920869d
        • Opcode Fuzzy Hash: 3ec6f819b992877e3d524e3b2cf2c5363080b8fa663e8b33b9a13a05ae4a2947
        • Instruction Fuzzy Hash: 29F0FC62B1D9F41BE71115197C847362689EBC23B0FA5023BB4D8871E1C5284C41D36A
        APIs
          • Part of subcall function 004C08D0: ImageList_DragLeave.COMCTL32(?,00000000,004C0984,?,00000000,004B453F,00000000,004B465B,?,00000000,004B46CD), ref: 004C08E8
          • Part of subcall function 004C0700: ClientToScreen.USER32(?,004C0918), ref: 004C0718
          • Part of subcall function 004C0700: GetWindowRect.USER32(?,?), ref: 004C0722
        • ImageList_DragEnter.COMCTL32(?,?,>K,?,00000000,00000000,00000000), ref: 004C08B7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: DragImageList_$ClientEnterLeaveRectScreenWindow
        • String ID: >K$>K
        • API String ID: 493882731-3509769979
        • Opcode ID: 620304f3d8ac09aeb790f4fc56bab10c8a7ba63f52c519b41f7ec61b73247c1f
        • Instruction ID: deeb684c6a7018f937bb2697ee24def1789a5112255163957925916128efb21e
        • Opcode Fuzzy Hash: 620304f3d8ac09aeb790f4fc56bab10c8a7ba63f52c519b41f7ec61b73247c1f
        • Instruction Fuzzy Hash: 9BF04F76B01208AB8750EEAD88C1D9EF7EDEF48214B04427EF518D3341D635AD0497E5
        APIs
        • GetSystemMetrics.USER32(00000000), ref: 00490021
        • GetSystemMetrics.USER32(00000001), ref: 0049002D
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: MetricsSystem$AddressProc
        • String ID: MonitorFromRect
        • API String ID: 1792783759-4033241945
        • Opcode ID: a7f385d6a00eb2a64b6ad02c2a34ab59ce4d5efe7c52dbe0ec37487503847dd3
        • Instruction ID: 609b52102dd8ed94c137b641c8c6a3a0cad94cab0acbd46b7e4b3ade973b4f5d
        • Opcode Fuzzy Hash: a7f385d6a00eb2a64b6ad02c2a34ab59ce4d5efe7c52dbe0ec37487503847dd3
        • Instruction Fuzzy Hash: D90178322002549FDB21AB45F8C6B67BB68EB457A5F448077E9048A252C3789C84CBA8
        APIs
        • GetSystemMetrics.USER32(?), ref: 0048FF96
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        • GetSystemMetrics.USER32(?), ref: 0048FF5C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: MetricsSystem$AddressProc
        • String ID: GetSystemMetrics
        • API String ID: 1792783759-96882338
        • Opcode ID: 5ba9052b123d21f8d3f7e168377652a636bca5b04eb3f040b73df8c44c0cc2e2
        • Instruction ID: 62346e53e766f11e83b53530331865ebdffc6841110c7f832cd90bd413449ad3
        • Opcode Fuzzy Hash: 5ba9052b123d21f8d3f7e168377652a636bca5b04eb3f040b73df8c44c0cc2e2
        • Instruction Fuzzy Hash: 61F01D317242455EDB117A349DC662F3645EB8B328FA08E37B7118AAE6C73C888D935D
        APIs
        • LoadLibraryW.KERNEL32(DWMAPI.DLL,?,?,?,0049EEF9), ref: 004906B6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
        • API String ID: 1029625771-2956373744
        • Opcode ID: fe5dc23e370788f91887cd6470e92c1825b220955ad71d62aea9c6c849605086
        • Instruction ID: f0e3ecffecd30036422d8f8f3e9750b71f6f1f807febf24f3dfc5d5040579894
        • Opcode Fuzzy Hash: fe5dc23e370788f91887cd6470e92c1825b220955ad71d62aea9c6c849605086
        • Instruction Fuzzy Hash: 6EF09C71E422D09FDB115B55ACC9B673FE4D785715F14803BBA009A2A2C7780C94CF9C
        APIs
        • FreeLibrary.KERNEL32(00000000,00000000,00493E3C), ref: 00493DF0
        • FreeLibrary.KERNEL32(00000000,00000000,00493E3C), ref: 00493E04
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: FreeLibrary
        • String ID: 0<I
        • API String ID: 3664257935-2816064585
        • Opcode ID: 920acb709e2f63175bff82f01f451a44be0f74c378b2bb15076502e3d3027c22
        • Instruction ID: 58d1f87a8a7c4d935ae53fa4b21acee9b49bac0c451c041aa4255b75c9598f93
        • Opcode Fuzzy Hash: 920acb709e2f63175bff82f01f451a44be0f74c378b2bb15076502e3d3027c22
        • Instruction Fuzzy Hash: 21F096351006808FDF12AF66EC5662337A4E746706BA1847BF5005B662CB3DD900CA9D
        APIs
        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C950
        • GetLastError.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C962
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: AttributesErrorFileLast
        • String ID: {
        • API String ID: 1799206407-366298937
        • Opcode ID: b66b422506ba923b79554cabc6e1a519e5904e94530f2ec4ba6c5a5fa0a79732
        • Instruction ID: a403b447d06f5ffe2b7abc8b160741d1094639ff05699f4cfa2c28d168ebea04
        • Opcode Fuzzy Hash: b66b422506ba923b79554cabc6e1a519e5904e94530f2ec4ba6c5a5fa0a79732
        • Instruction Fuzzy Hash: 0BE04FD220162085CD2433FD19CA2AF824499857A83240B37FD51F73E2D63E4C8B59AD
        APIs
        • GetKeyState.USER32(00000010), ref: 004AA93F
        • GetKeyState.USER32(00000011), ref: 004AA950
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: State
        • String ID:
        • API String ID: 1649606143-3916222277
        • Opcode ID: 79cf6361b3076dbe001a0739b71795750d9bec554e6214f4cddfb021dc18db59
        • Instruction ID: 869f627d6d0a7e248796e0c653ffba467c6d3343f4f7dd7d863e12119094f056
        • Opcode Fuzzy Hash: 79cf6361b3076dbe001a0739b71795750d9bec554e6214f4cddfb021dc18db59
        • Instruction Fuzzy Hash: 17E022A2740B8202F611756A1C013E717884F637A9F0E4A6FBEC02A1C3E39E0D2590AE
        APIs
        • LoadLibraryW.KERNEL32(DWMAPI.DLL,?,?,00490816,?,0049EE37), ref: 00490776
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID: DWMAPI.DLL$DwmIsCompositionEnabled
        • API String ID: 1029625771-2128843254
        • Opcode ID: d25be5ad88d75b8bdc16a4bd254e692d1b4f716a3a589002d7f88ff95a6a603e
        • Instruction ID: d90d78f076efb1dfc9fc52b144e9f4d6d97211cc0c6569452f8b114e26486ca3
        • Opcode Fuzzy Hash: d25be5ad88d75b8bdc16a4bd254e692d1b4f716a3a589002d7f88ff95a6a603e
        • Instruction Fuzzy Hash: 67F06730A01399CFCB11ABA4A8CA7563BA4F708325F00097BF9119A262E3781880CB8C
        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,?,004D7128,00000000,004D713B), ref: 00415312
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: GetDiskFreeSpaceExW$kernel32.dll
        • API String ID: 1646373207-1127948838
        • Opcode ID: 46793605e3a377ac6353366c3618537fd924d49fceb9037224e7c0035c478c03
        • Instruction ID: 2ca14fdfa41039ed3f894e20683b3969f64cb365ff125a158d180c7fc00750cc
        • Opcode Fuzzy Hash: 46793605e3a377ac6353366c3618537fd924d49fceb9037224e7c0035c478c03
        • Instruction Fuzzy Hash: E2D09EF0703B4ADAD7009BE59D96BA627589784794B50047FA551AB3A1DAFC4C80C61C
        APIs
        • GetModuleHandleW.KERNEL32(ole32.dll,?,0042D9BE), ref: 0042D92A
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.2196285637.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.2196257017.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196618470.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196691649.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196727913.00000000004DE000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2196922600.00000000004DF000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2197859986.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198239518.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198280331.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198312426.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198370108.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.2198447258.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: CoWaitForMultipleHandles$ole32.dll
        • API String ID: 1646373207-2593175619
        • Opcode ID: 1e1c2ecc71053925c223f1487f379d2c6151012cc71ef2f9ce51569905aeaa61
        • Instruction ID: a739f7d9c72f1b270898e192477e90f64bdf8c681cdede822b5b2aeda953c0a3
        • Opcode Fuzzy Hash: 1e1c2ecc71053925c223f1487f379d2c6151012cc71ef2f9ce51569905aeaa61
        • Instruction Fuzzy Hash: D4D09EE0B003A65ED740ABB57CC572726556745355FD0053BB280192E3DBFE4884D61C

        Execution Graph

        Execution Coverage:1.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:0%
        Total number of Nodes:561
        Total number of Limit Nodes:34

        Control-flow Graph

        APIs
        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00400000,004D97C4), ref: 00407830
        • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004D97C4), ref: 00407850
        • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004D97C4), ref: 0040786E
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 0040788C
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 004078AA
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00407948,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 004078F3
        • RegQueryValueExW.ADVAPI32(?,00407B3C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00407948,?,80000001), ref: 00407911
        • RegCloseKey.ADVAPI32(?,0040794F,00000000,?,?,00000000,00407948,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00407942
        • lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 0040795F
        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 0040796C
        • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00407972
        • lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004079A0
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004079F6
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A06
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00407A36
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A46
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00407A75
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Openlstrcpyn$LibraryLoadLocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
        • API String ID: 3838733197-345420546
        • Opcode ID: 500d4192f3f4e426a2eb95fc7c74454a14723a9b485bc85c23f25a13682dcbc3
        • Instruction ID: df7b2f64f77610473c608735449ab92d2de2882fab8bbccedbc06d43c0b3ff5e
        • Opcode Fuzzy Hash: 500d4192f3f4e426a2eb95fc7c74454a14723a9b485bc85c23f25a13682dcbc3
        • Instruction Fuzzy Hash: 28614571E443197AFB10D6E5CC46FEF72AC9B08704F4441B7BA00F65D1E6BCAA448B6A

        Control-flow Graph

        APIs
        • lstrcpynW.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000), ref: 0040795F
        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 0040796C
        • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00407972
        • lstrlenW.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 004079A0
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004079F6
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A06
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00407A36
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A46
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00407A75
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?), ref: 00407A85
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
        • API String ID: 1599918012-345420546
        • Opcode ID: 721b4a117ea3b6873f3d4d86906d600b8069c49196d51dcd95da48f69cb588c4
        • Instruction ID: 84544b6faddad3eb6ad1ca77c7f63bd3b6cde16c802c52dd98678ec739623eb9
        • Opcode Fuzzy Hash: 721b4a117ea3b6873f3d4d86906d600b8069c49196d51dcd95da48f69cb588c4
        • Instruction Fuzzy Hash: 2831B871E0021966EB21D6E4DC49FEF62BD9B08314F4041B7A900F76C1F6BCAE444FAA

        Control-flow Graph

        APIs
        • SetErrorMode.KERNEL32(00008000), ref: 004C3E99
        • GetModuleHandleW.KERNEL32(USER32,00000000,004C3FE6,?,00008000), ref: 004C3EBD
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        • LoadLibraryW.KERNEL32(imm32.dll,00000000,004C3FE6,?,00008000), ref: 004C3EE6
        • SetErrorMode.KERNEL32(?,004C3FED,00008000), ref: 004C3FE0
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ErrorMode$AddressHandleLibraryLoadModuleProc
        • String ID: ImmGetCompositionStringW$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontW$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$L|N$USER32$WINNLSEnableIME$imm32.dll
        • API String ID: 380357001-891999730
        • Opcode ID: b1ec3cb565359a590017557022a06cb7bbe7b03f5ebf7f372a900d6d679cbd94
        • Instruction ID: 363e22e76900ae788d202c86b9cf52365794c0ca40d66826023f44dd51ee54f7
        • Opcode Fuzzy Hash: b1ec3cb565359a590017557022a06cb7bbe7b03f5ebf7f372a900d6d679cbd94
        • Instruction Fuzzy Hash: FA3153F5A45381AEDB41DFA1AE8AF1677A8E344705710483FB2809F6E3EA7C4940CB1C

        Control-flow Graph

        APIs
        • GetCurrentProcessId.KERNEL32(?,00000000,004C44F3), ref: 004C4389
        • GlobalAddAtomW.KERNEL32(00000000), ref: 004C43BC
        • GetCurrentThreadId.KERNEL32 ref: 004C43D7
        • GlobalAddAtomW.KERNEL32(00000000), ref: 004C440D
        • RegisterWindowMessageW.USER32(00000000,00000000,?,?,00000000,004C44F3), ref: 004C4423
          • Part of subcall function 00423E34: InitializeCriticalSection.KERNEL32(00420FD0,?,?,0046798C,00000000), ref: 00423E53
          • Part of subcall function 004C3E80: SetErrorMode.KERNEL32(00008000), ref: 004C3E99
          • Part of subcall function 004C3E80: GetModuleHandleW.KERNEL32(USER32,00000000,004C3FE6,?,00008000), ref: 004C3EBD
          • Part of subcall function 004C3E80: LoadLibraryW.KERNEL32(imm32.dll,00000000,004C3FE6,?,00008000), ref: 004C3EE6
          • Part of subcall function 004C3E80: SetErrorMode.KERNEL32(?,004C3FED,00008000), ref: 004C3FE0
          • Part of subcall function 0049F6F8: GetKeyboardLayout.USER32(00000000), ref: 0049F73D
          • Part of subcall function 0049F6F8: GetDC.USER32(00000000), ref: 0049F792
          • Part of subcall function 0049F6F8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0049F79C
          • Part of subcall function 0049F6F8: ReleaseDC.USER32(00000000,00000000), ref: 0049F7A7
          • Part of subcall function 004A0AB8: OleInitialize.OLE32(00000000), ref: 004A0AE9
          • Part of subcall function 004A0AB8: LoadIconW.USER32(00000000,MAINICON), ref: 004A0BD4
          • Part of subcall function 004A0AB8: GetModuleFileNameW.KERNEL32(00000000,?,00000100,00000000,MAINICON), ref: 004A0C18
        • GetModuleHandleW.KERNEL32(USER32,00000000,00000000,?,?,00000000,004C44F3), ref: 004C44A6
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Module$AtomCurrentErrorGlobalHandleInitializeLoadMode$AddressCapsCriticalDeviceFileIconKeyboardLayoutLibraryMessageNameProcProcessRegisterReleaseSectionThreadWindow
        • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
        • API String ID: 2902964639-1126952177
        • Opcode ID: 15e94844adeafbbdbdc272b8b994b048eaf8667c0d73c1db01582b9adbb10e82
        • Instruction ID: 488db71c8d726a2e9866f244600e5eb894141720428c7692eb7cc5ec6f3ba09e
        • Opcode Fuzzy Hash: 15e94844adeafbbdbdc272b8b994b048eaf8667c0d73c1db01582b9adbb10e82
        • Instruction Fuzzy Hash: F3415074A002459BCB41EFB9E982A9E77B5EB55308B50457FF400EB3A3DB3C69048B5D

        Control-flow Graph

        APIs
        • OleInitialize.OLE32(00000000), ref: 004A0AE9
        • LoadIconW.USER32(00000000,MAINICON), ref: 004A0BD4
        • GetModuleFileNameW.KERNEL32(00000000,?,00000100,00000000,MAINICON), ref: 004A0C18
        • CharNextW.USER32(?,00000000,?,00000100,00000000,MAINICON), ref: 004A0C5D
        • CharLowerW.USER32(00000000,?,00000000,?,00000100,00000000,MAINICON), ref: 004A0C63
          • Part of subcall function 004A0E80: GetClassInfoW.USER32(00400000,004A0A9C,?), ref: 004A0EE2
          • Part of subcall function 004A0E80: RegisterClassW.USER32(004E344C), ref: 004A0EFA
          • Part of subcall function 004A0E80: SetWindowLongW.USER32(?,000000FC,?), ref: 004A0F9A
          • Part of subcall function 004A0E80: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 004A0FBF
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CharClass$FileIconInfoInitializeLoadLongLowerMessageModuleNameNextRegisterSendWindow
        • String ID: 8PN$@PN$MAINICON$TbH
        • API String ID: 896494604-1834456522
        • Opcode ID: 271b1d32eff5edf4237fe094fc8b38156d4f290e78266b3748cb3aca1ae4f9c6
        • Instruction ID: 94b55644650267ad0994bdaec0ad4f25fb40503fc93284be06ae06ad02613ab9
        • Opcode Fuzzy Hash: 271b1d32eff5edf4237fe094fc8b38156d4f290e78266b3748cb3aca1ae4f9c6
        • Instruction Fuzzy Hash: A6613F706043848FD751DF69C9C9B863BE4AF15308F4440BAE848DF397D7B99948CB69

        Control-flow Graph

        APIs
        • IsValidLocale.KERNEL32(?,00000001,00000000,00414D0E,?,?,?,?,00000000,00000000), ref: 00414A6F
        • GetThreadLocale.KERNEL32(?,00000001,00000000,00414D0E,?,?,?,?,00000000,00000000), ref: 00414A7C
          • Part of subcall function 00412370: GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00414710,00000000,0041493A,?,?,00000000,00000000), ref: 00412383
          • Part of subcall function 00412324: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Locale$Info$ThreadValid
        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
        • API String ID: 233154393-2493093252
        • Opcode ID: e144f7fff5f9a3d744e6d24209b038e9b3f31150fb9d269a7cffc4059d964cb2
        • Instruction ID: a5f6a48efb51da4af733d622893e4eb31ae066812828113a4e1f6162f8c36b1b
        • Opcode Fuzzy Hash: e144f7fff5f9a3d744e6d24209b038e9b3f31150fb9d269a7cffc4059d964cb2
        • Instruction Fuzzy Hash: D67160307002099BDB11EBB5D981ADFB3B6EF88304F50943BB511E7686DA7CED468758

        Control-flow Graph

        APIs
        • GetKeyboardLayoutList.USER32(00000040,?,00000000,0049FE41,?,04D859E0,?,0049FEE5,00000000,?,004B9223), ref: 0049FCEC
        • RegOpenKeyExW.ADVAPI32(80000002,00000000), ref: 0049FD54
        • RegQueryValueExW.ADVAPI32(?,layout text,00000000,00000000,?,00000200,00000000,0049FDFD,?,80000002,00000000), ref: 0049FD8E
        • RegCloseKey.ADVAPI32(?,0049FE04,00000000,?,00000200,00000000,0049FDFD,?,80000002,00000000), ref: 0049FDF7
        Strings
        • layout text, xrefs: 0049FD85
        • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0049FD3E
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CloseKeyboardLayoutListOpenQueryValue
        • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
        • API String ID: 1703357764-2652665750
        • Opcode ID: 685eb142b6a9cbb1d1f66b527d3b4b5acb2a75a6457c23e8d677c7cf40820bf7
        • Instruction ID: 72c0d8b78966675bfcc32a8bf9e70a0532fac2d52a62bfbb3d7d50cd100e1aa0
        • Opcode Fuzzy Hash: 685eb142b6a9cbb1d1f66b527d3b4b5acb2a75a6457c23e8d677c7cf40820bf7
        • Instruction Fuzzy Hash: 37413A74A002099FDF11DB55C981F9EBBF9EB48304FA040BAE904E7352D778AE04CB69

        Control-flow Graph

        APIs
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004079F6
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A06
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00407A36
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407A46
        • lstrcpynW.KERNEL32(-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00407A75
        • LoadLibraryExW.KERNEL32(?,00000000,00000002,-00000002,?,00000105,?,00000000,00000002,-00000002,?,00000105,?,00000000,00000003,?), ref: 00407A85
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: LibraryLoadlstrcpyn
        • String ID:
        • API String ID: 4087624111-0
        • Opcode ID: ab8818e025a55ee8e45b34d9a85fef4f984031b212bd8edc2354dcdfef0788af
        • Instruction ID: 5ac6ca9e8965384e7114ab991b92e9f90bd8394330b36e3c640473becc844f08
        • Opcode Fuzzy Hash: ab8818e025a55ee8e45b34d9a85fef4f984031b212bd8edc2354dcdfef0788af
        • Instruction Fuzzy Hash: 9721B372F0021926EB219AB4CC49BEF63AD9B48350F4441B2E900F36C5F67CEE444BA6

        Control-flow Graph

        APIs
        • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0048D492
          • Part of subcall function 0048D428: GetDC.USER32(00000000), ref: 0048D431
          • Part of subcall function 0048D428: SelectObject.GDI32(00000000,058A00B4), ref: 0048D443
          • Part of subcall function 0048D428: GetTextMetricsW.GDI32(00000000), ref: 0048D44E
          • Part of subcall function 0048D428: ReleaseDC.USER32(00000000,00000000), ref: 0048D45F
        Strings
        • MS Shell Dlg 2, xrefs: 0048D4FC
        • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 0048D4E8
        • Tahoma, xrefs: 0048D4B4
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: MetricsObjectReleaseSelectText
        • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
        • API String ID: 2013942131-1011973972
        • Opcode ID: 1deb0ebd453dd0459b1c663e2c71c7c6e00c548da896f0cab4252f1318124a93
        • Instruction ID: b741e2279395ff2e5182d28255e2c421c77c5749542e274d6136cd036d57fee6
        • Opcode Fuzzy Hash: 1deb0ebd453dd0459b1c663e2c71c7c6e00c548da896f0cab4252f1318124a93
        • Instruction Fuzzy Hash: 50118E30A01608AFC701FF65DC5296E7BB5EB89718FA14877F800A7792D739AE048B1C

        Control-flow Graph

        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00404B1F
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CurrentThread
        • String ID:
        • API String ID: 2882836952-0
        • Opcode ID: 7c745618e3b6b7e3c84140a1cc68fa399c7bb0a091d078ed40c32aed6c8133b6
        • Instruction ID: c68ce5c85e8e450121dc820ed95f9e57b7ef639d5be5b0cf549b3a1641ab74b6
        • Opcode Fuzzy Hash: 7c745618e3b6b7e3c84140a1cc68fa399c7bb0a091d078ed40c32aed6c8133b6
        • Instruction Fuzzy Hash: 37516DB06002449FDB24EF69D48475A77A4BB88328F14457FEA05AB292D77CED80CB9D

        Control-flow Graph (executed / not executed basic blocks, function at 42ce78-42cf22): rendered graph omitted; node and edge data not reproduced in text.
        APIs
        • GetClassInfoW.USER32(00400000,0042CE5C,?), ref: 0042CE99
        • UnregisterClassW.USER32(0042CE5C,00400000), ref: 0042CEC2
        • RegisterClassW.USER32(004D9D9C), ref: 0042CECC
        • SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 0042CF17
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Class$InfoLongRegisterUnregisterWindow
        • String ID:
        • API String ID: 4025006896-0
        • Opcode ID: 6dde7edaefd55bdd9afec60d328267539526cd3643666fc791a003a735848c11
        • Instruction ID: 819faa140f1add904aba23483a0426c3386c7d3aa52e1ccc5eaded36d916c81b
        • Opcode Fuzzy Hash: 6dde7edaefd55bdd9afec60d328267539526cd3643666fc791a003a735848c11
        • Instruction Fuzzy Hash: DE0100717041046ACB50ABA9ECD1F6F376AB708314F54453BF954E73D2D635AD408758

        Control-flow Graph (executed / not executed basic blocks, function at 455fbc-45602c): rendered graph omitted; node and edge data not reproduced in text.
        APIs
        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00455FE7
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: QueryValue
        • String ID: InstallLocation$`XE
        • API String ID: 3660427363-1060252270
        • Opcode ID: 52a9247b03dc05966bf407c75f9daa5717b453c41fb74cf7a942edf2af81cd1f
        • Instruction ID: 2e81a3a570a130c2392b2f380bbe0421837a438b5cb8e3d38c782731012cd6bf
        • Opcode Fuzzy Hash: 52a9247b03dc05966bf407c75f9daa5717b453c41fb74cf7a942edf2af81cd1f
        • Instruction Fuzzy Hash: 82012176600208ABD700EE99DC81A9AB7ACDB45314F00816AFD14DB352D6759E448BA5

        Control-flow Graph (executed / not executed basic blocks, function at 49fb24-49fb80): rendered graph omitted; node and edge data not reproduced in text.
        APIs
        • LoadCursorW.USER32(00000000,00007F00), ref: 0049FB31
        • LoadCursorW.USER32(00000000,00000000), ref: 0049FB63
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CursorLoad
        • String ID: 3N
        • API String ID: 3238433803-2168364347
        • Opcode ID: 454eb69b7fa905ff21c8c73c97dc5099a9daec728a0f2fa1944e5fa7f0942d08
        • Instruction ID: 1a2071ff0d4d260c5d151b197ca9503db8e0b3940d429ea436de1c192c05c888
        • Opcode Fuzzy Hash: 454eb69b7fa905ff21c8c73c97dc5099a9daec728a0f2fa1944e5fa7f0942d08
        • Instruction Fuzzy Hash: FBF08221B042455ADE201D3E9CE4E6AB6549B86379F20037BFA3ADB3D2C63E3C095259

        Control-flow Graph

        APIs
        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,00000000,00455E71,?,?,?,00000000), ref: 00455D39
        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,?,00000000,00000000,00000000,00000200,?,00000000,00455E71), ref: 00455DA9
        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,00000000,00000000,00000000,00000000,00000200,?,?,00000000,00000000,00000000,00000200), ref: 00455E14
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Open
        • String ID:
        • API String ID: 71445658-0
        • Opcode ID: 5c99e64d9ac875954756ed6435d01a05ca2fe1650ad07db8ac1f5e97718b33f2
        • Instruction ID: 7eb8e3fa54d4dfee1b8c01da266d2d295de670e3b5851d55b12553ac02ff90dc
        • Opcode Fuzzy Hash: 5c99e64d9ac875954756ed6435d01a05ca2fe1650ad07db8ac1f5e97718b33f2
        • Instruction Fuzzy Hash: E6418431A00648AFDB11DBA5C952BAFB7FAAF44304F14447AE845E3282D739AF09D748
        APIs
        • Sleep.KERNEL32(00000000,00402816,?,?,?,004028A9), ref: 00402762
        • Sleep.KERNEL32(0000000A,00000000,00402816,?,?,?,004028A9), ref: 0040277B
        • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,00402816,?,?,?,004028A9), ref: 004027A9
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Sleep$AllocVirtual
        • String ID:
        • API String ID: 3510833457-0
        • Opcode ID: 23a1573e0544ad60a2eb7342b4b371c819cc43349ec3640cc67e0e4135d412cf
        • Instruction ID: 68f347ffa438d19a7863e3948cb3eb8e35cb458c138dde4e43f55bbedbf88d93
        • Opcode Fuzzy Hash: 23a1573e0544ad60a2eb7342b4b371c819cc43349ec3640cc67e0e4135d412cf
        • Instruction Fuzzy Hash: ADF05824A8838065EF20B7316E8A75B228097117ADF10047BF6423F2E3C7FC0589820E
        APIs
        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00455EF8,?,InstallLocation,?,InstallLocation,?,00455EF8), ref: 00455EC6
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: QueryValue
        • String ID: InstallLocation
        • API String ID: 3660427363-779285727
        • Opcode ID: 2297c62739d228c3ad2dd79bc23fc9af415a6b3fa80245ffa2b0c02291cef3a9
        • Instruction ID: 339418a17dea5f17fa901b5cdf8604e0a36cfb6031989b344c9d5cc35275aaae
        • Opcode Fuzzy Hash: 2297c62739d228c3ad2dd79bc23fc9af415a6b3fa80245ffa2b0c02291cef3a9
        • Instruction Fuzzy Hash: EBF05E623092446BD704EA6D9C41BAB7B9C9B85314F04807FF588C7682DA24D9088369
        APIs
        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00455EF8,?,InstallLocation,?,InstallLocation,?,00455EF8), ref: 00455EC6
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: QueryValue
        • String ID: InstallLocation
        • API String ID: 3660427363-779285727
        • Opcode ID: 29368faf28512232a31da5a9f275ec1ddbb373fdef311237ef5867f50f5e29dc
        • Instruction ID: 6b10f4f9ec51a46b811b7a63492c64e8c85db4dfc0d0eb82bccbc1d05a0f7fca
        • Opcode Fuzzy Hash: 29368faf28512232a31da5a9f275ec1ddbb373fdef311237ef5867f50f5e29dc
        • Instruction Fuzzy Hash: C1F030623095046BE714EA6E9D41FAB7BDCDB84355F00843FF548C7681DA25DD088375
        APIs
        • GetVersion.KERNEL32(00000000,004D813F), ref: 004D80DA
          • Part of subcall function 004C4368: GetCurrentProcessId.KERNEL32(?,00000000,004C44F3), ref: 004C4389
          • Part of subcall function 004C4368: GlobalAddAtomW.KERNEL32(00000000), ref: 004C43BC
          • Part of subcall function 004C4368: GetCurrentThreadId.KERNEL32 ref: 004C43D7
          • Part of subcall function 004C4368: GlobalAddAtomW.KERNEL32(00000000), ref: 004C440D
          • Part of subcall function 004C4368: RegisterWindowMessageW.USER32(00000000,00000000,?,?,00000000,004C44F3), ref: 004C4423
          • Part of subcall function 004C4368: GetModuleHandleW.KERNEL32(USER32,00000000,00000000,?,?,00000000,004C44F3), ref: 004C44A6
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: AtomCurrentGlobal$HandleMessageModuleProcessRegisterThreadVersionWindow
        • String ID: J
        • API String ID: 3196784325-3962827965
        • Opcode ID: efd5b1783374d5782e50a06fde42e24064fdaa86a57068f62f9870869c5b2e63
        • Instruction ID: 01757a7481c3e47eb77a1f15dea223faa87409544d0b0a5fb043de73d9a5a9d4
        • Opcode Fuzzy Hash: efd5b1783374d5782e50a06fde42e24064fdaa86a57068f62f9870869c5b2e63
        • Instruction Fuzzy Hash: A2F0FF343042444BE701EF2AFD6283A37BDF75A7887D1453AF65447676CA3CAC228A5D
        APIs
        • CompareStringW.KERNEL32(00000400,00000000,00000000,?,00000000,?), ref: 00426D44
        • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?), ref: 00426DD2
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CompareString
        • String ID:
        • API String ID: 1825529933-0
        • Opcode ID: 86d1ad3d5bc14e5a3b6ff7cea29ab51c09b72f9fe867fc84c2e42b7fc86bb840
        • Instruction ID: 1bce3101b33b97643a0eb353b1ecb527c83228c91fff1d79e3d3d4158c065343
        • Opcode Fuzzy Hash: 86d1ad3d5bc14e5a3b6ff7cea29ab51c09b72f9fe867fc84c2e42b7fc86bb840
        • Instruction Fuzzy Hash: 7541B030B10629ABDB11EA75DC81B9F77B9EB44304F914076E900BB385DAB8EE458A58
        APIs
        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,00000000,00455E71,?,?,?,00000000), ref: 00455D39
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Open
        • String ID:
        • API String ID: 71445658-0
        • Opcode ID: 2f440508c5680e4cfa5d6386d9114472fc9e0cd71971e58d01c444e0fd6f812e
        • Instruction ID: a4ae3f5a1a4ed38312c9ca041c1909ea04a79e3b6359ff122a38a6224e6f66cd
        • Opcode Fuzzy Hash: 2f440508c5680e4cfa5d6386d9114472fc9e0cd71971e58d01c444e0fd6f812e
        • Instruction Fuzzy Hash: 3621C731A04A44AFDB11DB65C862BAEB7F9DB44304F14407AE845E3683D63D9F09D748
        APIs
        • RaiseException.KERNEL32(406D1388,00000000,00000004,00001000,00000000,00430389,?,00000000,004303A9), ref: 0043037A
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ExceptionRaise
        • String ID:
        • API String ID: 3997070919-0
        • Opcode ID: aaa21181d0cd41feac223646c09e8e3ebaa914546c0ee4c35471368cf147714f
        • Instruction ID: 2edde985e47b0314ced98806a66aa516f40345392f25052c84e6695f70a2a573
        • Opcode Fuzzy Hash: aaa21181d0cd41feac223646c09e8e3ebaa914546c0ee4c35471368cf147714f
        • Instruction Fuzzy Hash: 8C018071614608AFE711DFA5DC22A5FBBFCEB89710F61457AF804E26D0E6785E008A68
        APIs
        • GetTempPathW.KERNEL32(00000104,00000000,00000000,00456D82,?,?,00000000), ref: 00456D33
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: PathTemp
        • String ID:
        • API String ID: 2920410445-0
        • Opcode ID: 964d6cf9439cd43be4cb881bc6c29a82fa2e8d86a71a2738342a37bff1830004
        • Instruction ID: 0339562263a00f4877b4dccc4e7ffb70b86c602b32d2c14d66dd173946d6a9ee
        • Opcode Fuzzy Hash: 964d6cf9439cd43be4cb881bc6c29a82fa2e8d86a71a2738342a37bff1830004
        • Instruction Fuzzy Hash: C5F086303047415BE711FB7ACCC2A5A72B9DB44704B91847BB900EB6C3D97CED0D8A59
        APIs
        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409437
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CreateWindow
        • String ID:
        • API String ID: 716092398-0
        • Opcode ID: 5d79dc1d150812a74f68fa7706fa2beab0d892f6ba99adc312daa151b57a2822
        • Instruction ID: 98720d54b23087314b148b8a69a058bdf383c0a3bb0f14c0e4776b0a0ff7c045
        • Opcode Fuzzy Hash: 5d79dc1d150812a74f68fa7706fa2beab0d892f6ba99adc312daa151b57a2822
        • Instruction Fuzzy Hash: 9FF074B2704158BF9B84DE9EDC81D9B77ECEB4C264B054169BA0CD7241D634ED108BA4
        APIs
        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409437
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CreateWindow
        • String ID:
        • API String ID: 716092398-0
        • Opcode ID: c8a3575097422ecc91b89690a66d94928a93d395be7ff5566125bd86243a52f9
        • Instruction ID: a8eb29dffa521f169027adbe36a3955fa50e3f1e7fcc5986cd68263037f3546d
        • Opcode Fuzzy Hash: c8a3575097422ecc91b89690a66d94928a93d395be7ff5566125bd86243a52f9
        • Instruction Fuzzy Hash: 3CF074B2604158BF8B84DE9EDC81D9B77ECEB4C264B054169BA0CD7241D634ED108BA4
        APIs
        • GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 00407592
          • Part of subcall function 00407814: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00400000,004D97C4), ref: 00407830
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004D97C4), ref: 00407850
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004D97C4), ref: 0040786E
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 0040788C
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 004078AA
          • Part of subcall function 00407814: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00407948,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?), ref: 004078F3
          • Part of subcall function 00407814: RegQueryValueExW.ADVAPI32(?,00407B3C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00407948,?,80000001), ref: 00407911
          • Part of subcall function 00407814: RegCloseKey.ADVAPI32(?,0040794F,00000000,?,?,00000000,00407948,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00407942
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Open$FileModuleNameQueryValue$Close
        • String ID:
        • API String ID: 2796650324-0
        • Opcode ID: d2b5520c25cc607b631faaef4382f4f52f25dc6b420cd36ee7423438a50a4f0b
        • Instruction ID: 15bc9e0eae040b997de83f91aae6423356b4c95741ec3523426e05a1fedf3b8f
        • Opcode Fuzzy Hash: d2b5520c25cc607b631faaef4382f4f52f25dc6b420cd36ee7423438a50a4f0b
        • Instruction Fuzzy Hash: 58E0C971A05310AFDB14EE58C8C5A473798AB48754F0449A6AD28DF386D379D91087E6
        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: InfoSystem
        • String ID:
        • API String ID: 31276548-0
        • Opcode ID: 0ef9315fa0addcb004a16f9bb7b60b1bf41dd01ffd9b44470a51e98d2a209b44
        • Instruction ID: a2ad52d0e49e74ac93d16fd1bc8dcb7af829259f33293182aadfecf5cd0cac90
        • Opcode Fuzzy Hash: 0ef9315fa0addcb004a16f9bb7b60b1bf41dd01ffd9b44470a51e98d2a209b44
        • Instruction Fuzzy Hash: FFB012106084020BC604A72D4C4344F31C01A81324FC40234745CF62E2F61DC9A503EB
        APIs
        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0042CDCE
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: e9a9ebc85c4420921d348b36584d1a19baf88346eb3c1ad9c9815b67b63e27e5
        • Instruction ID: 20e24bef9e3a4877ae098f34533155ea9661877811daeba9fbce7bb77a1ed721
        • Opcode Fuzzy Hash: e9a9ebc85c4420921d348b36584d1a19baf88346eb3c1ad9c9815b67b63e27e5
        • Instruction Fuzzy Hash: 801148342403159BD710DF19D8C1B8ABBE5EF88750F50C57AE9989F385D374E9018BA8
        APIs
        • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00401E53,?,00401B26), ref: 0040185A
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 3b95f647205e982edb36745675ad3542bea169b2280bb8a893d17a7c88b328cf
        • Instruction ID: de1504ff1474c9a49c600275acd639b721de49a4ecbb0d66a55633acd36d1602
        • Opcode Fuzzy Hash: 3b95f647205e982edb36745675ad3542bea169b2280bb8a893d17a7c88b328cf
        • Instruction Fuzzy Hash: B6F04FF1B117404BDB149F799DC17167AD6B78930CF10823EE509DFBA9E77484018708
        APIs
          • Part of subcall function 00484824: OutputDebugStringW.KERNEL32(00000000,?,00000000,00484AB8,?,00000000,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484933
        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0048509E
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CreateDebugOutputPipeString
        • String ID: A$D$cmd.exe /k ping
        • API String ID: 1172444661-226192315
        • Opcode ID: 036a7e521363ea5a36e3ca6ec3aad9114771636336aa34cce797ea6a16ce70fa
        • Instruction ID: fc9a1415fd0955bb89a07bec7805042ec8be1484c3c6c14ef68dc9a06b8892e7
        • Opcode Fuzzy Hash: 036a7e521363ea5a36e3ca6ec3aad9114771636336aa34cce797ea6a16ce70fa
        • Instruction Fuzzy Hash: 53814071A046099EDB10FBA5CD45B9EB7B8EB48304F2049ABE504F7281DF789E01CF69
        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,00420A28,00400000,004D97C4), ref: 00407635
        • GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 0040764C
        • lstrcpynW.KERNEL32(?,?,?), ref: 0040767C
        • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,00420A28,00400000,004D97C4), ref: 004076EB
        • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00420A28,00400000,004D97C4), ref: 00407733
        • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28,00400000,004D97C4), ref: 00407746
        • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28,00400000,004D97C4), ref: 0040775C
        • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28,00400000,004D97C4), ref: 00407768
        • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28,00400000), ref: 004077A4
        • lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,00420A28), ref: 004077B0
        • lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 004077D3
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
        • String ID: GetLongPathNameW$\$kernel32.dll
        • API String ID: 3245196872-3908791685
        • Opcode ID: d7d111a059713bf4eda24ac3aa40c7b5e1bb4d21e36ca2d85ce569ab9031eb31
        • Instruction ID: f2b674abe2ba20a150e79b47893a8681c7c64638fb5bd3151d35c61cd4aafac2
        • Opcode Fuzzy Hash: d7d111a059713bf4eda24ac3aa40c7b5e1bb4d21e36ca2d85ce569ab9031eb31
        • Instruction Fuzzy Hash: 23518272D046189BDB10EBA8CC85AEE73FCAB04350F1445B6A905F7691E778BE408B5A
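        The API lines in these records share one shape: "API.MODULE(arg,arg,...), ref: ADDR", with "Part of subcall function ADDR:" prefixed when the call is made inside a callee rather than by the function itself. The parser below is an added example for working with that shape and is not Joe Sandbox code; its sample input is copied verbatim from the GetModuleFileNameW record and the GetModuleHandleW record above, and nothing about the format is assumed beyond what those lines show. The registry walk it recovers (HKCU and HKLM Software\CodeGear\Locales, then Software\Borland\Locales and Software\Borland\Delphi\Locales, all reached from subcall 00407814) is the locale-override lookup of the Delphi/C++Builder runtime's resource-module loader, which is worth recognising so that it is read as a compiler fingerprint rather than as sample-specific behaviour.

```python
"""Parser for the 'APIs' lines of a Joe Sandbox function record.

Added example; this is not Joe Sandbox code. The sample below is copied
from records on this page. The only format assumption is the one those
lines show: "API.MODULE(arg,...), ref: ADDR", optionally prefixed with
"Part of subcall function ADDR:" for calls made inside a callee.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the page (GetModuleFileNameW record, GetModuleHandleW record).
SAMPLE = r"""
        • GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 00407592
          • Part of subcall function 00407814: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00400000,004D97C4), ref: 00407830
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004D97C4), ref: 00407850
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,004D97C4), ref: 0040786E
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,00000000), ref: 0040788C
          • Part of subcall function 00407814: RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 004078AA
        • GetModuleHandleW.KERNEL32(kernel32.dll,00420A28,00400000,004D97C4), ref: 00407635
"""

_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Predefined registry hives as they appear in the hKey argument.
HKEY_NAMES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # '?' marks a value the static analysis could not recover
    ref: int                   # address of the call instruction
    subcall: Optional[int]     # callee that actually makes the call, or None for a direct call


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an 'APIs' list into ApiCall records; headings are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def registry_keys(calls: List[ApiCall]) -> List[str]:
    """'HIVE\\subkey' for every RegOpenKeyExW whose root hive was recovered as a constant."""
    keys = []
    for c in calls:
        if c.api != "RegOpenKeyExW" or len(c.args) < 2 or c.args[0] == "?":
            continue
        hive = HKEY_NAMES.get(int(c.args[0], 16), c.args[0])
        keys.append(f"{hive}\\{c.args[1]}")
    return keys


def calls_made_by(calls: List[ApiCall], callee: int) -> List[str]:
    """API names reached through a given subcall address, in record order."""
    return [c.api for c in calls if c.subcall == callee]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for key in registry_keys(parsed):
        print(key)
    print(calls_made_by(parsed, 0x407814))
```

        Splitting on commas is safe for the lines on this page because none of the recovered string arguments contains one; a record with a comma inside a string argument would need a quote-aware split.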
        APIs
        • IsIconic.USER32(?), ref: 004BED6F
        • GetWindowPlacement.USER32(?,0000002C), ref: 004BED8C
        • GetWindowRect.USER32(?,?), ref: 004BEDAB
        • GetWindowLongW.USER32(?,000000F0), ref: 004BEDB9
        • GetWindowLongW.USER32(?,000000F8), ref: 004BEDD2
        • GetWindowLongW.USER32(00000000,000000EC), ref: 004BEDE0
        • ScreenToClient.USER32(00000000), ref: 004BEE10
        • ScreenToClient.USER32(00000000), ref: 004BEE35
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$Long$ClientScreen$IconicPlacementRect
        • String ID: ,
        • API String ID: 1823113212-3772416878
        • Opcode ID: 54e5411ac4d1231112c913961141d8655a205c32bf1127ab81a5b0bc7eeb1232
        • Instruction ID: c7173f946874bfd70d87507649719b056ae5bdfab5a7580695f540a1b111c5ec
        • Opcode Fuzzy Hash: 54e5411ac4d1231112c913961141d8655a205c32bf1127ab81a5b0bc7eeb1232
        • Instruction Fuzzy Hash: 2C31C9B5609702AFC741DF6DC484A8FBBE8EF88350F14892EB998DB351D734D8448B66
        APIs
        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000,?,00000000,004C75CD,?,?,?,?,?,004CA631), ref: 004C740F
        • GetLastError.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000,?,00000000,004C75CD,?,?,?,?,?,004CA631), ref: 004C741D
        • DeviceIoControl.KERNEL32(000000FF,00074080,00000000,00000000,?,00000018,00000000,00000000), ref: 004C748A
        • GetLastError.KERNEL32(00000000,004C759D,?,?,C0000000,00000007,00000000,00000003,00000000,00000000,?,00000000,004C75CD), ref: 004C7493
        • CloseHandle.KERNEL32(000000FF,004C75A4,004C759D,?,?,C0000000,00000007,00000000,00000003,00000000,00000000,?,00000000,004C75CD), ref: 004C7597
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
        • String ID: \\.\PhysicalDrive%d
        • API String ID: 1177325624-2935326385
        • Opcode ID: a14e9b7c7b478fee40778d151be5a5df8f5eb6b8f243dd996312628aba624c08
        • Instruction ID: bba0966b8e81fe5bcff8f46d1acefcc068ad42b9a10d3efaf7f5fc5dd5b145ad
        • Opcode Fuzzy Hash: a14e9b7c7b478fee40778d151be5a5df8f5eb6b8f243dd996312628aba624c08
        • Instruction Fuzzy Hash: 07618474A04218AFDB50DF65CC41FAEB7B9EB88714F5044BEB508E3681DA389E44CF59
        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: RestoreSave$FocusIconicWindow
        • String ID:
        • API String ID: 1400084646-0
        • Opcode ID: 583a10e75f26a93a762f26665fa86cd0a7490dc8408021ac43ff7dac9a75fa93
        • Instruction ID: 4d1aa48dba98c79f1140ee898be312b4124a1550ad50b543197c56b43dbb0cb0
        • Opcode Fuzzy Hash: 583a10e75f26a93a762f26665fa86cd0a7490dc8408021ac43ff7dac9a75fa93
        • Instruction Fuzzy Hash: C9E17D30A042049FDF15DF6DC986AAEBBE5EB44304F1545BBE404DB756CB78AE40CB98
        APIs
        • GetWindowLongW.USER32(?,000000EC), ref: 00496DE6
        • IsIconic.USER32(?), ref: 00496E14
        • IsWindowVisible.USER32(?), ref: 00496E24
        • ShowWindow.USER32(?,00000000,?,?,?,000000EC,00000001,?,?,00000000,004A1619,?,?,?,004A17AF,00000000), ref: 00496E41
        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00496E54
        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00496E65
        • ShowWindow.USER32(?,00000006,?,000000EC,00000000,?,?,?,000000EC,00000001,?,?,00000000,004A1619), ref: 00496E85
        • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,?,?,000000EC,00000001,?,?,00000000,004A1619), ref: 00496E8F
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$LongShow$IconicVisible
        • String ID:
        • API String ID: 3484284227-0
        • Opcode ID: f486eb1f0e8aee1c5efc9ed415bbe8db03c6e016de86be8dd2baedf350856df3
        • Instruction ID: ca95bb8bb0818ea5a90282b5e38d4bf22da05f14513b66965b8ba9bba351b6b4
        • Opcode Fuzzy Hash: f486eb1f0e8aee1c5efc9ed415bbe8db03c6e016de86be8dd2baedf350856df3
        • Instruction Fuzzy Hash: ED11E60524D79025DF2232264C02FAF2E984FC7318F19463FF8D4A11C3C23D4905822F
        APIs
        • SaveDC.GDI32(?), ref: 004AB8A0
        • RestoreDC.GDI32(?,?), ref: 004AB914
        • GetWindowDC.USER32(?,00000000,004ABB22), ref: 004AB98E
        • SaveDC.GDI32(?), ref: 004AB9C5
        • RestoreDC.GDI32(?,?), ref: 004ABA50
        • DefWindowProcW.USER32(?,?,?,?,00000000,004ABB22), ref: 004ABB04
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: RestoreSaveWindow$Proc
        • String ID:
        • API String ID: 1975259465-0
        • Opcode ID: b0d897ef777358d9d8a85d196c2d1809446aa99833d3ffa7a7ea1fcd05aa5c54
        • Instruction ID: 18256cceddf1e8ed75d6d9bc5e2c99ab8c56aa32022ef838ee28643ebdd135b7
        • Opcode Fuzzy Hash: b0d897ef777358d9d8a85d196c2d1809446aa99833d3ffa7a7ea1fcd05aa5c54
        • Instruction Fuzzy Hash: B7F15E34A006459FCB10DF6AC5819AEF7F5FF69304B60866AE801A7362D738ED41CB99
        APIs
        • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 004C76F0
        • GetLastError.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 004C76FC
        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000), ref: 004C7782
        • GetLastError.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000,?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 004C781C
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,002D1400,?,0000000C,?,00002710,?,00000000,?,00000000,00000003,00000000,00000003), ref: 004C7843
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
        • String ID: \\.\PhysicalDrive%d
        • API String ID: 1177325624-2935326385
        • Opcode ID: f3c30636827642e90f579d618aa1d65b4a6edc7c85f9015f0e45443e17a90f9d
        • Instruction ID: 90e68ab612a092c82b2f8a928bf183565ba8cfef8866bcc2dc7fc7d3850c149d
        • Opcode Fuzzy Hash: f3c30636827642e90f579d618aa1d65b4a6edc7c85f9015f0e45443e17a90f9d
        • Instruction Fuzzy Hash: 16516274A05118ABDB50EB69CC85F9E77B9EF48304F5081BBB508E7281DB389F448F68
        APIs
        • IsIconic.USER32(?), ref: 004BE3D7
        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004BE3F5
        • GetWindowPlacement.USER32(?,0000002C), ref: 004BE42B
        • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004BE44F
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$Placement$Iconic
        • String ID: ,
        • API String ID: 568898626-3772416878
        • Opcode ID: 4e6e4ef97e99ef16ee460287f45b08c1578ad03f4d2ea65ef27bb564f1b4a047
        • Instruction ID: 5d4e0461e67527e3e1f8b298f42a18f5d16419f86d2eb7804103e1a06a5a5d6e
        • Opcode Fuzzy Hash: 4e6e4ef97e99ef16ee460287f45b08c1578ad03f4d2ea65ef27bb564f1b4a047
        • Instruction Fuzzy Hash: 8321F871600204ABCB54EF6EC8C59CE77E9AF49314F04946AFE18EF346D679EC048BA5
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: AddressProc
        • String ID: MonitorFromWindow
        • API String ID: 190572456-2842599566
        • Opcode ID: 83aca5a9695eadc929b4d4a5ed6d77c9f91f381b9bebc0cb1ef110b99310690a
        • Instruction ID: cafcb5095a8310dc163b16c7fae9225561532fe0018daeddf9dab4be1aa80a6e
        • Opcode Fuzzy Hash: 83aca5a9695eadc929b4d4a5ed6d77c9f91f381b9bebc0cb1ef110b99310690a
        • Instruction Fuzzy Hash: FB01AD31604108AEDB00EA95AC86EFF779CDB09304B44403BFE10AB252D72D9E0187FE
        APIs
        • LoadLibraryW.KERNEL32(uxtheme.dll,00000000,0048F676), ref: 0048F2F9
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00408ADA
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: AddressProc$LibraryLoad
        • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundExtent$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
        • API String ID: 2238633743-1748089680
        • Opcode ID: 187df02b06c548eaf988eb9952c75c812548da6fb832dbe92318c3edd329b07d
        • Instruction ID: 26beca7ca8fcc2098c5f34ba191b4d88d65d21a4254215378b52510d44da9c77
        • Opcode Fuzzy Hash: 187df02b06c548eaf988eb9952c75c812548da6fb832dbe92318c3edd329b07d
        • Instruction Fuzzy Hash: E1A1F0B0A05691AFDF00FBA5D9C6A2E37A4EF0970031009BBB580DF695EB789805CF5D
        APIs
        • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0041753D
          • Part of subcall function 00417508: GetProcAddress.KERNEL32(00000000), ref: 00417521
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
        • API String ID: 1646373207-1918263038
        • Opcode ID: 7d74fa0fa542dd6a90115ec814fdc6afdb47c90297310b54933d19200431db80
        • Instruction ID: c7086d84d78b30961cf965b4812dcb75fb6d125a852e24fab665e357e8c97dd9
        • Opcode Fuzzy Hash: 7d74fa0fa542dd6a90115ec814fdc6afdb47c90297310b54933d19200431db80
        • Instruction Fuzzy Hash: 3241F77169C3486A9305AB6EAC418E67BBED7447147A0C07FB4148BBC6DB38BDC1862D
        APIs
          • Part of subcall function 0040C944: GetFileAttributesW.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C950
        • DeleteFileW.KERNEL32(00000000,00000000,004CBFFD,?,00000000,004CC040,?,?,?,00000000,0000000C,00000000,00000000), ref: 004CBC54
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: File$AttributesDelete
        • String ID: Backups.dat$Code$ExpDate$Expried$FingerPrint$LastCheckTime$LastServerDate$LastValidate$LeftDays$LicenseType$License\$OverSeat$Register.ini$Seat$Tag$license$license.dat$main$registercm-2013
        • API String ID: 2910425767-3901113137
        • Opcode ID: 81e008b5915434d74932a53c878c8fc3876c47dc80ca27d4fb7d399862ea9377
        • Instruction ID: eea1452e1ddb545e4d386a193ce17c70eb33f91d8a31fd686b54018faf68b9ff
        • Opcode Fuzzy Hash: 81e008b5915434d74932a53c878c8fc3876c47dc80ca27d4fb7d399862ea9377
        • Instruction Fuzzy Hash: B7F1E074A00209DFDB40EF95C991E9EB7B5EF45308F50817AE504BB396CB38AE458B58
        APIs
        • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00488D47
        • SelectObject.GDI32(?,?), ref: 00488D5C
        • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,00488DCC,?,?), ref: 00488DA0
        • SelectObject.GDI32(?,?), ref: 00488DBA
        • DeleteObject.GDI32(?), ref: 00488DC6
        • CreateCompatibleDC.GDI32(00000000), ref: 00488DDA
        • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00488DFB
        • SelectObject.GDI32(?,?), ref: 00488E10
        • SelectPalette.GDI32(?,2C080D4E,00000000), ref: 00488E24
        • SelectPalette.GDI32(?,?,00000000), ref: 00488E36
        • SelectPalette.GDI32(?,00000000,000000FF), ref: 00488E4B
        • SelectPalette.GDI32(?,2C080D4E,000000FF), ref: 00488E61
        • RealizePalette.GDI32(?), ref: 00488E6D
        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00488E8F
        • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00488EB1
        • SetTextColor.GDI32(?,00000000), ref: 00488EB9
        • SetBkColor.GDI32(?,00FFFFFF), ref: 00488EC7
        • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00488EF3
        • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00488F18
        • SetTextColor.GDI32(?,?), ref: 00488F22
        • SetBkColor.GDI32(?,?), ref: 00488F2C
        • SelectObject.GDI32(?,00000000), ref: 00488F3F
        • DeleteObject.GDI32(?), ref: 00488F48
        • SelectPalette.GDI32(?,00000000,00000000), ref: 00488F6A
        • DeleteDC.GDI32(?), ref: 00488F73
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
        • String ID:
        • API String ID: 3976802218-0
        • Opcode ID: 83face600e95b1db92ee050226cf0949d7f6bac1d52ec5d9064765206e6bf5b2
        • Instruction ID: afe38d66815507dd39c3d985836d01f551c8b4be3d14fe105cef71fc62ec9e8d
        • Opcode Fuzzy Hash: 83face600e95b1db92ee050226cf0949d7f6bac1d52ec5d9064765206e6bf5b2
        • Instruction Fuzzy Hash: 738196B2A00209AFDB50EE99CD85EAF77FCEB0D754F540569F618E7281C638AD008B64
        APIs
        • GetObjectW.GDI32(?,00000054,?), ref: 0048AD3B
        • GetDC.USER32(00000000), ref: 0048AD69
        • CreateCompatibleDC.GDI32(?), ref: 0048AD7A
        • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0048AD95
        • SelectObject.GDI32(?,00000000), ref: 0048ADAF
        • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0048ADD1
        • CreateCompatibleDC.GDI32(?), ref: 0048ADDF
        • SelectObject.GDI32(?), ref: 0048AE27
        • SelectPalette.GDI32(?,?,00000000), ref: 0048AE3A
        • RealizePalette.GDI32(?), ref: 0048AE43
        • SelectPalette.GDI32(?,?,00000000), ref: 0048AE4F
        • RealizePalette.GDI32(?), ref: 0048AE58
        • SetBkColor.GDI32(?), ref: 0048AE62
        • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0048AE86
        • SetBkColor.GDI32(?,00000000), ref: 0048AE90
        • SelectObject.GDI32(?,00000000), ref: 0048AEA3
        • DeleteObject.GDI32 ref: 0048AEAF
        • DeleteDC.GDI32(?), ref: 0048AEC5
        • SelectObject.GDI32(?,00000000), ref: 0048AEE0
        • DeleteDC.GDI32(00000000), ref: 0048AEFC
        • ReleaseDC.USER32(00000000,00000000), ref: 0048AF0D
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
        • String ID:
        • API String ID: 332224125-0
        • Opcode ID: 2cac4a80aba9dfe0c8de1a4a82a75e73e04a52e05a089e6a3579aa00ad204c2d
        • Instruction ID: 9c06c7dda7fcfc5ad6c4421aa6e65aa7861f55791373c489131cca595259fe26
        • Opcode Fuzzy Hash: 2cac4a80aba9dfe0c8de1a4a82a75e73e04a52e05a089e6a3579aa00ad204c2d
        • Instruction Fuzzy Hash: A5512371E40315ABEB10EBE9CC45FAFB7BCAB08704F104C6BB614F7281DAB899508B55
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID:
        • String ID: Code$ExpDate$Expried$FingerPrint$LastServerDate$LastValidate$LicenseDir$LicenseType$OverSeat$Random$Register.ini$Seat$license$main$registercm-2013$temp.dat
        • API String ID: 0-2637983748
        • Opcode ID: 66eb7d1761eca98bc82b11bc9c42932db23c991429f14d29c9c36317cb916755
        • Instruction ID: 33a7efb123719fd28a3dd8b95e7c71bd9d3de02028391c13461883df6478f167
        • Opcode Fuzzy Hash: 66eb7d1761eca98bc82b11bc9c42932db23c991429f14d29c9c36317cb916755
        • Instruction Fuzzy Hash: B7B13F347006099FD740EF69C852B9EB7B9EF88308F50847EE415AB791DB38AD058B99
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: LoadString
        • String ID: TVI
        • API String ID: 2948472770-1997888664
        • Opcode ID: 2ba87a619d2595b7eeda14a5f1e9bf5be9d789d22926bd3d65133d7928b9c6ee
        • Instruction ID: 00ade9b86a7784bfe93b308d5dbaac5f2d7195dda20df1c3ceee83e8e468aced
        • Opcode Fuzzy Hash: 2ba87a619d2595b7eeda14a5f1e9bf5be9d789d22926bd3d65133d7928b9c6ee
        • Instruction Fuzzy Hash: 8B124B35E00244EFDF11DBA9C9C5B9E7BF4AB08304F5501B6E904EB3A2D779AE419B48
        APIs
          • Part of subcall function 0048BD00: GetDC.USER32(00000000), ref: 0048BD56
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048BD6B
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048BD75
          • Part of subcall function 0048BD00: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0048A3B3,00000000,0048A43F), ref: 0048BD99
          • Part of subcall function 0048BD00: ReleaseDC.USER32(00000000,00000000), ref: 0048BDA4
        • SelectPalette.GDI32(?,?,000000FF), ref: 0048B543
        • RealizePalette.GDI32(?), ref: 0048B552
        • GetDeviceCaps.GDI32(?,0000000C), ref: 0048B564
        • GetDeviceCaps.GDI32(?,0000000E), ref: 0048B573
        • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0048B5A6
        • SetStretchBltMode.GDI32(?,00000004), ref: 0048B5B4
        • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 0048B5CC
        • SetStretchBltMode.GDI32(00000000,00000003), ref: 0048B5E9
        • CreateCompatibleDC.GDI32(00000000), ref: 0048B64A
        • SelectObject.GDI32(?,?), ref: 0048B65F
        • SelectObject.GDI32(?,00000000), ref: 0048B6BE
        • DeleteDC.GDI32(00000000), ref: 0048B6CD
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
        • String ID:
        • API String ID: 2414602066-0
        • Opcode ID: 11a5c63dcc666d555219aa18cd50f05cf95811c2cd1f03427ac667ad4593409f
        • Instruction ID: 4ea75079db86eeafe748e51e91bc2ce4348301661d69cb1802e1ce5bd15a8252
        • Opcode Fuzzy Hash: 11a5c63dcc666d555219aa18cd50f05cf95811c2cd1f03427ac667ad4593409f
        • Instruction Fuzzy Hash: 56910D75A04245AFDB50EBADC985F5EBBF8EF08304F14496AF548E7281D738E940CBA4
        APIs
          • Part of subcall function 0048BD00: GetDC.USER32(00000000), ref: 0048BD56
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048BD6B
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048BD75
          • Part of subcall function 0048BD00: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0048A3B3,00000000,0048A43F), ref: 0048BD99
          • Part of subcall function 0048BD00: ReleaseDC.USER32(00000000,00000000), ref: 0048BDA4
        • SelectPalette.GDI32(?,?,000000FF), ref: 0048B297
        • RealizePalette.GDI32(?), ref: 0048B2A6
        • GetDeviceCaps.GDI32(?,0000000C), ref: 0048B2B8
        • GetDeviceCaps.GDI32(?,0000000E), ref: 0048B2C7
        • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0048B2FA
        • SetStretchBltMode.GDI32(?,00000004), ref: 0048B308
        • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 0048B320
        • SetStretchBltMode.GDI32(00000000,00000003), ref: 0048B33D
        • CreateCompatibleDC.GDI32(00000000), ref: 0048B39E
        • SelectObject.GDI32(?,?), ref: 0048B3B3
        • SelectObject.GDI32(?,00000000), ref: 0048B412
        • DeleteDC.GDI32(00000000), ref: 0048B421
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
        • String ID:
        • API String ID: 2414602066-0
        • Opcode ID: 02695f0c5804b680e8bf96489d561046dfd432ab049a8968246fd0b6e0f79cf7
        • Instruction ID: 16b87fca996e456d442e38dc50db067db372b3eea94fbb4a62e43ac1f1d69196
        • Opcode Fuzzy Hash: 02695f0c5804b680e8bf96489d561046dfd432ab049a8968246fd0b6e0f79cf7
        • Instruction Fuzzy Hash: BB91EA71A00605AFDB50EBADC986F5EB7E8EF08704F148969F548E7292D738ED00CB94
        APIs
        • CreateCompatibleDC.GDI32(00000000), ref: 00488B7B
        • CreateCompatibleDC.GDI32(00000000), ref: 00488B85
        • GetObjectW.GDI32(?,00000018,?), ref: 00488BA5
        • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00488BBC
        • GetDC.USER32(00000000), ref: 00488BC8
        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00488BF5
        • ReleaseDC.USER32(00000000,00000000), ref: 00488C1B
        • SelectObject.GDI32(?,?), ref: 00488C36
        • SelectObject.GDI32(?,00000000), ref: 00488C45
        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00488C71
        • SelectObject.GDI32(?,00000000), ref: 00488C7F
        • SelectObject.GDI32(?,00000000), ref: 00488C8D
        • DeleteDC.GDI32(?), ref: 00488CA3
        • DeleteDC.GDI32(?), ref: 00488CAC
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
        • String ID:
        • API String ID: 644427674-0
        • Opcode ID: 806c24bca244e504280a82ee2c76bef609dce8e1bcbfd4a444282ea8ac8f3065
        • Instruction ID: 0d4f64c06a186f71b404dd2d53cb844b4a2c14f9f2be506dfc0bb3639ce36d1d
        • Opcode Fuzzy Hash: 806c24bca244e504280a82ee2c76bef609dce8e1bcbfd4a444282ea8ac8f3065
        • Instruction Fuzzy Hash: 3F411F71E00209AFEB50EBE9CD42FAFB7BCEB09704F50486EB604F7281CA7859008764
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f955eac85e4d80bcc9fac75ac4ef00d8a4cbc81919ba420b6230188277531ad3
        • Instruction ID: 1b441663d77bed767848bba8963e0e1720fa250bcef5a82c562cac141473f366
        • Opcode Fuzzy Hash: f955eac85e4d80bcc9fac75ac4ef00d8a4cbc81919ba420b6230188277531ad3
        • Instruction Fuzzy Hash: 56F16D34A00204DFDB10DFA9C585A9EB7F5AF2A314F1441ABE805AB372D738AE41DB48
        APIs
        • GetWindowDC.USER32(00000000), ref: 004BF938
        • GetClientRect.USER32(00000000,?), ref: 004BF95B
        • GetWindowRect.USER32(00000000,?), ref: 004BF96D
        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004BF983
        • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?,00000000,004BFBAF), ref: 004BF9AE
        • InflateRect.USER32(?,00000000,00000000), ref: 004BF9CC
        • GetWindowLongW.USER32(00000000,000000F0), ref: 004BF9E6
        • DrawEdge.USER32(?,?,?,00000008), ref: 004BFAE9
        • IntersectClipRect.GDI32(?,?,?,?,?), ref: 004BFB02
        • GetRgnBox.GDI32(?,?), ref: 004BFB38
        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004BFB4E
        • FillRect.USER32(?,?,00000000), ref: 004BFB8A
        • ReleaseDC.USER32(00000000,?), ref: 004BFBA9
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Rect$Window$ClipPoints$ClientDrawEdgeExcludeFillInflateIntersectLongRelease
        • String ID:
        • API String ID: 2031318930-0
        • Opcode ID: 02c7d6aaa28a1b506deb8fc21d6ff8e673a458d009f6e1a774e9b371f0e32949
        • Instruction ID: 92102b26dbb23526907a45db69a961f474fb8d5f32ad96d4ab9a02b8ec3d4bb9
        • Opcode Fuzzy Hash: 02c7d6aaa28a1b506deb8fc21d6ff8e673a458d009f6e1a774e9b371f0e32949
        • Instruction Fuzzy Hash: 14A14271E04108AFDB05DB99C885EDEB7F9AF49304F1440AAF558FB292C738AE05CB64
        APIs
          • Part of subcall function 00403408: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000,?,004CAC74,00000000,004CAD63,?,?,?,00000000,00000000,?,004D0F84), ref: 0040342E
          • Part of subcall function 0040C944: GetFileAttributesW.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C950
        • OutputDebugStringW.KERNEL32(IsUseAPI,?,00000000,004D06A6,?,?,?,?), ref: 004D063E
        • OutputDebugStringW.KERNEL32(IsUseWMI,?,00000000,004D06A6,?,?,?,?), ref: 004D064E
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: DebugFileOutputString$AttributesModuleName
        • String ID: "M$Code$IsUseAPI$IsUseWMI$N/A$Tag$license$main$registercm-2013
        • API String ID: 3707199777-817946996
        • Opcode ID: e05e54a569128ee4c4a0affdb839a15c12a1d99a30f93da555ea350bf67471a0
        • Instruction ID: 14384b7ee3e773b67e7ec7a3f2f7b99a5c868776b16f49bf8a219aaa44701a28
        • Opcode Fuzzy Hash: e05e54a569128ee4c4a0affdb839a15c12a1d99a30f93da555ea350bf67471a0
        • Instruction Fuzzy Hash: 5B516270A042059FDB04DF99D8A1B9EBBF5EB88304F10857BE504A7791DB38A945CF6C
        APIs
        • GetClassInfoW.USER32(00400000,004A0A9C,?), ref: 004A0EE2
        • RegisterClassW.USER32(004E344C), ref: 004A0EFA
          • Part of subcall function 0040821C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408261
        • SetWindowLongW.USER32(?,000000FC,?), ref: 004A0F9A
        • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 004A0FBF
        • SetClassLongW.USER32(?,000000F2,00000000), ref: 004A0FD5
        • GetSystemMenu.USER32(?,00000000,?,000000FC,?), ref: 004A0FE3
        • DeleteMenu.USER32(00000000,0000F030,00000000,?,00000000,?,000000FC,?), ref: 004A0FF2
        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?), ref: 004A0FFF
        • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?), ref: 004A1016
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Menu$ClassDelete$Long$InfoLoadMessageRegisterSendStringSystemWindow
        • String ID: TPN$pSH
        • API String ID: 2334458219-864774921
        • Opcode ID: 94ed9bf4f317dac9d07c381cb2d05b08d694bca29ad0791b5100615f7065b0b3
        • Instruction ID: 4d184f11ec7fdd6884dcd6e037d8254d8e48218c0c86b7b5b9e00d0bd4eebe3c
        • Opcode Fuzzy Hash: 94ed9bf4f317dac9d07c381cb2d05b08d694bca29ad0791b5100615f7065b0b3
        • Instruction Fuzzy Hash: 624164706442406FEB11EF79DCC5FA633A8AB19704F54457AF944EF2D3CA79AC408728
        APIs
          • Part of subcall function 00412A7C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
          • Part of subcall function 00412A7C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
          • Part of subcall function 00412A7C: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
          • Part of subcall function 00412A7C: LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,00412D8D), ref: 00412CC9
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412CFC
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412D0E
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412D14
        • GetStdHandle.KERNEL32(000000F4,00412DA8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00412D28
        • WriteFile.KERNEL32(00000000,000000F4,00412DA8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00412D2E
        • LoadStringW.USER32(00000000,0000FFEA,?,00000040), ref: 00412D52
        • MessageBoxW.USER32(00000000,?,?,00002010), ref: 00412D6C
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
        • String ID: ,SN$H,A$TPN
        • API String ID: 135118572-3547145698
        • Opcode ID: bd625d9b98a0a7a06df433bf5e0f93d5420eff34eaa205febc43da7335612ba6
        • Instruction ID: 5f1650f25f6c9bc125e37627f5d62d57eca79b4502ee9af04add75c0f3de8bee
        • Opcode Fuzzy Hash: bd625d9b98a0a7a06df433bf5e0f93d5420eff34eaa205febc43da7335612ba6
        • Instruction Fuzzy Hash: 8331B5B1644204BEE714DBA4DD82FEA77ACEB04704F5040BAB644F71D2DEB46E40876D
        APIs
        • FindWindowW.USER32(MouseZ,Magellan MSWHEEL), ref: 00409468
        • RegisterWindowMessageW.USER32(MSWHEEL_ROLLMSG), ref: 00409474
        • RegisterWindowMessageW.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 00409483
        • RegisterWindowMessageW.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 0040948F
        • SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004094A7
        • SendMessageW.USER32(00000000,?,00000000,00000000), ref: 004094CB
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Message$Window$Register$Send$Find
        • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
        • API String ID: 3569030445-3736581797
        • Opcode ID: 2751fb53e279f2334aca41324726efc0be691bd30645f4d3afd637d7b5a27103
        • Instruction ID: cd1048737af0da3b37f397480d1dfc979b9146f9204238d19d497a535efaeb4d
        • Opcode Fuzzy Hash: 2751fb53e279f2334aca41324726efc0be691bd30645f4d3afd637d7b5a27103
        • Instruction Fuzzy Hash: 141121B1245305BFE7119FA6CC41B6BB7A8EF45714F24447AF940AB2C2D6B85C41CB98
        APIs
        • BeginPaint.USER32(00000000,?), ref: 004BC6E4
          • Part of subcall function 004BBEF8: BeginPaint.USER32(00000000,?), ref: 004BBF23
          • Part of subcall function 004BBEF8: EndPaint.USER32(00000000,?,004BC05E), ref: 004BC051
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Paint$Begin
        • String ID: TVI
        • API String ID: 3787552996-1997888664
        • Opcode ID: 2ba2ff30430d528bc6185053cea646927cdbe01c2b51c160db21efe227a4b8e1
        • Instruction ID: 521d90b6e051d4fefd3c2027ddc2799d3b7b339b6042634e78cb49c1a045784c
        • Opcode Fuzzy Hash: 2ba2ff30430d528bc6185053cea646927cdbe01c2b51c160db21efe227a4b8e1
        • Instruction Fuzzy Hash: 50611271A00508AFDB05EFA9C991EEEBBF9EB49704F10447AF504E7691DB389E01CB64
        APIs
        • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004904D5
        • GetSystemMetrics.USER32(00000000), ref: 004904FA
        • GetSystemMetrics.USER32(00000001), ref: 00490505
        • GetClipBox.GDI32(?,?), ref: 00490517
        • GetDCOrgEx.GDI32(?,?), ref: 00490524
        • OffsetRect.USER32(?,?,?), ref: 0049053D
        • IntersectRect.USER32(?,?,?), ref: 0049054E
        • IntersectRect.USER32(?,?,?), ref: 00490564
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
        • String ID: EnumDisplayMonitors
        • API String ID: 362875416-2491903729
        • Opcode ID: e8bb12f0c525c1eda4cc895c968282a0e876e650603c79ce9be44681508c2962
        • Instruction ID: 57c5c6e81dc5889973ec9ba1f7259f7de1f8324325462771828850b1773c8b4b
        • Opcode Fuzzy Hash: e8bb12f0c525c1eda4cc895c968282a0e876e650603c79ce9be44681508c2962
        • Instruction Fuzzy Hash: 9C311A72A01209AEDF10DAA589859EF7BACAF49310F01453BED25E6241E738D9048FA9
        APIs
        • GetWindowLongW.USER32(00000000,000000EC), ref: 004ACE87
        • GetWindowRect.USER32(00000000,?), ref: 004ACEA2
        • GetWindowDC.USER32(00000000,00000000,?,00000000,000000EC), ref: 004ACEC2
        • GetWindowLongW.USER32(00000000,000000F0), ref: 004ACEF3
        • GetSystemMetrics.USER32(00000002), ref: 004ACF08
        • GetSystemMetrics.USER32(00000003), ref: 004ACF11
        • InflateRect.USER32(?,000000FE,000000FE), ref: 004ACF20
        • GetSysColorBrush.USER32(0000000F), ref: 004ACF4D
        • FillRect.USER32(?,?,00000000), ref: 004ACF5B
        • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,004ACFC2,?,00000000,00000000,?,00000000,000000EC), ref: 004ACF80
        • ReleaseDC.USER32(00000000,?), ref: 004ACFBC
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: RectWindow$LongMetricsSystem$BrushClipColorExcludeFillInflateRelease
        • String ID:
        • API String ID: 3669760922-0
        • Opcode ID: b5738dbbcc0f1cd0d5242e9a3d5f1a400d39b79b6864938cfc952bd8b563022a
        • Instruction ID: 9d66d09ac220f92a828ffefec6c85cf72b1476fc86ef9c1ce5c1d03d2131d1fe
        • Opcode Fuzzy Hash: b5738dbbcc0f1cd0d5242e9a3d5f1a400d39b79b6864938cfc952bd8b563022a
        • Instruction Fuzzy Hash: E6413371A00109AFDB01EAA9CD86DDFB7BDAF49314F14056AF504F7282DA38AE018768
        APIs
        • IsWindowUnicode.USER32(?), ref: 004B29C6
        • SetWindowLongW.USER32(?,000000FC,?), ref: 004B29E1
        • GetWindowLongW.USER32(?,000000F0), ref: 004B29EC
        • GetWindowLongW.USER32(?,000000F4), ref: 004B29FE
        • SetWindowLongW.USER32(?,000000F4,?), ref: 004B2A11
        • SetWindowLongW.USER32(?,000000FC,?), ref: 004B2A2A
        • GetWindowLongW.USER32(?,000000F0), ref: 004B2A35
        • GetWindowLongW.USER32(?,000000F4), ref: 004B2A47
        • SetWindowLongW.USER32(?,000000F4,?), ref: 004B2A5A
        • SetPropW.USER32(?,00000000,00000000), ref: 004B2A71
        • SetPropW.USER32(?,00000000,00000000), ref: 004B2A88
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$Long$Prop$Unicode
        • String ID:
        • API String ID: 1693715928-0
        • Opcode ID: 4468226d433bd0301ec60c2119b2e5561746ce2c39e429a74cfa05bbb2f96cb0
        • Instruction ID: 1b991acb374edd193739c1baab8095eac5f2689447c292df2641d94bbf1cb7d5
        • Opcode Fuzzy Hash: 4468226d433bd0301ec60c2119b2e5561746ce2c39e429a74cfa05bbb2f96cb0
        • Instruction Fuzzy Hash: 3E31EE75600145BBDF10DFA9DC88DDA37A8AB0D365F108626BD18DF2E2D638DD40CB68
        APIs
        • ImageList_DrawEx.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 004ADA33
        • ImageList_DrawEx.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 004ADAD4
        • SetTextColor.GDI32(00000000,00FFFFFF), ref: 004ADB21
        • SetBkColor.GDI32(00000000,00000000), ref: 004ADB29
        • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 004ADB4E
          • Part of subcall function 004AD9AC: ImageList_GetBkColor.COMCTL32(00000000,?,004ADA0D,00000000,?), ref: 004AD9C2
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ColorImageList_$Draw$Text
        • String ID: `H
        • API String ID: 2027629008-4190844569
        • Opcode ID: 37303f34c8bdad51dbcec38365a04466ab4b49959a5f10a74d41b25400b7a855
        • Instruction ID: 317df277f8f19346671695372b23265649f4c340855b0f1742a9eb3b6d830ca9
        • Opcode Fuzzy Hash: 37303f34c8bdad51dbcec38365a04466ab4b49959a5f10a74d41b25400b7a855
        • Instruction Fuzzy Hash: DF51F9716002046BDB40FF69CD82F9E37ACAF19314F50156AFA14EB286CA78EC4597A9
        APIs
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,00412D8D), ref: 00412CC9
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412CFC
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412D0E
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00412D14
        • GetStdHandle.KERNEL32(000000F4,00412DA8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00412D28
        • WriteFile.KERNEL32(00000000,000000F4,00412DA8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00412D2E
          • Part of subcall function 00412A7C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
          • Part of subcall function 00412A7C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
          • Part of subcall function 00412A7C: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
          • Part of subcall function 00412A7C: LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
        • LoadStringW.USER32(00000000,0000FFEA,?,00000040), ref: 00412D52
        • MessageBoxW.USER32(00000000,?,?,00002010), ref: 00412D6C
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
        • String ID: ,SN$H,A$TPN
        • API String ID: 135118572-3547145698
        • Opcode ID: db3e0638e0213f5a4969752519b4c06d43779a39d126e93f5c2d26995e497777
        • Instruction ID: a36de6f8be41258c96cc5c656c11b188c82894e7e72865433a7f9b0660e6e264
        • Opcode Fuzzy Hash: db3e0638e0213f5a4969752519b4c06d43779a39d126e93f5c2d26995e497777
        • Instruction Fuzzy Hash: 4731C671644204BFE714EB60DE42FEE77ACDB05714F6041BAB600E61D2DAB86E50876C
        APIs
        • RectVisible.GDI32(?,?), ref: 004BC1AC
        • SaveDC.GDI32(?), ref: 004BC1CF
        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004BC20F
        • RestoreDC.GDI32(?,004BC057), ref: 004BC23B
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Rect$ClipIntersectRestoreSaveVisible
        • String ID:
        • API String ID: 1976014923-0
        • Opcode ID: 4711b357fb44512edd3753a216ceebd1bc243029991c4cab82e4a262f956564f
        • Instruction ID: edd7c5e8bcd210b53009ec5bb4c341e7fa5cd51bf2157b51580f2b1c48bcb3da
        • Opcode Fuzzy Hash: 4711b357fb44512edd3753a216ceebd1bc243029991c4cab82e4a262f956564f
        • Instruction Fuzzy Hash: 8091D570A042489FDB04DF99C5C5BEEBBF4AF48304F1440AAE944AB392D779ED81CB64
        APIs
        • SaveDC.GDI32(?), ref: 004BC43D
          • Part of subcall function 004B47BC: GetWindowOrgEx.GDI32(?), ref: 004B47CA
          • Part of subcall function 004B47BC: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 004B47E0
        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004BC476
        • GetWindowLongW.USER32(00000000,000000EC), ref: 004BC48A
        • GetWindowLongW.USER32(00000000,000000F0), ref: 004BC4AB
        • SetRect.USER32(00000010,00000000,00000000,?,?), ref: 004BC50B
        • IntersectClipRect.GDI32(?,00000000,00000000,00000010,?), ref: 004BC57B
          • Part of subcall function 004BC374: SaveDC.GDI32(?), ref: 004BC384
          • Part of subcall function 004BC374: ExcludeClipRect.GDI32(?,?,?,?,?,00000000,004BC408,?,?), ref: 004BC3C5
          • Part of subcall function 004BC374: RestoreDC.GDI32(?,?), ref: 004BC402
        • SetRect.USER32(?,00000000,00000000,?,?), ref: 004BC59C
        • DrawEdge.USER32(?,?,00000000,00000000), ref: 004BC5AB
        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004BC5D4
        • RestoreDC.GDI32(?,?), ref: 004BC653
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Rect$ClipWindow$Intersect$LongRestoreSave$DrawEdgeExclude
        • String ID:
        • API String ID: 3997055466-0
        • Opcode ID: 03ce09718371efd3715800d22b17bcbfbb2050d87704dc706779f2e904746545
        • Instruction ID: 7d1e804c4187e36a224897998dd1483f9712322017a5392542c9d1a1fa5538ca
        • Opcode Fuzzy Hash: 03ce09718371efd3715800d22b17bcbfbb2050d87704dc706779f2e904746545
        • Instruction Fuzzy Hash: 3B71DE75A00209AFDB10DB99C9C5FDEB7F9AF49304F104196B914A7392CB38AE41DB64
        APIs
        • GetCapture.USER32 ref: 0049E441
        • GetCapture.USER32 ref: 0049E450
        • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 0049E456
        • ReleaseCapture.USER32 ref: 0049E45B
        • GetActiveWindow.USER32 ref: 0049E478
        • IsWindow.USER32(00000000), ref: 0049E4BE
        • GetActiveWindow.USER32 ref: 0049E4C7
        • SendMessageW.USER32(00000000,0000B000,00000000,00000000), ref: 0049E55D
        • SendMessageW.USER32(00000000,0000B001,00000000,00000000), ref: 0049E5CA
        • GetActiveWindow.USER32 ref: 0049E5D9
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$ActiveCaptureMessageSend$Release
        • String ID:
        • API String ID: 3054343883-0
        • Opcode ID: 79d3162e025b625b3f2c58657d4003ff1c57b1e361c36933f21b9f7315f7daaa
        • Instruction ID: d77e2d3a7c7f4e4bf64f19aba89d1aec0ad0ec67f739e26fd3bc6e7c4c82ad79
        • Opcode Fuzzy Hash: 79d3162e025b625b3f2c58657d4003ff1c57b1e361c36933f21b9f7315f7daaa
        • Instruction Fuzzy Hash: 0B615270A00244EFDB11EF66C986B9E7BF5EF45704F5544BAF400AB2A2DB789D40DB48
        APIs
        • GetWindowLongW.USER32(00000000,000000F0), ref: 0049A7BD
        • GetWindowLongW.USER32(00000000,000000EC), ref: 0049A7CF
        • GetClassLongW.USER32(00000000,000000E6), ref: 0049A7E2
        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0049A822
        • SetWindowLongW.USER32(00000000,000000EC,?), ref: 0049A836
        • SetClassLongW.USER32(00000000,000000E6,?), ref: 0049A84A
        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0049A884
        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0049A89C
        • GetSystemMenu.USER32(00000000,000000FF,00000000,000000EC,?,00000000,000000F0,00000000,?,00000000,000000EC,00000000,000000F0), ref: 0049A8AB
        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037,00000000,000000EC,?,00000000,000000F0,00000000,?,00000000,000000EC), ref: 0049A8D4
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Long$Window$ClassMessageSend$MenuSystem
        • String ID:
        • API String ID: 494549727-0
        • Opcode ID: e15f2f2472d57cefc9bbcae6fec14d07a6f342ad341ab193849953bb45b14a00
        • Instruction ID: f389430844721380c32f264ae6b3fd6fb1bf9ddb1f05504a93a2a8840b66e5e0
        • Opcode Fuzzy Hash: e15f2f2472d57cefc9bbcae6fec14d07a6f342ad341ab193849953bb45b14a00
        • Instruction Fuzzy Hash: 3741D86070420166DA01B77E8C4ABFF6E5D6FC5308F18466AB454AB2D3CA7CDC16D39B
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0042DE68
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042DE89
        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 0042DEBD
        • LeaveCriticalSection.KERNEL32(?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DEC3
        • WaitForSingleObject.KERNEL32(?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DED0
        • SetLastError.KERNEL32(000005B4,?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DEEA
        • SetLastError.KERNEL32(00000000,?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DEFD
        • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DF03
        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 0042DF1A
        • CloseHandle.KERNEL32(?,0042DF44,?,?,?,00000000,0042DF39,?,00000000,00000000,00000000,00000000), ref: 0042DF33
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CriticalErrorExchangeInterlockedLastSection$CloseCreateCurrentEnterEventHandleLeaveObjectSingleThreadWait
        • String ID:
        • API String ID: 3135347424-0
        • Opcode ID: ff1d896375ddd14abc5365b3da9a3513c058e479cef420746dddb7cbf3609cc7
        • Instruction ID: 61575e172f3a7f3c7ab0ddb9c477ef1ad7a5c290e3402839519c7c4a618876ad
        • Opcode Fuzzy Hash: ff1d896375ddd14abc5365b3da9a3513c058e479cef420746dddb7cbf3609cc7
        • Instruction Fuzzy Hash: 6E21EB71F04254AADF10EBA5DD42B6EB7F8DB04304F5584ABF944EB282CA7C9900877E
        APIs
        • GetSystemMenu.USER32(00000000,00000000), ref: 0049CCF3
        • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0049CD11
        • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0049CD1E
        • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0049CD2B
        • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0049CD38
        • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0049CD45
        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0049CD52
        • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0049CD5F
        • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0049CD7D
        • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0049CD99
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Menu$Delete$EnableItem$System
        • String ID:
        • API String ID: 3985193851-0
        • Opcode ID: 00c915f5e46cb1f40671114be2c3a96ae1e70554b11399ee766d8acd6fa921a7
        • Instruction ID: d95e9002f4c886db997a1fcb8ed6ae53c8e1023d2f581d7934c89cfc23cbc06a
        • Opcode Fuzzy Hash: 00c915f5e46cb1f40671114be2c3a96ae1e70554b11399ee766d8acd6fa921a7
        • Instruction Fuzzy Hash: 6F2150743853057AEB20DA35CECEF997FD95B04B48F1440B9B6887F2D3CAB8A940965C
        APIs
          • Part of subcall function 00455A58: RegCloseKey.ADVAPI32(10C80000,004558D4,00000001,004559D6,00000000,?,004CFCB3,00000000,004CFD34,?,00000000,004CFE86), ref: 00455A6C
          • Part of subcall function 00455B98: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00455C9D,?,00000000,00000000), ref: 00455C12
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000,00000000,004CFAFB,?,?,?,?,?,004D3524,00000000,004D388C), ref: 004CF9B7
          • Part of subcall function 00403468: QueryPerformanceCounter.KERNEL32 ref: 0040346C
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CloseCounterFolderOpenPathPerformanceQuerySpecial
        • String ID: .ShellClassInfo$480EA5B8931F267E4A7558F0111B5F71$CLSID$LocalDB6Flag$c$desktop.ini${E0224FF9-7AE3-4F9E-991A-2F004F7E3952}
        • API String ID: 2104657973-3525347970
        • Opcode ID: d9620ec36ac6bfd394fec85f9e1292dc4aa91dd649f043d67b4769e6a23abc2c
        • Instruction ID: b7d9b331e1561564fc754e9eb3742f6794eff5ded8a699b3b1204317578cc6a4
        • Opcode Fuzzy Hash: d9620ec36ac6bfd394fec85f9e1292dc4aa91dd649f043d67b4769e6a23abc2c
        • Instruction Fuzzy Hash: EC5186747006089FD750EF65D892B9EB7B5EB48304F6044BEF805A7382D73DAE098B58
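        The API bullets in these records follow one fixed shape (name.MODULE(stack slots), ref: call site, with "Part of subcall function" entries indented beneath the caller), which makes them straightforward to turn into structured records for triage. The parser below is an added example and is not part of the Joe Sandbox report or its IDA plugin; it runs on a constructed excerpt copied from the bullets on this page, names the handful of constants a reviewer would otherwise look up (CSIDL 0x23, the GWL_/GCL_ indices, the SC_ system-menu commands, the MessageBoxW type bits), and separates a function's direct calls from those inherited from listed subcalls. Two points are my assumptions about the renderer rather than documented behaviour: the argument lists are raw stack slots, so they can be longer than the API's real parameter count and must be read by index, and small negative indices appear as their low byte (000000F0 for GWL_STYLE = -16, 000000F4 for STD_ERROR_HANDLE = -12).

```python
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" bullet as the report prints it, e.g.
#   • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000), ref: 004CF9B7
#   • GetCapture.USER32 ref: 0049E441
#     • Part of subcall function 00455B98: RegOpenKeyExW.ADVAPI32(...), ref: 00455C12
_API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list              # int for recovered stack slots, None for '?'
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when listed as "Part of subcall function"


def parse_api_lines(text: str) -> list:
    """Parse the 'APIs' bullets of one function record; every other line is skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Slots are hex words; '?' means the analyser could not recover the value.
        args = [] if not raw or not raw.strip() else [
            None if a.strip() == "?" else int(a, 16) for a in raw.split(",")
        ]
        calls.append(ApiCall(
            name=m.group("name"), module=m.group("module"), args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("subcall"), 16) if m.group("subcall") else None,
        ))
    return calls


# Well-known values at specific (API, argument index) positions seen in this listing.
# Assumption: negative GWL_/GCL_/STD_ indices are rendered as their low byte.
_NAMED = {
    ("GetStdHandle", 0):            {0xF4: "STD_ERROR_HANDLE"},
    ("GetWindowLongW", 1):          {0xF0: "GWL_STYLE", 0xEC: "GWL_EXSTYLE"},
    ("SetWindowLongW", 1):          {0xF0: "GWL_STYLE", 0xEC: "GWL_EXSTYLE"},
    ("GetClassLongW", 1):           {0xE6: "GCL_STYLE"},
    ("SetClassLongW", 1):           {0xE6: "GCL_STYLE"},
    ("SHGetSpecialFolderPathW", 2): {0x23: "CSIDL_COMMON_APPDATA"},
    ("DeleteMenu", 1):              {0xF000: "SC_SIZE", 0xF020: "SC_MINIMIZE",
                                     0xF030: "SC_MAXIMIZE", 0xF120: "SC_RESTORE",
                                     0xF130: "SC_TASKLIST"},
    ("DeleteMenu", 2):              {0x0: "MF_BYCOMMAND", 0x400: "MF_BYPOSITION"},
    ("EnableMenuItem", 1):          {0xF020: "SC_MINIMIZE", 0xF030: "SC_MAXIMIZE"},
}
_MB_FLAGS = {0x10: "MB_ICONERROR", 0x2000: "MB_TASKMODAL"}  # MessageBoxW uType bits


def describe(call: ApiCall) -> str:
    """Render one call with the recognised constants named, unknown slots as '?'."""
    parts = []
    for i, a in enumerate(call.args):
        if a is None:
            parts.append("?")
        elif call.name == "MessageBoxW" and i == 3:
            names = [n for bit, n in _MB_FLAGS.items() if a & bit] or [f"0x{a:X}"]
            parts.append("|".join(names))
        else:
            parts.append(_NAMED.get((call.name, i), {}).get(a, f"0x{a:X}"))
    where = f" (via {call.subcall:08X})" if call.subcall is not None else ""
    return f"{call.module}!{call.name}({', '.join(parts)}) @ {call.ref:08X}{where}"


def summarize(calls: list) -> dict:
    """Direct calls vs. calls inherited from listed subcalls, plus the modules touched."""
    return {
        "direct": sum(1 for c in calls if c.subcall is None),
        "inherited": sum(1 for c in calls if c.subcall is not None),
        "modules": sorted({c.module for c in calls}),
    }


# Constructed excerpt: bullets copied from the records on this page.
SAMPLE = """\
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000,00000000,004CFAFB,?,?,?,?,?,004D3524,00000000,004D388C), ref: 004CF9B7
  • Part of subcall function 00455B98: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00455C9D,?,00000000,00000000), ref: 00455C12
• GetWindowLongW.USER32(00000000,000000F0), ref: 0049A7BD
• GetClassLongW.USER32(00000000,000000E6), ref: 0049A7E2
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0049CD11
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0049CD1E
• MessageBoxW.USER32(00000000,?,?,00002010), ref: 00412D6C
• GetCapture.USER32 ref: 0049E441
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(describe(c))
    print(summarize(parsed))
```

        Because the slots are positional stack reads, the decoder only names a value at the index where that API actually takes it; the same 0000F130 that is SC_TASKLIST in slot 1 of the first DeleteMenu is left raw when it merely lingers in slot 4 of the next one.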
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0042B9F9
        • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000), ref: 0042BA6B
        • EnterCriticalSection.KERNEL32(004E9E74,00000000,0042BB89), ref: 0042BA93
        • LeaveCriticalSection.KERNEL32(004E9E74,00000000,0042BB62,?,004E9E74,00000000,0042BB89), ref: 0042BB0A
        • WaitForSingleObject.KERNEL32(?,000000FF,00000000,0042BB43,?,004E9E74,00000000,0042BB62,?,004E9E74,00000000,0042BB89), ref: 0042BB26
        • EnterCriticalSection.KERNEL32(004E9E74,0042BB4A,0042BB43,?,004E9E74,00000000,0042BB62,?,004E9E74,00000000,0042BB89), ref: 0042BB3D
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
        • String ID: <PN
        • API String ID: 1504017990-4193252389
        • Opcode ID: 616336ac9c0020fbb9fde4e4a9b5b22c73cab5ac8feaa022cf873af4986cfa76
        • Instruction ID: 9443b20aeeab2f96d9992d8a114789c949be5aed6358a9623936e7c11f1a5130
        • Opcode Fuzzy Hash: 616336ac9c0020fbb9fde4e4a9b5b22c73cab5ac8feaa022cf873af4986cfa76
        • Instruction Fuzzy Hash: 8741B030B04254EFD710DF69E892E59BBF1EB09300F9581A7E850977E5C778AD00DB99
        APIs
        • MulDiv.KERNEL32(?,?,?), ref: 004B5EEF
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F09
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F37
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F4D
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F7B
        • MulDiv.KERNEL32(?,?,?), ref: 004B5F93
          • Part of subcall function 00487984: MulDiv.KERNEL32(00000000,00000048,?), ref: 00487995
        • MulDiv.KERNEL32(?), ref: 004B5FF6
        • MulDiv.KERNEL32(?), ref: 004B6020
        • MulDiv.KERNEL32(00000000), ref: 004B6046
          • Part of subcall function 004879A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 004879AD
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 52e440e2166533400f631bb549aa738d13d6b1e629f2cd9525d1c0b661bcf21f
        • Instruction ID: b73c9c362ea31a7355c4f49cfcde276da3c920a503d20eb8009e7b59bffb299d
        • Opcode Fuzzy Hash: 52e440e2166533400f631bb549aa738d13d6b1e629f2cd9525d1c0b661bcf21f
        • Instruction Fuzzy Hash: 4E5162B1604B50AFC310EB6AC885BABF7F9AF85344F04482EB5D5C7351CA79E9408B29
        APIs
        • GetDesktopWindow.USER32 ref: 004B6EC3
        • GetDCEx.USER32(?,00000000,00000402), ref: 004B6ED6
        • SelectObject.GDI32(?,00000000), ref: 004B6EF9
        • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004B6F1F
        • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004B6F41
        • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004B6F60
        • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004B6F7A
        • SelectObject.GDI32(?,?), ref: 004B6F87
        • ReleaseDC.USER32(?,?), ref: 004B6FA1
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ObjectSelect$DesktopReleaseWindow
        • String ID:
        • API String ID: 1187665388-0
        • Opcode ID: 5cdf7d3ffd94fadfd483eef8bb959c6d7f91a87d1f479697a81bdf5d5fed3883
        • Instruction ID: 004ff0a56827d61eb5354df34c93af9adc4b10ca797a72ec412b59e6fee2582d
        • Opcode Fuzzy Hash: 5cdf7d3ffd94fadfd483eef8bb959c6d7f91a87d1f479697a81bdf5d5fed3883
        • Instruction Fuzzy Hash: 3F31F9B6A00619AFDB00DEEDCD85EEFBBBDAF09704B414469B504F7241C679AD048BA4
        APIs
        • SystemParametersInfoW.USER32(0000001F,0000005C,?,00000000), ref: 004A0076
        • CreateFontIndirectW.GDI32(?), ref: 004A0083
        • GetStockObject.GDI32(0000000D), ref: 004A0096
          • Part of subcall function 004879A0: MulDiv.KERNEL32(00000000,?,00000048), ref: 004879AD
        • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 004A00BD
        • CreateFontIndirectW.GDI32(?), ref: 004A00CD
        • CreateFontIndirectW.GDI32(?), ref: 004A00E3
        • CreateFontIndirectW.GDI32(?), ref: 004A00FC
        • GetStockObject.GDI32(0000000D), ref: 004A011F
        • GetStockObject.GDI32(0000000D), ref: 004A0133
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CreateFontIndirect$ObjectStock$InfoParametersSystem
        • String ID:
        • API String ID: 2565622021-0
        • Opcode ID: 0776fa03f8224b8544b5a1109ace03f530f5b004912077ae6826c52b1357f9a5
        • Instruction ID: 54dedf420582d4181b2da3adfe7c2d59a034c96846d72afcee8b2e84bfb7a7c6
        • Opcode Fuzzy Hash: 0776fa03f8224b8544b5a1109ace03f530f5b004912077ae6826c52b1357f9a5
        • Instruction Fuzzy Hash: 8841B3306042049BDB50FB6ADD9AB9E37E4AF49304F50447BB908DB397DA78DC04CB68
        APIs
        • InsertMenuItemW.USER32(?,000000FF,000000FF,00000030), ref: 004A6012
          • Part of subcall function 004A6388: CreateMenu.USER32 ref: 004A63B3
        • GetVersion.KERNEL32(00000000,004A60C4), ref: 004A5E99
          • Part of subcall function 004A6388: CreatePopupMenu.USER32 ref: 004A63A6
        • InsertMenuW.USER32(?,000000FF,00000000,00000000,00000000), ref: 004A6085
        • InsertMenuW.USER32(?,000000FF,00000000,?,00000000), ref: 004A60A1
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Menu$Insert$Create$ItemPopupVersion
        • String ID: ,$?$`KJ
        • API String ID: 2359071979-3359517160
        • Opcode ID: 66727b5b979415396753331197a3c814777cd3031c22b8e2df5bb4afda21a7b6
        • Instruction ID: f2a88a99ef0e44ff95a4f8c9f36d06a887f2fbadaa59b62f82584f3536064026
        • Opcode Fuzzy Hash: 66727b5b979415396753331197a3c814777cd3031c22b8e2df5bb4afda21a7b6
        • Instruction Fuzzy Hash: 7F81E230A00685AFDB11EF69CA80AAEB7F5BB16304F18416BF550D7792D338EE51CB58
        APIs
        • GetThreadLocale.KERNEL32(00000000,0041493A,?,?,00000000,00000000), ref: 00414692
          • Part of subcall function 00412324: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Locale$InfoThread
        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
        • API String ID: 4232894706-2493093252
        • Opcode ID: 7db61faeaae01e81919bcb269c75940e3a4b504abe6a49e8dde41969325aa69c
        • Instruction ID: 703be39ab42d4fa64003ac936c2f4343490b4c6daea84c8ec6e43df52901141d
        • Opcode Fuzzy Hash: 7db61faeaae01e81919bcb269c75940e3a4b504abe6a49e8dde41969325aa69c
        • Instruction Fuzzy Hash: AA717F747101889BDB01FBB5D891ADF76B6EB88308F50943BB511AB286DA3CE945871C
        APIs
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,00000000,004D60AB,?,00000000,004D60EF,?,?,?,?,00000000), ref: 004D5F75
        • GetSurplusDays.REGISTER(?,?,?,00000000,004D60AB,?,00000000,004D60EF,?,?,?,?,00000000,00000000), ref: 004D5F80
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,004D60AB,?,00000000,004D60EF), ref: 004D602C
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,004D60AB,?,00000000,004D60EF), ref: 004D5FD3
          • Part of subcall function 00404FB4: CreateThread.KERNEL32(00000000,?,00404F7C,00000000,FFFFFFFF,?), ref: 00405004
        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,00000000,004D60AB,?,00000000,004D60EF,?,?,?,?,00000000), ref: 004D6084
        • PostMessageW.USER32(?,0000052C,00000001,00000000), ref: 004D609C
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CloseHandle$CreateDaysMessagePostSurplusThread
        • String ID: N/A
        • API String ID: 3316436020-2525114547
        • Opcode ID: 09d6c516cd552e474dad7d3a1451a301c2ca5e783e8777c1afbd8f5c10cd4ff6
        • Instruction ID: 88261e82a986a4890467b88b601cefeac56fdcad105a1dc9e58ecde1798e09e6
        • Opcode Fuzzy Hash: 09d6c516cd552e474dad7d3a1451a301c2ca5e783e8777c1afbd8f5c10cd4ff6
        • Instruction Fuzzy Hash: D161B830A103099FEB04EFA5C8A1B9F77A9EB85318F51853FE804A73C5DA3C59058B65
        APIs
          • Part of subcall function 00455A58: RegCloseKey.ADVAPI32(10C80000,004558D4,00000001,004559D6,00000000,?,004CFCB3,00000000,004CFD34,?,00000000,004CFE86), ref: 00455A6C
          • Part of subcall function 00455B98: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00455C9D,?,00000000,00000000), ref: 00455C12
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000,00000000,004CFE86), ref: 004CFD55
          • Part of subcall function 004560D8: RegCloseKey.ADVAPI32(00000000,00000000,0045613D,?,00000000), ref: 0045611B
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Close$FolderOpenPathSpecial
        • String ID: .ShellClassInfo$480EA5B8931F267E4A7558F0111B5F71$CLSID$LocalDB6Flag$desktop.ini${E0224FF9-7AE3-4F9E-991A-2F004F7E3952}
        • API String ID: 3637076197-677811820
        • Opcode ID: 6fb5abf29e028827cf002bbc1bac85e9345faf49b050de88e90be8ce0b1fca4b
        • Instruction ID: 918b3a06a32e50c9a49e35c309e01d572dd1ce78479d26214e5ea295d5129353
        • Opcode Fuzzy Hash: 6fb5abf29e028827cf002bbc1bac85e9345faf49b050de88e90be8ce0b1fca4b
        • Instruction Fuzzy Hash: FB5151346002089FDB50EF65D991B9E77F6EB49304F6044BAE805E7392D73C9E498B58
        APIs
        • GetClassInfoW.USER32(?,?,?), ref: 004BAA88
        • UnregisterClassW.USER32(?,?), ref: 004BAAB3
        • RegisterClassW.USER32(?), ref: 004BAAD2
        • GetWindowLongW.USER32(00000000,000000F0), ref: 004BAB0E
        • GetWindowLongW.USER32(00000000,000000F4), ref: 004BAB23
        • SetWindowLongW.USER32(00000000,000000F4,00000000), ref: 004BAB36
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ClassLongWindow$InfoRegisterUnregister
        • String ID: @
        • API String ID: 717780171-2766056989
        • Opcode ID: e2b5cbae2bd71b14f27f86a1545d9164307eb182d6ff9745fb27e2ddd699fd6e
        • Instruction ID: fd71a725764761384c1fc39b46d662ef39ab567b2811f4546cfa6bbce731f075
        • Opcode Fuzzy Hash: e2b5cbae2bd71b14f27f86a1545d9164307eb182d6ff9745fb27e2ddd699fd6e
        • Instruction Fuzzy Hash: A451C3306003149FDB20EB69CC85BDA73E8AF09308F1045BAE459E7282DB78AD44CF69
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0042B433
        • GetCurrentThreadId.KERNEL32 ref: 0042B442
          • Part of subcall function 0042B3DC: ResetEvent.KERNEL32(00000254,0042B47D), ref: 0042B3E2
        • EnterCriticalSection.KERNEL32(004E9E74), ref: 0042B487
        • InterlockedExchange.KERNEL32(004D9D94,?), ref: 0042B4A3
        • LeaveCriticalSection.KERNEL32(004E9E74,00000000,0042B5EB,?,004D9D94,?,00000000,0042B60A,?,004E9E74), ref: 0042B4FC
        • EnterCriticalSection.KERNEL32(004E9E74,0042B594,004E9E74,00000000,0042B5EB,?,004D9D94,?,00000000,0042B60A,?,004E9E74), ref: 0042B587
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
        • String ID: <PN
        • API String ID: 2189153385-4193252389
        • Opcode ID: f5b8661bba5d1c6233b8f32775328d542a66d944e60efaead852df78887e76b8
        • Instruction ID: 2107f9235c6b9ec34adea447ff4df02b38e2c1a540b9846fbd6970f2cb29fff4
        • Opcode Fuzzy Hash: f5b8661bba5d1c6233b8f32775328d542a66d944e60efaead852df78887e76b8
        • Instruction Fuzzy Hash: 7741C430B04754AFD711EF65E891A6AB7F4EF09704F9144ABF8009B292D77C9D40CA69
        APIs
        • GetMonitorInfoA.USER32(?,?), ref: 004901FD
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00490224
        • GetSystemMetrics.USER32(00000000), ref: 00490239
        • GetSystemMetrics.USER32(00000001), ref: 00490244
        • lstrcpyW.KERNEL32(?,DISPLAY), ref: 0049026E
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
        • String ID: DISPLAY$GetMonitorInfoW
        • API String ID: 1539801207-2774842281
        • Opcode ID: b3346cdbbea97296fafb614ebb99dd31dc4b8424575365dbf47f9a79a48e9c2e
        • Instruction ID: 06bd93b746cdcf1361913523d4f0f7ee7063f646e40f37399ca4edfcc83fdf0b
        • Opcode Fuzzy Hash: b3346cdbbea97296fafb614ebb99dd31dc4b8424575365dbf47f9a79a48e9c2e
        • Instruction Fuzzy Hash: 5811EE31600319AFDB208F619C89BA7BBE8EB45310F00053AEC55DB281D7B4AC04CBA8
        APIs
        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?), ref: 00404DC1
        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000,?,00000001,00404F4E,00403173,004031BA,?), ref: 00404DC7
        • GetStdHandle.KERNEL32(000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DDC
        • WriteFile.KERNEL32(00000000,000000F5,00404E14,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00404E39,?,00000000), ref: 00404DE2
        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404E00
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: FileHandleWrite$Message
        • String ID: Error$Runtime error at 00000000
        • API String ID: 1570097196-2970929446
        • Opcode ID: b9e09fdfad5755abd85d3238de91445b1049d583da806ad37d3decfb01c1f777
        • Instruction ID: 58daa97144d4e482d55ab461567c7ad963b218e1f466acc67ee02093c53baa81
        • Opcode Fuzzy Hash: b9e09fdfad5755abd85d3238de91445b1049d583da806ad37d3decfb01c1f777
        • Instruction Fuzzy Hash: 38F096A069138075E61067505C96FDA22985790F69F60437FF720F85E296FC48C4825D
        APIs
        • Sleep.KERNEL32(00000000,?,?,00000000,00401B4E), ref: 00401F72
        • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00401B4E), ref: 00401F8C
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: 026ddfe4424b8862bb5ea508dcad1ac2b5a18eb1c9df433f07595b522c479b57
        • Instruction ID: 6fc1c855a53b7638fdfde927724344da7cf1f9963f1eb0829b047a052f8b6f15
        • Opcode Fuzzy Hash: 026ddfe4424b8862bb5ea508dcad1ac2b5a18eb1c9df433f07595b522c479b57
        • Instruction Fuzzy Hash: E571E2716043408FD7159B29C9C5B2ABBD4AF85318F18827FE548AB3F2D7B88845CB5A
        APIs
        • PeekMessageW.USER32(?,00000000,00000200,0000020A,00000001), ref: 004A24B8
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004A24D0
        • IsWindowUnicode.USER32 ref: 004A24E4
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004A250B
        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004A2521
        • TranslateMessage.USER32 ref: 004A25AC
        • DispatchMessageW.USER32 ref: 004A25B9
        • DispatchMessageA.USER32 ref: 004A25C1
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
        • String ID:
        • API String ID: 2190272339-0
        • Opcode ID: 48f97378b78c14c74323410bce683d8bf4758b4eea33bf99aca62540bcb3225f
        • Instruction ID: cba9e3adfee8f4ee34f356098a068f1c77d621b207720d1cb9339dacf5a96f26
        • Opcode Fuzzy Hash: 48f97378b78c14c74323410bce683d8bf4758b4eea33bf99aca62540bcb3225f
        • Instruction Fuzzy Hash: DF31062074434035EA31362D0E52BAF66C52FB3B09F14495FF9C0672C2DBED9946A26E
        APIs
        • GetCapture.USER32 ref: 004A2276
        • IsWindowUnicode.USER32(00000000), ref: 004A22B9
        • SendMessageW.USER32(00000000,-0000BBEE,04D77480,?), ref: 004A22D4
        • SendMessageA.USER32(00000000,-0000BBEE,04D77480,?), ref: 004A22F3
        • GetWindowThreadProcessId.USER32(00000000), ref: 004A2302
        • GetWindowThreadProcessId.USER32(?,?), ref: 004A2313
        • SendMessageW.USER32(00000000,-0000BBEE,04D77480,?), ref: 004A2333
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
        • String ID:
        • API String ID: 1994056952-0
        • Opcode ID: 3be9a4472b7b608821ad60ad63960da6291405b125ad3e8e3dbe75b5b2c28e47
        • Instruction ID: 38ad978151c65801440ae158faef9e7502875018ee650d9953c2c5dbb78d0894
        • Opcode Fuzzy Hash: 3be9a4472b7b608821ad60ad63960da6291405b125ad3e8e3dbe75b5b2c28e47
        • Instruction Fuzzy Hash: F02171712046096FD620EA6DCE40FAB73DC9F27314B14446AFD59D7742DAACFC009769
        APIs
        • GetDC.USER32(00000000), ref: 004890CA
        • GetDeviceCaps.GDI32(?,00000068), ref: 004890E6
        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00489105
        • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 00489129
        • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 00489147
        • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0048915B
        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0048917B
        • ReleaseDC.USER32(00000000,?), ref: 00489193
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: EntriesPaletteSystem$CapsDeviceRelease
        • String ID:
        • API String ID: 1781840570-0
        • Opcode ID: fe0e8d78f6ecdd54a0bad73cefd17c22b87c54ed4f4ba74fed2dc700dd139e2c
        • Instruction ID: 3516ea628146eee330a9369aa4bc06b9763796a3649f7be477acb381c09ca2d3
        • Opcode Fuzzy Hash: fe0e8d78f6ecdd54a0bad73cefd17c22b87c54ed4f4ba74fed2dc700dd139e2c
        • Instruction Fuzzy Hash: 4621A6B1A00609FAEB10DBA5CD85FAE73ACEB08704F5005AAF704F61C1D6789E409B28
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 025845d9d61e1786f5c57a6eea5e24909f272c0f2c8c373da7e2e6127155694b
        • Instruction ID: 6af61f43e6ce22b0e372bb51e11ebd2a254c7ec7893bdc80cc56d31e5a5c430a
        • Opcode Fuzzy Hash: 025845d9d61e1786f5c57a6eea5e24909f272c0f2c8c373da7e2e6127155694b
        • Instruction Fuzzy Hash: 42C126727006000BD714AABD9DC976EB3869BC5325F18827FE614EB3E6DABCDC458748
        APIs
        • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,004C05BD), ref: 004C04B5
        • GetTickCount.KERNEL32 ref: 004C04BA
        • SystemParametersInfoW.USER32(00001016,00000000,?,00000000), ref: 004C0519
        • SystemParametersInfoW.USER32(00001018,00000000,00000000,00000000), ref: 004C0531
        • AnimateWindow.USER32(00000000,00000064,?), ref: 004C0576
        • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,004C05BD), ref: 004C0587
        • GetTickCount.KERNEL32 ref: 004C05A4
          • Part of subcall function 004C3D0C: GetCursorPos.USER32(?), ref: 004C3D10
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
        • String ID:
        • API String ID: 3024527889-0
        • Opcode ID: 2e1b5785c6f29ee98f1f18f9c666b4af444c511921d1fda1ed7e6c78754100a6
        • Instruction ID: 6420fddc959929e084193d73c747eb83de9cd798c4af6887e3c82209ff5dd4c1
        • Opcode Fuzzy Hash: 2e1b5785c6f29ee98f1f18f9c666b4af444c511921d1fda1ed7e6c78754100a6
        • Instruction Fuzzy Hash: C0812874A00204AFDB50EF69C885A9EBBF5AF48304F20457AF545EB362DA38ED45CB18
        APIs
          • Part of subcall function 004A3CAC: GetActiveWindow.USER32 ref: 004A3CD3
          • Part of subcall function 004A3CAC: GetLastActivePopup.USER32(?), ref: 004A3CE8
        • GetWindowRect.USER32(?,?), ref: 004A2887
        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 004A28C2
        • MessageBoxW.USER32(00000000,?,?,?), ref: 004A2901
        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,004A297A,?,00000000,004A2973), ref: 004A2954
        • SetActiveWindow.USER32(00000000,004A297A,?,00000000,004A2973), ref: 004A2965
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$Active$LastMessagePopupRect
        • String ID: (
        • API String ID: 3456420849-3887548279
        • Opcode ID: b54ef6d9c2f5a319b265a65c06451acfe832705281246b21c71696d747f4bf64
        • Instruction ID: e56f9b25b62bcb337546f0062eeb499b2f8fa45af8f81344d3d74f0843275989
        • Opcode Fuzzy Hash: b54ef6d9c2f5a319b265a65c06451acfe832705281246b21c71696d747f4bf64
        • Instruction Fuzzy Hash: A3512A75E00208AFDB04DBA8CD85FAEB7F9FB49700F544569F504EB392D678AD008B54
        APIs
        • EnumWindows.USER32(004A1320,00000000), ref: 004A144B
        • ShowWindow.USER32(?,00000000,004A1320,00000000), ref: 004A1482
        • ShowOwnedPopups.USER32(00000000,?), ref: 004A14B1
        • ShowWindow.USER32(?,00000005), ref: 004A1519
        • ShowOwnedPopups.USER32(00000000,?), ref: 004A1548
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Show$OwnedPopupsWindow$EnumWindows
        • String ID: ,lI
        • API String ID: 315437064-140425993
        • Opcode ID: c90e21120917fdab337e5d11d681d5c718c0c6c4e64063d37c73997faa584f6e
        • Instruction ID: 6f0f4a5057f1e2efaac6161588a3c624fa5c3ed1e47d2534e77243f67036fdd6
        • Opcode Fuzzy Hash: c90e21120917fdab337e5d11d681d5c718c0c6c4e64063d37c73997faa584f6e
        • Instruction Fuzzy Hash: 41416A71A006009FE720DB3CC885F9673E6ABA5329F45063BE559972F2C738AC85CB58
        APIs
        • GetMenuItemInfoW.USER32(00000000,00000000,000000FF,?), ref: 004AAC55
        • SetMenuItemInfoW.USER32(00000000,00000000,000000FF,?), ref: 004AACAD
        • DrawMenuBar.USER32(00000000), ref: 004AACBA
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Menu$InfoItem$Draw
        • String ID: ,$L|N$P
        • API String ID: 3227129158-1428255042
        • Opcode ID: 21c4fc5721ee024aac96c84a97faaa3fe2c818a108471e38b5b2f2ad5ea075ba
        • Instruction ID: 6e48032f36651ba2e3fac002ce0a03034c2e44466208ea9b874b4f43bb8a4c85
        • Opcode Fuzzy Hash: 21c4fc5721ee024aac96c84a97faaa3fe2c818a108471e38b5b2f2ad5ea075ba
        • Instruction Fuzzy Hash: AE21E130A102089FEB11DF68DC84BAAB7A8EB56324F50417AF410EB3D1D73CC854DB9A
        APIs
          • Part of subcall function 004139E0: GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00413AB6), ref: 00413A22
          • Part of subcall function 004139E0: GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00413A99,?,00000000,?,00000000,00413AB6), ref: 00413A57
          • Part of subcall function 004139E0: VerQueryValueW.VERSION(?,00413AC8,?,?,00000000,?,00000000,?,00000000,00413A99,?,00000000,?,00000000,00413AB6), ref: 00413A71
        • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 004AE5AC
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        • ImageList_Write.COMCTL32(00000000,?,00000000,004AE672), ref: 004AE63C
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: FileInfoVersion$AddressHandleImageList_ModuleProcQuerySizeValueWrite
        • String ID: ImageList_WriteEx$`SH$comctl32.dll$comctl32.dll
        • API String ID: 4063495462-250629128
        • Opcode ID: e009e52c67d60169b3d9b6b7f447eaceb6830053d7bc7bf31a8393b1f395dd1a
        • Instruction ID: a0754209a3d69aa0463abc22eda53a6ffd85aade6d676af5151b993cd0e530a6
        • Opcode Fuzzy Hash: e009e52c67d60169b3d9b6b7f447eaceb6830053d7bc7bf31a8393b1f395dd1a
        • Instruction Fuzzy Hash: 31218170700200ABD710AF779D86B2B36A8DB7A718B91053BF414DB6A3DB789D409A6D
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID:
        • String ID: `KJ
        • API String ID: 0-840051826
        • Opcode ID: f9c29d5cd35f1795b8a5ced0a22ee56ec0085fb424377a8b88c1b06880a06096
        • Instruction ID: 35da3c995cd61e8b09fc1ac05cade9ba3610a21798c0b9262c7fbbea5ce5136b
        • Opcode Fuzzy Hash: f9c29d5cd35f1795b8a5ced0a22ee56ec0085fb424377a8b88c1b06880a06096
        • Instruction Fuzzy Hash: AC116021B453495AEF206A3A4805B9B27985FB3749F0E40AFBC449B287CA7DCC07879C
        APIs
        • CoInitialize.OLE32(00000000), ref: 004C9072
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Initialize
        • String ID: SerialNumber$Tag$TzL$Win32_PhysicalMedia$\\.\PHYSICALDRIVE0$root\CIMV2
        • API String ID: 2538663250-1504190909
        • Opcode ID: 1bef88409bab9020cb0a40f889bdb0de57cb004ac3a20baa140397ed5cba40ab
        • Instruction ID: 7c6a12469fedc05b3dc7b0522fcedab9dd942989ca73d564de460bda4b887fdd
        • Opcode Fuzzy Hash: 1bef88409bab9020cb0a40f889bdb0de57cb004ac3a20baa140397ed5cba40ab
        • Instruction Fuzzy Hash: 57218739614109BFE784DA56CC4BFAFB7B9EB84704F65847FB401E3281DA789E018658
        APIs
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00490314
        • GetSystemMetrics.USER32(00000000), ref: 00490329
        • GetSystemMetrics.USER32(00000001), ref: 00490334
        • lstrcpyW.KERNEL32(?,DISPLAY), ref: 0049035E
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: System$Metrics$AddressInfoParametersProclstrcpy
        • String ID: DISPLAY$GetMonitorInfoA
        • API String ID: 2545840971-1370492664
        • Opcode ID: 7e02c2ede06fe0cf4f34f3cf4a74e437bfb82ee9740a6abdbbd3c58a03fccdc9
        • Instruction ID: 57d55fe51d4a78aec8095e27e8e63507ce0278dcf07b123ac7a8edce0c0fa8c4
        • Opcode Fuzzy Hash: 7e02c2ede06fe0cf4f34f3cf4a74e437bfb82ee9740a6abdbbd3c58a03fccdc9
        • Instruction Fuzzy Hash: 0011D0316017049FDB308F659C8ABA7BBE8FB09710F00453EED55DB691D7B4A844CBA8
        APIs
        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00490404
        • GetSystemMetrics.USER32(00000000), ref: 00490419
        • GetSystemMetrics.USER32(00000001), ref: 00490424
        • lstrcpyW.KERNEL32(?,DISPLAY), ref: 0049044E
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: System$Metrics$AddressInfoParametersProclstrcpy
        • String ID: DISPLAY$GetMonitorInfoW
        • API String ID: 2545840971-2774842281
        • Opcode ID: 8d5f11a9c73c8faf4557bfcfaaee44ba9199e98c616da42e83c9da95f93f1f58
        • Instruction ID: 4c119be610182b868a641cb34d24313b75b5703697a77f867d3f3fa80a283ab3
        • Opcode Fuzzy Hash: 8d5f11a9c73c8faf4557bfcfaaee44ba9199e98c616da42e83c9da95f93f1f58
        • Instruction Fuzzy Hash: 211190316013049FDB209F659C85BBBBBE8EB05720F00453FEE59DB681D7B4A844CBA9
        APIs
          • Part of subcall function 004892F0: GetObjectW.GDI32(?,00000004), ref: 00489307
          • Part of subcall function 004892F0: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0048932A
        • GetDC.USER32(00000000), ref: 0048A586
        • CreateCompatibleDC.GDI32(?), ref: 0048A592
        • SelectObject.GDI32(?), ref: 0048A59F
        • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0048A5F7,?,?,?,?,00000000), ref: 0048A5C3
        • SelectObject.GDI32(?,?), ref: 0048A5DD
        • DeleteDC.GDI32(?), ref: 0048A5E6
        • ReleaseDC.USER32(00000000,?), ref: 0048A5F1
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
        • String ID:
        • API String ID: 4046155103-0
        • Opcode ID: dd4679a87e34dce4baf1814bf217f7758b36bdca45d106fdf2de72d110b30b3d
        • Instruction ID: 1e1d5adbccf42e82f2c60299e86a6854f00aa14b1db2c532bfbb3da75cba85b2
        • Opcode Fuzzy Hash: dd4679a87e34dce4baf1814bf217f7758b36bdca45d106fdf2de72d110b30b3d
        • Instruction Fuzzy Hash: F4113671D446197BDB10EBE9DC51AAEB3BCEB08704F4048BBB904E7281DA789E908765
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 0042BC5B
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0042BC87
        • MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0042BC9C
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0042BCC9
        • GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0042BCD4
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
        • String ID: <PN
        • API String ID: 1797888035-4193252389
        • Opcode ID: c6f1c3174ac8a664d6155a4f76081454ea6cf2cd28cd61a554cd113d6f1dcc54
        • Instruction ID: 5dc5f1f18b89ff76ed31c8acf161f497497537cb312ba0829355f2606edd2780
        • Opcode Fuzzy Hash: c6f1c3174ac8a664d6155a4f76081454ea6cf2cd28cd61a554cd113d6f1dcc54
        • Instruction Fuzzy Hash: 2B11BE307403206BD620FB6ADCC2B5E7398EF15714F904A2FF554AB2D2DB78A841878A
        APIs
        • FillRect.USER32(?,?), ref: 0049A0D7
        • GetClientRect.USER32(00000000,?), ref: 0049A102
        • FillRect.USER32(?,?,00000000), ref: 0049A11E
          • Part of subcall function 00499FCC: CallWindowProcW.USER32(?,?,?,?,?), ref: 0049A006
        • BeginPaint.USER32(?,?), ref: 0049A196
        • GetWindowRect.USER32(?,?), ref: 0049A1C3
        • EndPaint.USER32(?,?,0049A237), ref: 0049A223
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Rect$FillPaintWindow$BeginCallClientProc
        • String ID:
        • API String ID: 901200654-0
        • Opcode ID: ef8ac4bed364f9bf2bc50fbdbb93c134a9701d012c9a7330e88b138f996a365f
        • Instruction ID: aff031373551576408aff27a41274a0cf6fa59552ab4ae57cc274e9c8c001ad1
        • Opcode Fuzzy Hash: ef8ac4bed364f9bf2bc50fbdbb93c134a9701d012c9a7330e88b138f996a365f
        • Instruction Fuzzy Hash: 28512A74A04108EFCF40DBA9C589E9DBBF8AB09314F1181BAE414EB352DB39AE41CB55
        APIs
        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004188E1
        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004188FD
        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00418936
        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004189B3
        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004189CC
        • VariantCopy.OLEAUT32(?,?), ref: 00418A01
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
        • String ID:
        • API String ID: 351091851-0
        • Opcode ID: 8bf08db057ede390c1c5f5bf486830cb963f0bdc6532ae447b0cb46f131ffaac
        • Instruction ID: 931b83a56d61bfec6e87179a05884409f0a941ad18338d760d84273e6c6a7828
        • Opcode Fuzzy Hash: 8bf08db057ede390c1c5f5bf486830cb963f0bdc6532ae447b0cb46f131ffaac
        • Instruction Fuzzy Hash: 8E51FDB590061D9BCB22DB59CC81BDAB3BCAF48314F4441DAE50CE7212DA78AFC58F65
        APIs
          • Part of subcall function 004883D8: EnterCriticalSection.KERNEL32(004EB204,00000000,004867CE,00000000,0048682D), ref: 004883E0
          • Part of subcall function 004883D8: LeaveCriticalSection.KERNEL32(004EB204,004EB204,00000000,004867CE,00000000,0048682D), ref: 004883ED
          • Part of subcall function 004883D8: EnterCriticalSection.KERNEL32(0000003C,004EB204,004EB204,00000000,004867CE,00000000,0048682D), ref: 004883F6
        • SaveDC.GDI32(?), ref: 0049C905
        • ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0049C980
        • GetStockObject.GDI32(00000004), ref: 0049C99F
        • FillRect.USER32(00000000,?,00000000), ref: 0049C9B8
        • RestoreDC.GDI32(?,?), ref: 0049CA2E
          • Part of subcall function 00486F88: GetSysColor.USER32(?), ref: 00486F92
        • SetBkColor.GDI32(00000000,00000000), ref: 0049CA03
          • Part of subcall function 00488364: FillRect.USER32(?,00000000,00000000), ref: 0048838D
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CriticalRectSection$ColorEnterFill$ClipExcludeLeaveObjectRestoreSaveStock
        • String ID:
        • API String ID: 3001281481-0
        • Opcode ID: 00d063172238897e8a190ad98876e637b7e08949b93b53a4c150c5f36985d2af
        • Instruction ID: 9f76f8c53e48e8e8f0db47c44630ecf6befd216f0d607bea2a28a0fc6ef273dc
        • Opcode Fuzzy Hash: 00d063172238897e8a190ad98876e637b7e08949b93b53a4c150c5f36985d2af
        • Instruction Fuzzy Hash: D141CB74A00208EFDB01EFA9C9D5E9E7BF9AF09304F5544BAF904A7352C638AE40DB55
        APIs
        • GetSystemMetrics.USER32(0000000B), ref: 004895EE
        • GetSystemMetrics.USER32(0000000C), ref: 004895FA
        • GetDC.USER32(00000000), ref: 00489616
        • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048963D
        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048964A
        • ReleaseDC.USER32(00000000,00000000), ref: 00489683
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CapsDeviceMetricsSystem$Release
        • String ID:
        • API String ID: 447804332-0
        • Opcode ID: 22874894e1ade0e2e350bfae6972af987804cd3969c6cec7f013bea5b5cbe7ea
        • Instruction ID: e5e7614cd92087e14a59b31f9aec5d6a3e692c04c502551e754a6c8f7a78fc82
        • Opcode Fuzzy Hash: 22874894e1ade0e2e350bfae6972af987804cd3969c6cec7f013bea5b5cbe7ea
        • Instruction Fuzzy Hash: EF315474A00604EFEB00EF95C941AAEBBB5FF49710F14896AF514BB381D6349D40CB65
        APIs
          • Part of subcall function 004898AC: GetObjectW.GDI32(?,00000054), ref: 004898C0
        • CreateCompatibleDC.GDI32(00000000), ref: 00489A22
        • SelectPalette.GDI32(?,?,00000000), ref: 00489A43
        • RealizePalette.GDI32(?), ref: 00489A4F
        • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00489A66
        • SelectPalette.GDI32(?,00000000,00000000), ref: 00489A8E
        • DeleteDC.GDI32(?), ref: 00489A97
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
        • String ID:
        • API String ID: 1221726059-0
        • Opcode ID: 1e7fc4d84c4030b9525f6490c7480866f0a257063c575499618d52d2508aee7f
        • Instruction ID: 5ac64497dc152bb8c8736e05ca02a945aacb417d8b3a3e89c7ff4e55027d31f0
        • Opcode Fuzzy Hash: 1e7fc4d84c4030b9525f6490c7480866f0a257063c575499618d52d2508aee7f
        • Instruction Fuzzy Hash: 0E118F75A006047FDB10EAE9CC41F5FB7FCAF48700F54886AB918E7281DA789D008768
        APIs
        • CreateCompatibleDC.GDI32(00000000), ref: 00489265
        • SelectObject.GDI32(00000000,00000000), ref: 0048926E
        • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,0048BD4B,?,?,?,?,0048A3B3), ref: 00489282
        • SelectObject.GDI32(00000000,00000000), ref: 0048928E
        • DeleteDC.GDI32(00000000), ref: 00489294
        • CreatePalette.GDI32 ref: 004892DB
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
        • String ID:
        • API String ID: 2515223848-0
        • Opcode ID: b47ca952f7e19f266329aa5b50a86cf4e7420bb963028384d2c9beae26a77bcd
        • Instruction ID: 598d0103953ab0653546f676710ef4cfff4cc3982fc9bb081db79eac93c5fcef
        • Opcode Fuzzy Hash: b47ca952f7e19f266329aa5b50a86cf4e7420bb963028384d2c9beae26a77bcd
        • Instruction Fuzzy Hash: 6A01846120471072E614776A8D47BBF72A88FC1718F18CD3FB585A72C2EA7C8C44539A
        APIs
        • Sleep.KERNEL32(00000000,?,00401B26), ref: 00401C0F
        • Sleep.KERNEL32(0000000A,00000000,?,00401B26), ref: 00401C25
        • Sleep.KERNEL32(00000000,?,?,?,00401B26), ref: 00401C53
        • Sleep.KERNEL32(0000000A,00000000,?,?,?,00401B26), ref: 00401C69
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: 74b3c69755249a63b65a2c4b17261f229984b0c50e856418626e7d254f6c3a0a
        • Instruction ID: 530b7c92d773d8174b8e26e7135feb423a43f7fe8485f1acb9292af8024ba5d8
        • Opcode Fuzzy Hash: 74b3c69755249a63b65a2c4b17261f229984b0c50e856418626e7d254f6c3a0a
        • Instruction Fuzzy Hash: 59C125725007918BD715CF69D8D472ABBE1BB85318F1882BFD4099F7E2D778A841CB88
        APIs
          • Part of subcall function 00487FD4: CreateBrushIndirect.GDI32(?), ref: 0048807F
        • UnrealizeObject.GDI32(00000000), ref: 00488940
        • SelectObject.GDI32(?,00000000), ref: 00488952
        • SetBkColor.GDI32(?,00000000), ref: 00488975
        • SetBkMode.GDI32(?,00000002), ref: 00488980
        • SetBkColor.GDI32(?,00000000), ref: 0048899B
        • SetBkMode.GDI32(?,00000001), ref: 004889A6
          • Part of subcall function 00486F88: GetSysColor.USER32(?), ref: 00486F92
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
        • String ID:
        • API String ID: 3527656728-0
        • Opcode ID: 703e75063ec15405bc9ffd2ecfd0340940f22c859c6754e84f09d2a7e3b43901
        • Instruction ID: 67cd8f7478b2ea350728fe4970262a4e4bd1140c82dcff5c70192a3dc1b3ac26
        • Opcode Fuzzy Hash: 703e75063ec15405bc9ffd2ecfd0340940f22c859c6754e84f09d2a7e3b43901
        • Instruction Fuzzy Hash: 5AF0C9B12441009BCF40FFAADAC6D1F67985F1430970448AAFB48EF187CE39D8108779
        APIs
        • Sleep.KERNEL32(?,00000000,004C5856), ref: 004C54D4
        • ShowWindow.USER32(00000000,00000004,?,00000000,004C5856), ref: 004C551C
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ShowSleepWindow
        • String ID: @3N
        • API String ID: 4218995503-3939786101
        • Opcode ID: 4814b75b0e370c2b62580e64d558c7d17506ffa34c572627d2e44fdcdf25d13f
        • Instruction ID: ae5cc4221319bbd81169c7bdedf57eb4659e01f80b1fabae37a825073f6295fa
        • Opcode Fuzzy Hash: 4814b75b0e370c2b62580e64d558c7d17506ffa34c572627d2e44fdcdf25d13f
        • Instruction Fuzzy Hash: 6D913D34A04644AFDB51EF69D841FAEBBF4EF49304F5104A9F504AB7A2C679AD80CB18
        APIs
        • OutputDebugStringW.KERNEL32(00000000,?,00000000,00484AB8,?,00000000,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484933
        • OutputDebugStringW.KERNEL32(00000000,?,?,00000000,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484A61
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: DebugOutputString
        • String ID: Hosts.Strings[I]=$Hosts.Strings[I]_1=$System32\drivers\etc\hosts
        • API String ID: 1166629820-4238265871
        • Opcode ID: f3b19cc179cd9fb6acf418ad387f77eb71116a6914023cd83eb71a50677d668e
        • Instruction ID: 4bd98763a2cf32c2246a2862f38a6c2adaf51f771c640f89fbe0bc45e5ec20fb
        • Opcode Fuzzy Hash: f3b19cc179cd9fb6acf418ad387f77eb71116a6914023cd83eb71a50677d668e
        • Instruction Fuzzy Hash: F9918174A0010A9FCB15EFA5C581AAEB7F5FF89314F21487AE801B7351DB38AD05CB69
        APIs
        • GetDC.USER32(00000000), ref: 0048C9A4
        • CreateHalftonePalette.GDI32(00000000,00000000), ref: 0048C9B1
        • ReleaseDC.USER32(00000000,00000000), ref: 0048C9C0
        • DeleteObject.GDI32(00000000), ref: 0048CA2E
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CreateDeleteHalftoneObjectPaletteRelease
        • String ID: (
        • API String ID: 577518360-3887548279
        • Opcode ID: 91d35fdc6f9b526f92d7d4625c5b033d44d6dae48beca93ce4156ecdab1db63a
        • Instruction ID: 8bc0549900680e0f084ede818159f18b28f6e8ddd6428cafa5b2aeadcaada148
        • Opcode Fuzzy Hash: 91d35fdc6f9b526f92d7d4625c5b033d44d6dae48beca93ce4156ecdab1db63a
        • Instruction Fuzzy Hash: DA41E470E04208EFDB14EFA8C485B9EB7F6EF45304F1045AAE404AB392D7785E45DB99
        APIs
          • Part of subcall function 0040C944: GetFileAttributesW.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C950
        • DeleteFileW.KERNEL32(00000000,?,?,00000000,004D5E1B,?,?,?,00000000,00000000,00000000,00000000), ref: 004D5D76
        • DeleteFileW.KERNEL32(00000000,?,?,00000000,004D5E1B,?,?,?,00000000,00000000,00000000,00000000), ref: 004D5DB4
        • DeleteFileW.KERNEL32(00000000,?,?,00000000,004D5E1B,?,?,?,00000000,00000000,00000000,00000000), ref: 004D5DF2
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: File$Delete$Attributes
        • String ID: Backups.dat$license.dat
        • API String ID: 890995776-1419279994
        • Opcode ID: ca181bebed8a3edb25034207a6700a4f6735b12e92222870f423636129849a56
        • Instruction ID: b9029098f5bbc98d521551207df45d6d5a4b0c167553a731c79aadad7f7835d7
        • Opcode Fuzzy Hash: ca181bebed8a3edb25034207a6700a4f6735b12e92222870f423636129849a56
        • Instruction Fuzzy Hash: 9B218571900518AFCF14FBA5C891EAE7779EF44318F50457BF840B7342DB38AE458AA8
        APIs
        • GetKeyboardLayoutNameW.USER32(00000000), ref: 004AA70A
          • Part of subcall function 00455A58: RegCloseKey.ADVAPI32(10C80000,004558D4,00000001,004559D6,00000000,?,004CFCB3,00000000,004CFD34,?,00000000,004CFE86), ref: 00455A6C
          • Part of subcall function 00455CC0: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000200,?,00000000,00455E71,?,?,?,00000000), ref: 00455D39
          • Part of subcall function 00415890: SetErrorMode.KERNEL32 ref: 0041589A
          • Part of subcall function 00415890: LoadLibraryW.KERNEL32(00000000,00000000,004158E4,?,00000000,00415902), ref: 004158C9
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        • FreeLibrary.KERNEL32(?,004AA7D9,?,00000000,004AA819,?,00000000), ref: 004AA7CC
        Strings
        • Layout File, xrefs: 004AA76B
        • KbdLayerDescriptor, xrefs: 004AA796
        • \SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 004AA74F
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Library$AddressCloseErrorFreeKeyboardLayoutLoadModeNameOpenProc
        • String ID: KbdLayerDescriptor$Layout File$\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
        • API String ID: 3365787578-2194312379
        • Opcode ID: e31dcd6024919c486ef4adf20f188074f42ffde82af79984bbb056d828cfc434
        • Instruction ID: 95de4eb44edbaad2fca504385152ad02c3650bc259fa843f9b1be0d96f8e6aba
        • Opcode Fuzzy Hash: e31dcd6024919c486ef4adf20f188074f42ffde82af79984bbb056d828cfc434
        • Instruction Fuzzy Hash: CB31B134A00608AFCB01EFA5C8519DEB7F5EB49704B60847AE400B7791D73D9D15CB19
        APIs
        • GetWindow.USER32(?,00000004), ref: 004A1330
        • GetWindowThreadProcessId.USER32(?,?), ref: 004A134D
        • GetCurrentProcessId.KERNEL32(?,00000004), ref: 004A1359
        • IsWindowVisible.USER32(?), ref: 004A13AF
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$Process$CurrentThreadVisible
        • String ID: ,lI
        • API String ID: 3926708836-140425993
        • Opcode ID: 8f4d8e5f16b448387d5499d16e01779292d4e9465715cfb7697958deafe23c89
        • Instruction ID: b1b830d04d70090a3d8c9c1f62a6a4995f5850043698df1486e0854bb1a42127
        • Opcode Fuzzy Hash: 8f4d8e5f16b448387d5499d16e01779292d4e9465715cfb7697958deafe23c89
        • Instruction Fuzzy Hash: 1A213D316002409FEA00EB59DDC6EAB33E9EB59315F14017BED449B363C738BD018BA9
        APIs
        • IsWindow.USER32(?), ref: 0042D789
        • FindWindowExW.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042D7BA
        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0042D7F3
        • GetCurrentThreadId.KERNEL32 ref: 0042D7FA
          • Part of subcall function 00408458: TlsGetValue.KERNEL32(00000016,00000016,0040312E,00000001,00404E9D,?,00000000,?,00000001,00404F4E,00403173,004031BA,?,?), ref: 0040847D
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$Thread$CurrentFindProcessValue
        • String ID: OleMainThreadWndClass
        • API String ID: 973455579-3883841218
        • Opcode ID: 51d4ed63bb5f1af0d217712a69f637d0e03076f3f8f91ad0128f3ab19db7149d
        • Instruction ID: 6ddda35cd94b70ce08ee7a4e0156e1ce277738c37126e413a43155760391f477
        • Opcode Fuzzy Hash: 51d4ed63bb5f1af0d217712a69f637d0e03076f3f8f91ad0128f3ab19db7149d
        • Instruction Fuzzy Hash: 58015631B002198ED6207B759A89BAF32949B41359F5504BFF254AF1E3EE3C4C00977E
        APIs
        • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403B96
        • RegQueryValueExW.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403BE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403BC9
        • RegCloseKey.ADVAPI32(?,00403BEC,00000000,?,00000004,00000000,00403BE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403BDF
        Strings
        Similarity
        • API ID: CloseOpenQueryValue
        • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
        • API String ID: 3677997916-4173385793
        • Opcode ID: ab8fead9dbfc8be5a9cfa21ad320998173212eae776e461072538b7a9658e150
        • Instruction ID: dab711054747aca5f836f96782ae0866479182856f3b15883cef5ba8ff8ac0dc
        • Instruction Fuzzy Hash: 4401B575904308BAEB11DF919D42FBA7BFCD709B05F600077BA00F65D0E679AA10C65C
        APIs
        • Sleep.KERNEL32(000001F4,00000000,00484C1E,?,00000000,?,00484AA6,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484BD4
        • ShellExecuteW.SHELL32(00000000,00000000,cmd.exe,00000000,00000000,00000000), ref: 00484BFC
        • Sleep.KERNEL32(00000032,000001F4,00000000,00484C1E,?,00000000,?,00484AA6,00484AF1,?,?,?,?,00000006,00000000,00000000), ref: 00484C03
        Strings
        Similarity
        • API ID: Sleep$ExecuteShell
        • String ID: cmd.exe$cmd.exe /k ipconfig /flushdns &Exit
        • API String ID: 211396117-1663092916
        • Opcode ID: 7732768c9279362782a7b5ed95787fc24643b6f0e332658a2d94e3decd7bebdf
        • Instruction ID: 2e54b28682c676568dd8c53d92ab16bf6a0f07478b456e4084e36fe42457f8e8
        • Instruction Fuzzy Hash: 63F08230385709BEE211B762CD13F9E776CD785B04F6244B7F600A65C2CABC6900896D
        APIs
        • VariantInit.OLEAUT32(?), ref: 0041DE80
        • VariantInit.OLEAUT32(?), ref: 0041DF96
          • Part of subcall function 0041F6F8: EnterCriticalSection.KERNEL32(004E9E38,?,?,?,?,?,00418ADF,?,?,?,?,00418B48,?,?,0041D811,00000000), ref: 0041F72E
          • Part of subcall function 0041F6F8: LeaveCriticalSection.KERNEL32(004E9E38,0041F7A7,?,004E9E38,?,?,?,?,?,00418ADF,?,?,?,?,00418B48,?), ref: 0041F79A
        Similarity
        • API ID: CriticalInitSectionVariant$EnterLeave
        • String ID:
        • API String ID: 2777075435-0
        • Opcode ID: 0702dcdca8b4c3746302bd64d64922d172fd6b3eceff84a1e8574045a0b82c53
        • Instruction ID: 137637a22b9947a9fa0d3c02f9ebf896357e472ffa1d4f20fcc2aec5db8deaf1
        • Instruction Fuzzy Hash: 4AB14F79A00208EFCB00DF95C5918EDBBB5EF4D714F9440A6F844A7351DB38AE86DB29
        APIs
        • MulDiv.KERNEL32(00000000,?,00000000), ref: 004990F3
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 00499182
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004991B1
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004991E0
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 00499203
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 85a9d694ce5f6077aee05332603b302f0749f55b1f85187f0f759325c61810c0
        • Instruction ID: 25d8b6c504c600aa6ea5e3d7498472b6f0a735a8b5e4fc6b3599d41822015eef
        • Instruction Fuzzy Hash: D081D970A01244EFDB05DB99C689EAEB7F5BF49304F6540FAE804EB352D734AE409B54
        APIs
          • Part of subcall function 00488364: FillRect.USER32(?,00000000,00000000), ref: 0048838D
        • CreateRectRgn.GDI32(?,?,?,?), ref: 004C4E48
        • SelectObject.GDI32(00000000,?), ref: 004C4E63
          • Part of subcall function 00487FD4: CreateBrushIndirect.GDI32(?), ref: 0048807F
        • FrameRgn.GDI32(00000000,?,00000000,00000001,00000001), ref: 004C4EB5
        • SelectObject.GDI32(00000000,?), ref: 004C4FF5
        • DeleteObject.GDI32(?), ref: 004C4FFE
        Similarity
        • API ID: Object$CreateRectSelect$BrushDeleteFillFrameIndirect
        • String ID:
        • API String ID: 3847799725-0
        • Opcode ID: 64824ff7c01a94ecbd7279ef8e46a15e877ad46e30ef8bbcb76ceb47cf3f4ade
        • Instruction ID: 0ba608d35b6021b0509e1bb96b8ddaa64ed96ac587304f09bbb94570587b162b
        • Instruction Fuzzy Hash: F071F735A0010AEFCB00EF99C984EDEB3F9BF48304F5144A9F914AB251DB75AE06DB54
        APIs
        • GetMenu.USER32(00000000), ref: 0049AECC
        • SetMenu.USER32(00000000,00000000), ref: 0049AEE9
        • SetMenu.USER32(00000000,00000000), ref: 0049AF1E
        • SetMenu.USER32(00000000,00000000), ref: 0049AF3A
          • Part of subcall function 0040821C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 00408261
        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0049AF81
        Similarity
        • API ID: Menu$LoadStringWindow
        • String ID:
        • API String ID: 1738039741-0
        • Opcode ID: d4a90ba5e96c4248a7c34c5503db1b79711cdc3764b5597ee2b20363dea478e5
        • Instruction ID: fd8e6478973e3ef964a3b1c5ad47d56531a730367e98989688dc6061f3cebb4a
        • Instruction Fuzzy Hash: 6F51AE707043005BDF61AB3A8C857AB3A98AF45308F0844BBBC459B397CE7CCC55879A
        APIs
        • CharNextW.USER32(?,?,00000000,00426382), ref: 00426240
        • CharNextW.USER32(?,?,00000000,00426382), ref: 004262E8
        • CharNextW.USER32(?,?,00000000,00426382), ref: 0042630D
        • CharNextW.USER32(00000000,?,?,00000000,00426382), ref: 00426325
        Similarity
        • API ID: CharNext
        • String ID:
        • API String ID: 3213498283-0
        • Opcode ID: 2b29c0b8304a17ca473f79ba3ea3595389fac3db87eae6e096e00fb5942365e6
        • Instruction ID: 3679f88a679007e921f5f73137257fdf8e7b2b6df05089300fe20f2a64209be5
        • Instruction Fuzzy Hash: 4B514C30B00624DFCF15EFA9D490A6D77B5EF06314F8204E6E800EB295DB38AD82CB59
        APIs
        • BeginPaint.USER32(00000000,?), ref: 004BBF23
        • SaveDC.GDI32(00000000), ref: 004BBF5C
        • ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,004BC01A,?,00000000), ref: 004BBFDE
        • RestoreDC.GDI32(00000000,00000000), ref: 004BC014
        • EndPaint.USER32(00000000,?,004BC05E), ref: 004BC051
        Similarity
        • API ID: Paint$BeginClipExcludeRectRestoreSave
        • String ID:
        • API String ID: 3808407030-0
        • Opcode ID: 9ee908b25714ce527ac4ede230d1788147849ad717bb101971921d4975bb3db7
        • Instruction ID: 197a9537d06d323d41a139841524e781a53f3f169a5e2c02d9164045e09b2c88
        • Instruction Fuzzy Hash: A2414E70A042449FDB14DBA8C995FBEBBF5FF48304F1544AAE904973A2D7789D40CB64
        APIs
        • FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497E12
        • FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497E43
        • FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497E74
        • FlatSB_SetScrollProp.COMCTL32(00000000,00000001,?,00000000,00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497EA5
        • FlatSB_SetScrollProp.COMCTL32(00000000,?,00000000,00000000,00000000,00000001,?,00000000,?,00000000,?,00497F89,?,?,?,?), ref: 00497ED3
        Similarity
        • API ID: FlatPropScroll
        • String ID:
        • API String ID: 3625857538-0
        • Opcode ID: bbf3abc0852a2dc2c8daad3ce56e7dd8ea84899ddca49796ad70c213f241d79a
        • Instruction ID: ff90d7007fdd652aaf510424150b2c5608bba45288c941575253e06b6097130c
        • Instruction Fuzzy Hash: 8C31B2B06001489FD750EF5DD885E56BBE8AF1D309F15049AB288CB363D73AEE50DBA4
        APIs
          • Part of subcall function 0042D76C: IsWindow.USER32(?), ref: 0042D789
          • Part of subcall function 0042D76C: FindWindowExW.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 0042D7BA
          • Part of subcall function 0042D76C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0042D7F3
          • Part of subcall function 0042D76C: GetCurrentThreadId.KERNEL32 ref: 0042D7FA
        • MsgWaitForMultipleObjectsEx.USER32(?,?,?,000000BF,?), ref: 0042D86E
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0042D889
        • TranslateMessage.USER32(?), ref: 0042D896
        • DispatchMessageW.USER32(?), ref: 0042D89F
        • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 0042D8CB
        Similarity
        • API ID: MessageWindow$MultipleObjectsThreadWait$CurrentDispatchFindPeekProcessTranslate
        • String ID:
        • API String ID: 2725875890-0
        • Opcode ID: e8bb21ed09c62badd5c6520bef45bb772452a79902ddc0313dbd79545f1291a0
        • Instruction ID: baef101c0684ab5cff6e3cf69e50c714cd41c034127489c3448bb63cf650b062
        • Instruction Fuzzy Hash: 99216271B00219AFDB10EEA4DC85F9F73A8EB08354F50453AFA15E7281D67DDD4087A9
        APIs
        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 0043E900
        • GetFileSizeEx.KERNEL32(000000FF,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,0043E9A7,?,00000000,80000000,00000001,00000000), ref: 0043E94D
        • GetFileSize.KERNEL32(000000FF,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,0043E9A7,?,00000000,80000000,00000001,00000000), ref: 0043E966
        • GetLastError.KERNEL32(000000FF,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,0043E9A7,?,00000000,80000000,00000001,00000000), ref: 0043E974
        • CloseHandle.KERNEL32(000000FF,0043E9AE,00000000,00000000,00000000,00000000,00000000,0043E9A7,?,00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 0043E9A1
        Similarity
        • API ID: File$Size$CloseCreateErrorHandleLast
        • String ID:
        • API String ID: 3878045067-0
        • Opcode ID: f7c99d30768562456460ef14279ec8c04ab5e6154ffa0b08746a6a4cb659166a
        • Instruction ID: 87d07eb564e42e59401691eaa800dc569116af868e78c2444f7fcc6f66e70633
        • Instruction Fuzzy Hash: AB2153B1E01205AFDB50DBEACC46BAEB7F8EF48324F104566F510E72D0D6789A408B5A
        APIs
        • GetDC.USER32(00000000), ref: 0048BD56
        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048BD6B
        • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048BD75
        • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0048A3B3,00000000,0048A43F), ref: 0048BD99
        • ReleaseDC.USER32(00000000,00000000), ref: 0048BDA4
        Similarity
        • API ID: CapsDevice$CreateHalftonePaletteRelease
        • String ID:
        • API String ID: 2404249990-0
        • Opcode ID: e91324f630cc3b4a98f9c458bbe209de991ddc2e9c5af605b388359494de99f3
        • Instruction ID: bb731ed63db1024ae30fdffd840fbb0ad3c3b42cf9eda583b4afa3260d261b39
        • Instruction Fuzzy Hash: 8E11B1216412597EDB60BF2589417EF3BD0EF51365F040A2BF8409A2C2D7BC8C91D3E9
        APIs
        • GetWindowLongW.USER32(00000000,000000EC), ref: 0049EC58
        • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0049EC8A
        • SetLayeredWindowAttributes.USER32(00000000,00000000,?,00000000,00000000,000000EC,?,?,0049BF97), ref: 0049ECC8
        • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 0049ECE1
        • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0049BF97), ref: 0049ECF7
        Similarity
        • API ID: Window$Long$AttributesLayeredRedraw
        • String ID:
        • API String ID: 1758778077-0
        • Opcode ID: 34a306a82720be10e4bc0ff5c80078a37600ba0091d5521fead509c67b5ad664
        • Instruction ID: fd7ca4e4430145941891626b202ecab781884262f203275c92e22f650ecd8395
        • Opcode Fuzzy Hash: 34a306a82720be10e4bc0ff5c80078a37600ba0091d5521fead509c67b5ad664
        • Instruction Fuzzy Hash: 041146606042A026DF51BB7B4C89F972E9C1B45315F18097ABD99EE2D3CA7CCD44C76C
        APIs
        • GetDC.USER32(00000000), ref: 004891CC
        • GetDeviceCaps.GDI32(?,00000068), ref: 004891E8
        • GetPaletteEntries.GDI32(2C080D4E,00000000,00000008,?), ref: 00489200
        • GetPaletteEntries.GDI32(2C080D4E,00000008,00000008,?), ref: 00489218
        • ReleaseDC.USER32(00000000,?), ref: 00489234
        Similarity
        • API ID: EntriesPalette$CapsDeviceRelease
        • String ID:
        • API String ID: 3128150645-0
        • Opcode ID: 814c47558ce0ea0cdbb8226500d1c10c0e4d4d5f6082bf9f721d89869bd6643e
        • Instruction ID: ef1f130394f02fe3b3b8c373684565ef2b12eafb187cbdd1fa372f4b7074ad5d
        • Opcode Fuzzy Hash: 814c47558ce0ea0cdbb8226500d1c10c0e4d4d5f6082bf9f721d89869bd6643e
        • Instruction Fuzzy Hash: 0E116B31248704BEEB00DBE59C92F7E77A8F745714F1488AEF540EA1C2CA7A5800C328
        APIs
        • GetThreadLocale.KERNEL32(?,00000000,00412793,?,?,00000000), ref: 00412714
          • Part of subcall function 00412324: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00412793,?,?,00000000), ref: 00412744
        • EnumCalendarInfoW.KERNEL32(Function_00012648,00000000,00000000,00000004,00000000,00412793,?,?,00000000), ref: 0041274F
        • GetThreadLocale.KERNEL32(00000000,00000003,Function_00012648,00000000,00000000,00000004,00000000,00412793,?,?,00000000), ref: 0041276D
        • EnumCalendarInfoW.KERNEL32(Function_00012684,00000000,00000000,00000003,Function_00012648,00000000,00000000,00000004,00000000,00412793,?,?,00000000), ref: 00412778
        Similarity
        • API ID: Locale$InfoThread$CalendarEnum
        • String ID:
        • API String ID: 4102113445-0
        • Opcode ID: ea5ed1e68738d87d6849240a51ee1399f26a6f32b2c5a564a527e4de25f0d19b
        • Instruction ID: 6c17a117f83ad6eed4f2b33b4d516e2bf9be5bd1494dbf02b5db9dc83d199b91
        • Opcode Fuzzy Hash: ea5ed1e68738d87d6849240a51ee1399f26a6f32b2c5a564a527e4de25f0d19b
        • Instruction Fuzzy Hash: 3001D4712006046BE701B6758E12FAB725CDB41728F61057AB510F66C1DABCAE11866D
        APIs
        • UnhookWindowsHookEx.USER32(00000000), ref: 004A08B3
        • SetEvent.KERNEL32(00000000,004A354A,?,004A33CF), ref: 004A08CE
        • GetCurrentThreadId.KERNEL32 ref: 004A08D3
        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,004A354A,?,004A33CF), ref: 004A08E8
        • CloseHandle.KERNEL32(00000000,00000000,004A354A,?,004A33CF), ref: 004A08F3
        Similarity
        • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
        • String ID:
        • API String ID: 2429646606-0
        • Opcode ID: 11024e9a3beb014d235df44220b26c508bfb8ffb92bb527082baffa26b771989
        • Instruction ID: 3c2a7f0f67a99dff2c69d2718541b364b480c8d6fc4a637ccb659e3f01d5dcec
        • Opcode Fuzzy Hash: 11024e9a3beb014d235df44220b26c508bfb8ffb92bb527082baffa26b771989
        • Instruction Fuzzy Hash: 26F0F871A006859BDB51BF7ADD86A4B32E5E705308B44453EA410DA2E3CB3C9440CB9D
        APIs
        • GetThreadLocale.KERNEL32(?,00000000,004129E3,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004127EB
          • Part of subcall function 00412324: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412342
        Strings
        Similarity
        • API ID: Locale$InfoThread
        • String ID: eeee$ggg$yyyy
        • API String ID: 4232894706-1253427255
        • Opcode ID: a72d6dec9f881c51b2c3d748fe5987dd0e23131fb87edebae7b64ca4e53677cf
        • Instruction ID: d6de3ed446d6b0f19bf2b14768b5d98198d9ec819dac1c1d77997311401c7bc1
        • Opcode Fuzzy Hash: a72d6dec9f881c51b2c3d748fe5987dd0e23131fb87edebae7b64ca4e53677cf
        • Instruction Fuzzy Hash: C651C370B101099BCB10EB69CA825EFB3B5EF84304F204177E445E73A1DBBC9E929A59
        APIs
        • OutputDebugStringW.KERNEL32(00000000,00000000,004C9B23,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,004D14BB), ref: 004C9A07
        • OutputDebugStringW.KERNEL32(00000000,00000000,00000000,004C9B23,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004C9A41
        Strings
        Similarity
        • API ID: DebugOutputString
        • String ID: AreaStr=$KeyAreaID=
        • API String ID: 1166629820-2418619681
        • Opcode ID: 4b5a8f900c5d65235d10b664304963473f32ecaf4f5df4820431c7fd2f76220c
        • Instruction ID: f54e7e4e246c4008911634a6e8aa6a7441db3cd551359d478c0d39e04c5c51f1
        • Opcode Fuzzy Hash: 4b5a8f900c5d65235d10b664304963473f32ecaf4f5df4820431c7fd2f76220c
        • Instruction Fuzzy Hash: 97414F38A04549BBCF54FBA5D449EAFB375EB84304B60807FE401A7785E63EAD018B5D
        APIs
        • GetCursorPos.USER32(004EB468), ref: 004B4031
        • GetCursor.USER32(004EB468), ref: 004B404D
          • Part of subcall function 004B3200: SetCapture.USER32(00000000,?,004B4061,004EB468), ref: 004B320F
        • GetDesktopWindow.USER32 ref: 004B413F
        Strings
        Similarity
        • API ID: Cursor$CaptureDesktopWindow
        • String ID: $0K
        • API String ID: 669539147-4266498501
        • Opcode ID: b9b109a74598427f505b92662bb7b47e4b1e2de49c76a22abd0ee472cbc2f101
        • Instruction ID: 9fc20347987d85a57ed1c4c75373492e8f0f57dc6b5dfb0634c675c1d96856e5
        • Opcode Fuzzy Hash: b9b109a74598427f505b92662bb7b47e4b1e2de49c76a22abd0ee472cbc2f101
        • Instruction Fuzzy Hash: EC414B70A05240CFC304DF2DE988A567BE1EB89314B15C56AD8888B3A7CB35D885CB99
        APIs
        • GetKeyState.USER32(00000011), ref: 004B3997
        • IsWindowVisible.USER32(00000000), ref: 004B3A11
          • Part of subcall function 004B392C: IsChild.USER32(00000000,00000000), ref: 004B395C
          • Part of subcall function 004B30A4: IsChild.USER32(00000000,00000000), ref: 004B30FB
        Strings
        Similarity
        • API ID: Child$StateVisibleWindow
        • String ID: 2<K$2<K
        • API String ID: 4044940347-1682517499
        • Opcode ID: 9563ca7cdac2399e2c9764e85fad77ad326eadc29c644b78558d4fe00e1e9226
        • Instruction ID: 4f23c0abd5ec66d38ff17805c78e05934f2779157d30990e1c70d38623dca1ac
        • Opcode Fuzzy Hash: 9563ca7cdac2399e2c9764e85fad77ad326eadc29c644b78558d4fe00e1e9226
        • Instruction Fuzzy Hash: 3541217590010A9BCB01DF56C4C5AEFF7B9AF09305F244166E840B73A2D774AE45CBA8
        APIs
        • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,004274D0,?,?,00421894,00000001), ref: 004273E4
        • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,004274D0,?,?,00421894,00000001), ref: 00427412
          • Part of subcall function 0040C804: CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00421894,00427452,00000000,004274D0,?,?,00421894), ref: 0040C852
          • Part of subcall function 0040CEC8: GetFullPathNameW.KERNEL32(00000000,00000104,?), ref: 0040CEE7
        • GetLastError.KERNEL32(00000000,004274D0,?,?,00421894,00000001), ref: 00427477
          • Part of subcall function 004122D4: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000), ref: 004122F3
        Strings
        Similarity
        • API ID: CreateErrorFileLast$FormatFullMessageNamePath
        • String ID: (B
        • API String ID: 503785936-2871133820
        • Opcode ID: f70a38186f6168a92c5074acd102c9e0bfe4a0a9766645588ae96c87459d5fb7
        • Instruction ID: 3e2ce87ba01ed050ef7b301bcdddd602986594e04c8ba2f6a702714a6baf1d6e
        • Opcode Fuzzy Hash: f70a38186f6168a92c5074acd102c9e0bfe4a0a9766645588ae96c87459d5fb7
        • Instruction Fuzzy Hash: 51319170B047189BDB10EFA5DC827DEBBB4AB48314F90817AE500B73C2D77D5A418B69
        APIs
          • Part of subcall function 004A2E7C: GetCursorPos.USER32 ref: 004A2E83
        • SetTimer.USER32(00000000,00000000,503B0C55,00000000), ref: 004A2FF3
        • GetCurrentThreadId.KERNEL32 ref: 004A302D
        • WaitMessage.USER32(00000000,004A3071,?,?,?,04D77480), ref: 004A3051
        Strings
        Similarity
        • API ID: CurrentCursorMessageThreadTimerWait
        • String ID: <PN
        • API String ID: 3909455694-4193252389
        • Opcode ID: 3bdc7921727f6dab475831c59cb47488c5f574fbda842d5ad3d6a058df02c2a8
        • Instruction ID: 28124adf203f4e74fa4a214f3e0f53d93982a1a27f12685111bf0c474d4d27e6
        • Opcode Fuzzy Hash: 3bdc7921727f6dab475831c59cb47488c5f574fbda842d5ad3d6a058df02c2a8
        • Instruction Fuzzy Hash: D441B430A04644EFDB11DF59D985B9E77F5EB2A304F5040BAF800A7293D7B85E40DB59
        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041041D), ref: 004103B4
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041041D), ref: 004103BA
        Strings
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID: $yyyy
        • API String ID: 3303714858-404527807
        • Opcode ID: 8cadb6c8ce63ecbfa46b302686aba0531448fbeb7e7d7444da7fc5cc9c58a64a
        • Instruction ID: fb291fd9e1cfa3423eabfe1f7445592917075637d21e9c5d0b0d4eb3d8e020c5
        • Opcode Fuzzy Hash: 8cadb6c8ce63ecbfa46b302686aba0531448fbeb7e7d7444da7fc5cc9c58a64a
        • Instruction Fuzzy Hash: BB218731A006189BDB10EF55C881ADEB3F8EF44304F5140BBF904E7795D678AE80CB69
        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040F765), ref: 0040F6FC
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040F765), ref: 0040F702
        Strings
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID: $yyyy
        • API String ID: 3303714858-404527807
        • Opcode ID: 940411bce127fb1e73b6d2411cde9fc0b86ad4d6471b46554011f930f298dee6
        • Instruction ID: f571b5096a32a33018e993cd31a9e482bca29567bd91db253968a4dd3b71db8c
        • Opcode Fuzzy Hash: 940411bce127fb1e73b6d2411cde9fc0b86ad4d6471b46554011f930f298dee6
        • Instruction Fuzzy Hash: 1B218735A005189BDB20EF55C981AAEB3B8EF08300F51407BF804F7791D738AE448B69
        APIs
        • FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,00409AD8,?,0040C031,00000000,0040C14D), ref: 00409E10
        • LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,00409AD8,?,0040C031,00000000,0040C14D), ref: 00409E27
        • LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,00409AD8,?,0040C031,00000000,0040C14D), ref: 00409E38
          • Part of subcall function 00415214: GetLastError.KERNEL32(00409E49,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,00409AD8,?,0040C031,00000000,0040C14D), ref: 00415214
        Strings
        Similarity
        • API ID: Resource$ErrorFindLastLoadLock
        • String ID: CHARTABLE
        • API String ID: 1074440638-2668339182
        • Opcode ID: eefcad1153bbfa5c389ccb0a5f44c87e570cf675153a1f5066cc443492296243
        • Instruction ID: 02e687f415c399b0b9c7332153376ccd9c1eaadc9c9960d23c279e6980aac0bf
        • Opcode Fuzzy Hash: eefcad1153bbfa5c389ccb0a5f44c87e570cf675153a1f5066cc443492296243
        • Instruction Fuzzy Hash: 1C0184B4A442008FC708EFA5ECD0A6673A5AB88328709457EE1455B793CB3CAC01CFAC
        APIs
        Strings
        Similarity
        • API ID: CreateMenu$Popup
        • String ID: 0SH$PNJ
        • API String ID: 257293969-1820970785
        • Opcode ID: ab46510de955bebcdf67c530f74e7c18410e003ce1da644840f2531b307d03b0
        • Instruction ID: e4775a6d376d05f7c1ae83344de64f1a29b54ff4a829edd6169290cd58c5c302
        • Opcode Fuzzy Hash: ab46510de955bebcdf67c530f74e7c18410e003ce1da644840f2531b307d03b0
        • Instruction Fuzzy Hash: 8CF0C070600214DFDF00EF66D5C5B5A3794AB67345F0A54BAAC459F247C77898418F39
        APIs
        Similarity
        • API ID: Capture
        • String ID:
        • API String ID: 1145282425-0
        • Opcode ID: ee329c3a1d5bc05ac0dfbe862c8f8bc12debf42980a49d00105cf9703edbe8ba
        • Instruction ID: 5a5e4dd7db217f2032cf20f74d5c6417c5d9eca40d0870dac1dbc96ab2423463
        • Opcode Fuzzy Hash: ee329c3a1d5bc05ac0dfbe862c8f8bc12debf42980a49d00105cf9703edbe8ba
        • Instruction Fuzzy Hash: 51E13B70A00204EFCB10DB59C585BEEB7F5EF58304F2441A6E444AB766C7BCAE41DBA9
        APIs
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B96A7
        • MulDiv.KERNEL32(?,?,?), ref: 004B96E2
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9a8a32ad62fa376093a6eeb03648d710f62e9af94ec845c6c827c680123077ef
        • Instruction ID: c624c34abdba7af0b075cfd58706141ed29de850a78805ebbe4b4f0dbe1a6e03
        • Opcode Fuzzy Hash: 9a8a32ad62fa376093a6eeb03648d710f62e9af94ec845c6c827c680123077ef
        • Instruction Fuzzy Hash: BAD13971A04605DFCB11CF68C584BEABBF6BF49300F248A69E9569B355CB38ED01CB61
        APIs
        • GetDesktopWindow.USER32 ref: 004B3D9D
        • GetDesktopWindow.USER32 ref: 004B3ECD
        • SetCursor.USER32(00000000), ref: 004B3F22
          • Part of subcall function 004C0968: ImageList_EndDrag.COMCTL32(?,00000000,004B453F,00000000,004B465B,?,00000000,004B46CD), ref: 004C0984
        • SetCursor.USER32(00000000), ref: 004B3F0D
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CursorDesktopWindow$DragImageList_
        • String ID:
        • API String ID: 617806055-0
        • Opcode ID: a5364175e725112c51360b67663bafb82f4a24d8ee3947c31fcbe4023cb2caa4
        • Instruction ID: a8732890cf910c803f2fa537246c15891e723a5f6156413c3988a597b6b81429
        • Opcode Fuzzy Hash: a5364175e725112c51360b67663bafb82f4a24d8ee3947c31fcbe4023cb2caa4
        • Instruction Fuzzy Hash: 8091F834A01590CFC705DF2AD8C4A967BA5EB85305F14C5AAE8448F3A7C738ED49CBA9
        APIs
          • Part of subcall function 004B3BD0: WindowFromPoint.USER32(-000000F4,?,?,004B37AA,?,-0000000C,?), ref: 004B3BD6
          • Part of subcall function 004B3BD0: GetParent.USER32(00000000), ref: 004B3BED
        • GetWindow.USER32(00000000,00000004), ref: 004B37B2
        • GetCurrentThreadId.KERNEL32 ref: 004B3889
        • EnumThreadWindows.USER32(00000000,004B3730,?), ref: 004B388F
        • GetWindowRect.USER32(00000000,?), ref: 004B38A6
          • Part of subcall function 004B2AF0: GetWindowThreadProcessId.USER32(00000000), ref: 004B2AFD
          • Part of subcall function 004B2AF0: GetCurrentProcessId.KERNEL32(?,00000000,00000000,004B470F,?,?,00000000,00000001,004B473C), ref: 004B2B06
          • Part of subcall function 004B2AF0: GlobalFindAtomW.KERNEL32(00000000,?,00000000,00000000,004B470F,?,?,00000000,00000001,004B473C), ref: 004B2B1B
          • Part of subcall function 004B2AF0: GetPropW.USER32(00000000,00000000), ref: 004B2B32
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$Thread$CurrentProcess$AtomEnumFindFromGlobalParentPointPropRectWindows
        • String ID:
        • API String ID: 349414421-0
        • Opcode ID: d44d13184c02a1f55edde3426c7de730768a02129f4587f316ba7f831408935e
        • Instruction ID: d1f3bbdca263e5cba177ab40c48ecafd562fd0baf8d62e4f4a1785abd54bb379
        • Opcode Fuzzy Hash: d44d13184c02a1f55edde3426c7de730768a02129f4587f316ba7f831408935e
        • Instruction Fuzzy Hash: 35510E74B002059FCB10DF6EC485AEEB7F4AF08345F148166E814EB352D778EE458BA9
        APIs
        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0041863F
        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041865B
        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004186D2
        • VariantClear.OLEAUT32(?), ref: 004186FB
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ArraySafe$Bound$ClearIndexVariant
        • String ID:
        • API String ID: 920484758-0
        • Opcode ID: f0295443ca770468b436d680f55c02e1520dbe5d99db19bddf092f571c061250
        • Instruction ID: ef54839c96ed99e11d4dd789d27488e0543d0cf8127073c02581cb22cc5bae1d
        • Opcode Fuzzy Hash: f0295443ca770468b436d680f55c02e1520dbe5d99db19bddf092f571c061250
        • Instruction Fuzzy Hash: 1B41FB75A0121D9FCB61DB59CC90ADAB3BDAB48714F4441DAE54CE7212DA38AFC08F58
        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
        • GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
        • LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: FileModuleName$LoadQueryStringVirtual
        • String ID:
        • API String ID: 3990497365-0
        • Opcode ID: 77955a00cab5acbf521c9f5c76ce96b01f8191e0df1b38070d82cf23f6448ddb
        • Instruction ID: 3a68ee526fa8a757da22646a69dff3aeeefd06844c58658e8450b05e0dc19dd5
        • Opcode Fuzzy Hash: 77955a00cab5acbf521c9f5c76ce96b01f8191e0df1b38070d82cf23f6448ddb
        • Instruction Fuzzy Hash: 00412070A002589FDB20DF65CD81BDAB7B9AB48304F4044FAE508E7281D7B99E94CF58
        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
        • GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
        • LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: FileModuleName$LoadQueryStringVirtual
        • String ID:
        • API String ID: 3990497365-0
        • Opcode ID: c6fd065d7e80d40f9177299679bef9015373d5c58c032573cc4104c367fbe3e9
        • Instruction ID: bbc0d5498b589010b4c2cdf7ae00b3442bcd3da6934b66cc86e45316ce2612f9
        • Opcode Fuzzy Hash: c6fd065d7e80d40f9177299679bef9015373d5c58c032573cc4104c367fbe3e9
        • Instruction Fuzzy Hash: E3413170A002589FDB20DF65CD81BDAB7F9AB48304F4044FAE508E7282D7B99E94CF58
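        The two entries above share API String ID 3990497365-0 (the same VirtualQuery / GetModuleFileNameW / LoadStringW call set) but carry different Opcode IDs, so they are two distinct code bodies with one API signature. A triage script that reads this text layout makes such relationships visible across the whole report. The following parser is an added example, written for this page; it is not part of the Joe Sandbox report or of any Joe Sandbox tooling. It assumes the bullet character and field names exactly as rendered here, and its embedded sample is an excerpt of three entries from this report (the Memory Dump Source "Associated" lines and the IDA Plugin lines were trimmed to keep the sample short).

```python
"""Parse Joe Sandbox 'Executed Functions' text entries (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Excerpt of three entries copied from the report above ("Associated:" and IDA Plugin
# lines trimmed). Entries 1 and 2 share an API String ID but have different Opcode IDs.
SAMPLE = """\
APIs
• VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
• GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
• GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
• LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
• Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: 77955a00cab5acbf521c9f5c76ce96b01f8191e0df1b38070d82cf23f6448ddb
• Instruction ID: 3a68ee526fa8a757da22646a69dff3aeeefd06844c58658e8450b05e0dc19dd5
• Opcode Fuzzy Hash: 77955a00cab5acbf521c9f5c76ce96b01f8191e0df1b38070d82cf23f6448ddb
• Instruction Fuzzy Hash: 00412070A002589FDB20DF65CD81BDAB7B9AB48304F4044FAE508E7281D7B99E94CF58
APIs
• VirtualQuery.KERNEL32(?,?,0000001C,00000000,00412C28), ref: 00412AAF
• GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00412AD3
• GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 00412AEE
• LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 00412B89
• Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: c6fd065d7e80d40f9177299679bef9015373d5c58c032573cc4104c367fbe3e9
• Instruction ID: bbc0d5498b589010b4c2cdf7ae00b3442bcd3da6934b66cc86e45316ce2612f9
• Opcode Fuzzy Hash: c6fd065d7e80d40f9177299679bef9015373d5c58c032573cc4104c367fbe3e9
• Instruction Fuzzy Hash: E3413170A002589FDB20DF65CD81BDAB7F9AB48304F4044FAE508E7282D7B99E94CF58
APIs
• GetDesktopWindow.USER32 ref: 004B3D9D
• GetDesktopWindow.USER32 ref: 004B3ECD
• SetCursor.USER32(00000000), ref: 004B3F22
  • Part of subcall function 004C0968: ImageList_EndDrag.COMCTL32(?,00000000,004B453F,00000000,004B465B,?,00000000,004B46CD), ref: 004C0984
• SetCursor.USER32(00000000), ref: 004B3F0D
• Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CursorDesktopWindow$DragImageList_
• String ID:
• API String ID: 617806055-0
• Opcode ID: a5364175e725112c51360b67663bafb82f4a24d8ee3947c31fcbe4023cb2caa4
• Instruction ID: a8732890cf910c803f2fa537246c15891e723a5f6156413c3988a597b6b81429
• Opcode Fuzzy Hash: a5364175e725112c51360b67663bafb82f4a24d8ee3947c31fcbe4023cb2caa4
• Instruction Fuzzy Hash: 8091F834A01590CFC705DF2AD8C4A967BA5EB85305F14C5AAE8448F3A7C738ED49CBA9
"""

# One API reference line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE, an optional "(args)" list, and the "ref: <address>" of the call site.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Any other bulleted "Key: value" line (Similarity fields, Source File, Snapshot File ...).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")


def parse_entries(text):
    """Split the report text on 'APIs' headers; return one dict per executed function."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "fields": {}}
            entries.append(cur)
        elif cur is None:
            continue  # text before the first entry
        elif (m := API_RE.match(line)):
            cur["apis"].append({
                "name": m["name"], "module": m["module"], "ref": m["ref"],
                "args": m["args"].split(",") if m["args"] else [],
                "subcall": m["sub"],  # None when the call sits in the function body itself
            })
        elif (m := FIELD_RE.match(line)):
            cur["fields"][m["key"].strip()] = m["val"]
    return entries


def direct_api_names(entry):
    """Imports called by the function body itself, first-seen order, subcall lines excluded."""
    names = []
    for call in entry["apis"]:
        if call["subcall"] is None and call["name"] not in names:
            names.append(call["name"])
    return names


def group_by_api_signature(entries):
    """Map API String ID -> list of Opcode IDs. More than one Opcode ID under a signature
    means distinct code bodies importing the same API set; entries with no signature are skipped."""
    groups = defaultdict(list)
    for e in entries:
        sig = e["fields"].get("API String ID", "")
        if sig:
            groups[sig].append(e["fields"].get("Opcode ID", ""))
    return dict(groups)
```

Run it over the full "Executed Functions" text of a report instead of SAMPLE to list every API String ID that maps to several Opcode IDs, and to separate calls made by a function body from those the IDA plugin attributes to its subcalls; the API names per function can then be matched against the behaviour signatures at the top of the report (keystroke, screenshot, cmd.exe) to find which function actually carries them.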
        APIs
        • GetKeyboardLayout.USER32(00000000), ref: 0049F73D
        • GetDC.USER32(00000000), ref: 0049F792
        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0049F79C
        • ReleaseDC.USER32(00000000,00000000), ref: 0049F7A7
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CapsDeviceKeyboardLayoutRelease
        • String ID:
        • API String ID: 3331096196-0
        • Opcode ID: ae676e819d8a58350b37f00f1a7c011500dbc0c5357acba48117658d05a15df7
        • Instruction ID: 0e50dc1c515a5c0578519942824b154d9f69a93411b3c06a605e374a9889affa
        • Opcode Fuzzy Hash: ae676e819d8a58350b37f00f1a7c011500dbc0c5357acba48117658d05a15df7
        • Instruction Fuzzy Hash: 5941D3B06512408FDB50EF2AD8C5B487BE5AF08318F1590BAE908DF367D779AC48CB58
        APIs
          • Part of subcall function 004883D8: EnterCriticalSection.KERNEL32(004EB204,00000000,004867CE,00000000,0048682D), ref: 004883E0
          • Part of subcall function 004883D8: LeaveCriticalSection.KERNEL32(004EB204,004EB204,00000000,004867CE,00000000,0048682D), ref: 004883ED
          • Part of subcall function 004883D8: EnterCriticalSection.KERNEL32(0000003C,004EB204,004EB204,00000000,004867CE,00000000,0048682D), ref: 004883F6
          • Part of subcall function 0048BD00: GetDC.USER32(00000000), ref: 0048BD56
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048BD6B
          • Part of subcall function 0048BD00: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0048BD75
          • Part of subcall function 0048BD00: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0048A3B3,00000000,0048A43F), ref: 0048BD99
          • Part of subcall function 0048BD00: ReleaseDC.USER32(00000000,00000000), ref: 0048BDA4
        • CreateCompatibleDC.GDI32(00000000), ref: 0048A3B5
        • SelectObject.GDI32(00000000,?), ref: 0048A3CE
        • SelectPalette.GDI32(00000000,?,000000FF), ref: 0048A3F7
        • RealizePalette.GDI32(00000000), ref: 0048A403
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
        • String ID:
        • API String ID: 979337279-0
        • Opcode ID: d8608cbb3c6ac1367ff1a9623b2d960c0842c671ef004bffb61fdf6023d6d922
        • Instruction ID: 931d0b13a3a3a967ac09fd50c8fd9f35e21caab8956807addb6f6df66f981b33
        • Opcode Fuzzy Hash: d8608cbb3c6ac1367ff1a9623b2d960c0842c671ef004bffb61fdf6023d6d922
        • Instruction Fuzzy Hash: 01313834A00618EFD704EF59C981D4EB3F5EF48714B6249AAF804AB362D778EE41DB84
        APIs
        • SetActiveWindow.USER32(?,?,004A1921,00000000,004A1E5E), ref: 004A1EC5
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ActiveWindow
        • String ID:
        • API String ID: 2558294473-0
        • Opcode ID: 106efbb0270e0b7f0fc2330f6ee5abc494369e8869267c6de6293791ecce17da
        • Instruction ID: 7d0b0dcbc82a6dd44566bc86774d09b6965cf3ff71c27d31ff77a631e5339d38
        • Opcode Fuzzy Hash: 106efbb0270e0b7f0fc2330f6ee5abc494369e8869267c6de6293791ecce17da
        • Instruction Fuzzy Hash: 3B21DD706042809BEF15EA69C8C5BD62B99BF19304F0840BAFD089F2ABD779D8458729
        APIs
        • GetMenuState.USER32(?,?,?), ref: 004AB34B
        • GetSubMenu.USER32(?,?), ref: 004AB356
        • GetMenuItemID.USER32(?,?), ref: 004AB36F
        • GetMenuStringW.USER32(?,?,?,?,?), ref: 004AB3C4
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Menu$ItemStateString
        • String ID:
        • API String ID: 306270399-0
        • Opcode ID: 46a02f2618577621b8bf29563f13cd88905e9357f51b4a76ddda491be36c3d43
        • Instruction ID: 2d7389adb3dd02aaf419ae96b9a055e1d0f371a3746d421b484ac110a3d354e7
        • Opcode Fuzzy Hash: 46a02f2618577621b8bf29563f13cd88905e9357f51b4a76ddda491be36c3d43
        • Instruction Fuzzy Hash: 74117C31600114ABCB01EE6ACC819AF77E8EF5A364B10852AFC19E7392D738DD1197A9
        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Object$Delete$IconInfo
        • String ID:
        • API String ID: 507670407-0
        • Opcode ID: 7ac5c57932b947c59996fc900266cb776351b887ea54cb9d8caa811953cf2fda
        • Instruction ID: abbe7049c94c5a389a88a2b09be1985b8cb5870bdc08318a1f019dcff3be702d
        • Opcode Fuzzy Hash: 7ac5c57932b947c59996fc900266cb776351b887ea54cb9d8caa811953cf2fda
        • Instruction Fuzzy Hash: 9811DD75A00208AFDB04EFA6D981C9EB7F9FF48310B5489AAB904E7391DA38DD019B54
        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ecb1b8fe3049f3da3c2b7e5dc223d2b087ce879ab5fae0815a721d6c035b5fac
        • Instruction ID: a521101e1e8c67093b84bd110bda90230c759d95351935f6ffaffb67e053b207
        • Opcode Fuzzy Hash: ecb1b8fe3049f3da3c2b7e5dc223d2b087ce879ab5fae0815a721d6c035b5fac
        • Instruction Fuzzy Hash: 5B0116603002082BCA64BE675D95F9B3A6DCFD2758B4040BE78599B347EDBDAD0082B8
        APIs
        • EnumWindows.USER32(Function_000A10A0), ref: 004A1181
        • GetWindow.USER32(?,00000003), ref: 004A1199
        • GetWindowLongW.USER32(00000000,000000EC), ref: 004A11A6
        • SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_000A10A0), ref: 004A11E5
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$EnumLongWindows
        • String ID:
        • API String ID: 4191631535-0
        • Opcode ID: 82643a6d10f8e77082f794da26b6ba598eddf1bd4edea24df14a70a3e58907e6
        • Instruction ID: 9d6c401ddf43c651e9616651bb04946025a250a773addf7ae606f96f96f606ef
        • Opcode Fuzzy Hash: 82643a6d10f8e77082f794da26b6ba598eddf1bd4edea24df14a70a3e58907e6
        • Instruction Fuzzy Hash: D01169317046109FDB10AA28CC85F9673E4AB19764F14427AFE98EF2E2C7789C40C769
        APIs
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B5CF9
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B5D16
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B5D33
        • MulDiv.KERNEL32(?,00000000,00000000), ref: 004B5D50
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a73ae7e50b5b92d931dc67ca7e6fd03b71e6007ba1a3c87f76c659e0672bdb27
        • Instruction ID: 60f9b19aa0cbc965ee5ae706c5c901917738c769ff494fd0f3de94a6c79fc972
        • Opcode Fuzzy Hash: a73ae7e50b5b92d931dc67ca7e6fd03b71e6007ba1a3c87f76c659e0672bdb27
        • Instruction Fuzzy Hash: D6015A2030461827CA38BD266C48F9B7AADCBC2754B44807E79199B743DDA8EC00C2B8
        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0e099f60810b3382ecd37a2e790144f79f28170f0183697018962e55118c7c76
        • Instruction ID: 6aac42ee3de146f9bbe1f8d266a2da7b34814df0a7508eb000cfb9a2228ad412
        • Opcode Fuzzy Hash: 0e099f60810b3382ecd37a2e790144f79f28170f0183697018962e55118c7c76
        • Instruction Fuzzy Hash: A20178603006082BCB64BE275D49F5B7A6DCFC2754B40817E78599B347EDBCEC0082B8
        APIs
        • FindNextFileW.KERNEL32(?,?), ref: 0040CB11
        • GetLastError.KERNEL32(?,?), ref: 0040CB1A
        • FileTimeToLocalFileTime.KERNEL32(?), ref: 0040CB30
        • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040CB3F
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: FileTime$DateErrorFindLastLocalNext
        • String ID:
        • API String ID: 2103556486-0
        • Opcode ID: 71c607c2a334299287f76437228afe618df104ac2285d659921d03c444beb358
        • Instruction ID: df99459a2ffd1a17f7394b5215d9f5aa92db4c118cc1beb2e824e67d15689660
        • Opcode Fuzzy Hash: 71c607c2a334299287f76437228afe618df104ac2285d659921d03c444beb358
        • Instruction Fuzzy Hash: 651152B26002019FDB44EF69D8C1C9777ECAF4835471586BBED44DB24AE634E9108BA5
        APIs
        • IsWindowVisible.USER32(?), ref: 004A31D0
        • GetWindowLongW.USER32(?,000000EC), ref: 004A3212
        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004A3223
        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,-00000001,04D859E0,?,004A32DD,?,?,?,04D859E0), ref: 004A324B
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Window$Long$Visible
        • String ID:
        • API String ID: 2967648141-0
        • Opcode ID: 7dbcba8573332f2c2263d6ec1b00ee363e99783f5095099e2e66482b6d1c7aa3
        • Instruction ID: 13d7c59ab94339834b3640f505856214e08bb86ce809c6d96cdef04b2a7308a1
        • Opcode Fuzzy Hash: 7dbcba8573332f2c2263d6ec1b00ee363e99783f5095099e2e66482b6d1c7aa3
        • Instruction Fuzzy Hash: DD1156316051546FD702DF68D888FB97BD8AB0D356F0441A2F888CF393D2359E40C758
        APIs
        • FindResourceW.KERNEL32(?,?,?,00421B58,?,00000001,00000000,?,00427986,00000000,?,?,?,?,?,004234E1), ref: 00427A5B
        • LoadResource.KERNEL32(?,00427AE0,?,?,?,00421B58,?,00000001,00000000,?,00427986,00000000,?), ref: 00427A75
        • SizeofResource.KERNEL32(?,00427AE0,?,00427AE0,?,?,?,00421B58,?,00000001,00000000,?,00427986,00000000,?), ref: 00427A8F
        • LockResource.KERNEL32(00427570,00000000,?,00427AE0,?,00427AE0,?,?,?,00421B58,?,00000001,00000000,?,00427986,00000000), ref: 00427A99
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Resource$FindLoadLockSizeof
        • String ID:
        • API String ID: 3473537107-0
        • Opcode ID: eb18f0d0f65cde573cbc7fce5b7fd0a8f32e1dfe2549437a02f9cdcb288e6e8d
        • Instruction ID: 2800cec3bdea44479e11638f433daa295011ca7415e39587c2c8ca13b1dd4858
        • Opcode Fuzzy Hash: eb18f0d0f65cde573cbc7fce5b7fd0a8f32e1dfe2549437a02f9cdcb288e6e8d
        • Instruction Fuzzy Hash: F5F06DB26092146F9744EF6DA981D6B73ECEE99264350006FF908D7206DA39ED01477D
        APIs
        • InterlockedCompareExchange.KERNEL32(004E7CC0,00000001,00000000), ref: 00413799
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,004E7CC0,00000001,00000000), ref: 004137B0
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137CF
        • ResetEvent.KERNEL32(00000000), ref: 004137D7
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Event$Create$CompareExchangeInterlockedReset
        • String ID:
        • API String ID: 2790937731-0
        • Opcode ID: 66e8073576b0dfb287895bd141281bd96fa22a1db0f0633ff8a22fb0ebff0a48
        • Instruction ID: 1a3235ac6eb6e9d213d548d6e8d599fb03888b02d40b6856efcb077dd6b835dd
        • Opcode Fuzzy Hash: 66e8073576b0dfb287895bd141281bd96fa22a1db0f0633ff8a22fb0ebff0a48
        • Instruction Fuzzy Hash: 81F090F13843007AFF302D124D82B7615658B90B62F24807BFA54BE2C2D6BCA984422E
        APIs
        • GetWindowThreadProcessId.USER32(00000000), ref: 004B3B7D
        • GetCurrentProcessId.KERNEL32(00000000,?,?,00000000,00000000,004B3BE8,-000000F4,?,?,004B37AA,?,-0000000C,?), ref: 004B3B86
        • GlobalFindAtomW.KERNEL32(00000000,00000000,?,?,00000000,00000000,004B3BE8,-000000F4,?,?,004B37AA,?,-0000000C,?), ref: 004B3B9B
        • GetPropW.USER32(00000000,00000000), ref: 004B3BB2
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
        • String ID:
        • API String ID: 2582817389-0
        • Opcode ID: 6352a1e930ce0bb0602465a6bca1bc69190aa100fdee18d8e0569e701ec9be0b
        • Instruction ID: 3b3c56941f8053ef37143aafaa55dda15ae9d83f7462aedc324e138bdcb5359c
        • Opcode Fuzzy Hash: 6352a1e930ce0bb0602465a6bca1bc69190aa100fdee18d8e0569e701ec9be0b
        • Instruction Fuzzy Hash: 29F0A7512065211696317B775D81DFF235CCE00719B44413BF840D619BDB2CDD4181BE
        APIs
        • GetCurrentThreadId.KERNEL32 ref: 004A0848
        • SetWindowsHookExW.USER32(00000003,004A07EC,00000000,00000000), ref: 004A0858
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,004A3B2F), ref: 004A0873
        • CreateThread.KERNEL32(00000000,000003E8,004A0790,00000000,00000000), ref: 004A0898
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CreateThread$CurrentEventHookWindows
        • String ID:
        • API String ID: 1195359707-0
        • Opcode ID: 48fdd4a98f99bc403a5e468971fb7e78e3d104f06c9e98a4b1e3f53890e95afd
        • Instruction ID: dc1c702207c42e3f6e5d778917c7dfd0e5d4e7586d99660546057379b51d6dee
        • Opcode Fuzzy Hash: 48fdd4a98f99bc403a5e468971fb7e78e3d104f06c9e98a4b1e3f53890e95afd
        • Instruction Fuzzy Hash: 8DF01DB0780385AEF721AB56DC87F673295D715B05F51407EF6406E2E3C7B818808B9D
        APIs
        • GetWindowThreadProcessId.USER32(00000000), ref: 004B2AFD
        • GetCurrentProcessId.KERNEL32(?,00000000,00000000,004B470F,?,?,00000000,00000001,004B473C), ref: 004B2B06
        • GlobalFindAtomW.KERNEL32(00000000,?,00000000,00000000,004B470F,?,?,00000000,00000001,004B473C), ref: 004B2B1B
        • GetPropW.USER32(00000000,00000000), ref: 004B2B32
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
        • String ID:
        • API String ID: 2582817389-0
        • Opcode ID: 2ebc9c9cbb76396257d06ef7f5d78a7d60f1b2f97a24d95e26c34d66c4c5e6dc
        • Instruction ID: c696f3c397516c97cc2b906dd0fc848faf73d990f42ff1d35b6d839c3d3f81c6
        • Opcode Fuzzy Hash: 2ebc9c9cbb76396257d06ef7f5d78a7d60f1b2f97a24d95e26c34d66c4c5e6dc
        • Instruction Fuzzy Hash: B3F06C5170566156DA287F7A5EC1CA763ACCA04358300053FF941EB253DD7CEC5182FD
        APIs
        • GetDC.USER32(00000000), ref: 0048D431
        • SelectObject.GDI32(00000000,058A00B4), ref: 0048D443
        • GetTextMetricsW.GDI32(00000000), ref: 0048D44E
        • ReleaseDC.USER32(00000000,00000000), ref: 0048D45F
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: MetricsObjectReleaseSelectText
        • String ID:
        • API String ID: 2013942131-0
        • Opcode ID: c2a09c62dd21e4e45928fe09b53546ccad18d775b3ae35926fdbb0b3f632bda0
        • Instruction ID: 5e3e9e7ff3da876f96efa7ed21b7234ee89ff8d46f0238890b79e116bdc69728
        • Opcode Fuzzy Hash: c2a09c62dd21e4e45928fe09b53546ccad18d775b3ae35926fdbb0b3f632bda0
        • Instruction Fuzzy Hash: 8FE04F21A0767122E51171665D92BDF27588F02AA5F08063BFD44AA2D2DA2DDD01C3FA
        APIs
        • GetActiveWindow.USER32 ref: 00497146
        • EnumWindows.USER32(Function_00097108), ref: 0049715F
        • GetCurrentThreadId.KERNEL32 ref: 0049716E
        • EnumThreadWindows.USER32(00000000,Function_000970E8), ref: 00497174
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: EnumThreadWindows$ActiveCurrentWindow
        • String ID:
        • API String ID: 1202916826-0
        • Opcode ID: 704f860cfa253c58028bd934d66f2484e1b4fa1257fb5aad57a06fb963c8aaf1
        • Instruction ID: 0184d50eb068e527ec441009c0707d9f9262b39153b59ec1395f79f53a7c20e2
        • Opcode Fuzzy Hash: 704f860cfa253c58028bd934d66f2484e1b4fa1257fb5aad57a06fb963c8aaf1
        • Instruction Fuzzy Hash: 7AE0865036D3406BD600637A5E47A6E6DC8CAC67A4F14443FB4D4A63C1DD3D4804633F
        APIs
        • MessageBoxA.USER32(00000000,?,00401594,00002010), ref: 00402DED
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Message
        • String ID: $7
        • API String ID: 2030045667-2388253531
        • Opcode ID: 96b1cf6df2fba8618b4ea3dbae94d9dd7a20105384aa3c092deb172429444f87
        • Instruction ID: 8a297914933e4dd4996b0970b08d93284b8050a4d9d3eb52ab9f4c535b60254e
        • Opcode Fuzzy Hash: 96b1cf6df2fba8618b4ea3dbae94d9dd7a20105384aa3c092deb172429444f87
        • Instruction Fuzzy Hash: 82B19130B042548BDB61EB2DDD88B9977E4BB09304F1441F6E449EB3C2DBB89D86CB59
        APIs
        • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?), ref: 004BCF5E
        • ActivateKeyboardLayout.USER32(?,00000001), ref: 004BCFC7
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ActivateCompareKeyboardLayoutString
        • String ID: L|N
        • API String ID: 1445940216-2486171611
        • Opcode ID: a5e16ef5d30e2b29a948926668e4469f540c190c73639016ad4e1f900d0b2a82
        • Instruction ID: 0618c8e373bd1c7b6695478c2d7eae3cf8078688e4cd63dcd4c92a7b80f122fe
        • Opcode Fuzzy Hash: a5e16ef5d30e2b29a948926668e4469f540c190c73639016ad4e1f900d0b2a82
        • Instruction Fuzzy Hash: BC415E307002459FDB11DB25C8C6BAAB7E6EF85704F5440BAE4009B3A2DB78ED85CA69
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CreateInstance
        • String ID: 4YL
        • API String ID: 542301482-3358621688
        • Opcode ID: 0e6d5dd96274d3e78c1943d1051500dde41d9131479854e09a88cc757d8d9535
        • Instruction ID: a21d8510594f9bddce5fd5435df31d3fc988b9de3c8f9f2b61fea05f3b077140
        • Opcode Fuzzy Hash: 0e6d5dd96274d3e78c1943d1051500dde41d9131479854e09a88cc757d8d9535
        • Instruction Fuzzy Hash: D8317078A106049BDB40EB59C891FAE77F8EF48704F55406BF901BB382DA7CAE418B59
        APIs
        • CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?), ref: 004BD0C6
        • ActivateKeyboardLayout.USER32(?,00000001,00000400,00000001,00000000,?,00000000,?), ref: 004BD0DF
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ActivateCompareKeyboardLayoutString
        • String ID: L|N
        • API String ID: 1445940216-2486171611
        • Opcode ID: 4815c8c6daaaf8111ac503a221fd2e8268f05fd3d962384fc1b33008b0d5226d
        • Instruction ID: 10f55ada3546a5b4c708f3d874ed1b55358ec2d3b75341d337ac26ed9561013e
        • Opcode Fuzzy Hash: 4815c8c6daaaf8111ac503a221fd2e8268f05fd3d962384fc1b33008b0d5226d
        • Instruction Fuzzy Hash: 1F31A730E002049FDB11EB69C986B9B77F9DF85708F5440B6E800AB396E779ED45CA68
        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041041D), ref: 004103B4
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041041D), ref: 004103BA
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID:
        • API String ID: 3303714858-3916222277
        • Opcode ID: 59a56b7e44cb5acf66beac94fab5d37111c30fe0a1b6fed782a3f8166b980204
        • Instruction ID: 9e75e496f70bc0620bea66d1a61d2f6bd08986be2366226718d4f5bffe882f19
        • Opcode Fuzzy Hash: 59a56b7e44cb5acf66beac94fab5d37111c30fe0a1b6fed782a3f8166b980204
        • Instruction Fuzzy Hash: 4D21B931A046589FDB11EF64C891AEEB7F4EF45300F4140ABF944E7391D678AE80CBA9
        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040F765), ref: 0040F6FC
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040F765), ref: 0040F702
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID:
        • API String ID: 3303714858-3916222277
        • Opcode ID: 1bdb8746958693bfc4f8290078a6c9b774663f21896c83c8276edaf8d3fe4967
        • Instruction ID: 0356c73e5d58ef0bb17c99407289dbebe349bfa67112d577581cda1f180c5b84
        • Opcode Fuzzy Hash: 1bdb8746958693bfc4f8290078a6c9b774663f21896c83c8276edaf8d3fe4967
        • Instruction Fuzzy Hash: A521A735A046549FCB21EB64C891AAEB7B4EF09300F1540BBF844F76D1D638AE44CB6A
        APIs
        • RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,00455B88,?,?,00000000,00000000), ref: 00455B33
        • RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,00455B88,?,?,00000000,00000000), ref: 00455B47
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CloseCreate
        • String ID: `XE
        • API String ID: 2932200918-3275911281
        • Opcode ID: 216c254adf01bb84135661f305e1aa449d3aea7ac78ceaf18056b2a3f255b23f
        • Instruction ID: 0c1f6fbad9d438d6e6ae3febd0bc9c9b61393a2682ab208738782c9802d54ff2
        • Opcode Fuzzy Hash: 216c254adf01bb84135661f305e1aa449d3aea7ac78ceaf18056b2a3f255b23f
        • Instruction Fuzzy Hash: 72219371B40608AFD701EBA5CD62FAEB7ECDB44304F60007AF900E72D2DB79AE049659
        APIs
        • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 004AA68A
        • DrawMenuBar.USER32(00000000), ref: 004AA69B
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: DrawMenuMessageSend
        • String ID: PNJ
        • API String ID: 2625368238-1796095399
        • Opcode ID: 616af85ff2ea65dbbb5090c76a9e527e472ddee0cc3ba19c7a1cc49079a9eaf8
        • Instruction ID: ba86c77281070be63b2944eaaaf2ca0b1d5d411862843a2698a1659b236e3ad2
        • Opcode Fuzzy Hash: 616af85ff2ea65dbbb5090c76a9e527e472ddee0cc3ba19c7a1cc49079a9eaf8
        • Instruction Fuzzy Hash: D71172317002005BD711EA3A888576B77965FA7308F5D407AF980DF392DB6CDC16CB9A
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: Cursor
        • String ID: TVI$SH
        • API String ID: 3268636600-3704761771
        • Opcode ID: abb5b48e770713413dbebb703db94d11345ff81c3b4c9a32e29966d9f423a3d5
        • Instruction ID: 74d70059c82cc09bc361997cc81334b9bc75912fd0bd80d138287a6a5027d031
        • Opcode Fuzzy Hash: abb5b48e770713413dbebb703db94d11345ff81c3b4c9a32e29966d9f423a3d5
        • Instruction Fuzzy Hash: 162162307015815BCB11EB1DE8C56AB77A6DB89318B59803AE804DB3A3CB7CEC4587AD
        APIs
          • Part of subcall function 00415890: SetErrorMode.KERNEL32 ref: 0041589A
          • Part of subcall function 00415890: LoadLibraryW.KERNEL32(00000000,00000000,004158E4,?,00000000,00415902), ref: 004158C9
        • FreeLibrary.KERNEL32(00000000), ref: 00432BBC
        • GetLastError.KERNEL32(00000000,00432C2F), ref: 00432BCA
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: ErrorLibrary$FreeLastLoadMode
        • String ID: WS2_32.DLL
        • API String ID: 2136283890-2889821164
        • Opcode ID: 9476491be7404052957083e48d399e11f6e654874219df220ce66e8dc7195f0b
        • Instruction ID: f1b73fbe717c5af7faa600aa0513d5ff61efa1eff85d4f973677726bc8fc8918
        • Opcode Fuzzy Hash: 9476491be7404052957083e48d399e11f6e654874219df220ce66e8dc7195f0b
        • Instruction Fuzzy Hash: 4111BE706002449FE711EF68DE92B9A73E9F74C304F5054BBA608D3291DBB85D448F5A
        APIs
        • GetSystemMetrics.USER32(00000000), ref: 0049016E
        • GetSystemMetrics.USER32(00000001), ref: 00490180
          • Part of subcall function 0048FE14: GetProcAddress.KERNEL32(76910000,00000000), ref: 0048FEB0
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: MetricsSystem$AddressProc
        • String ID: MonitorFromPoint
        • API String ID: 1792783759-1072306578
        • Opcode ID: 952afc4831f3737818c557d80abe737d2bfdf50369fff8eb230d8eff4c8d88b7
        • Instruction ID: f955175bd4ff5db4ef15da1a7d4c647691eda2b1f5827bc4a7d9a0e417cbe78e
        • Opcode Fuzzy Hash: 952afc4831f3737818c557d80abe737d2bfdf50369fff8eb230d8eff4c8d88b7
        • Instruction Fuzzy Hash: 9401A232600248AFDF108F51EC86B6BBFA5E744354F808037FD259F262C3769C418BA8
        APIs
        • InterlockedCompareExchange.KERNEL32(?), ref: 0042DD33
        • SwitchToThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0042DC9D), ref: 0042DD40
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: CompareExchangeInterlockedSwitchThread
        • String ID: XPN
        • API String ID: 3384000618-3056703449
        • Opcode ID: 3ec6f819b992877e3d524e3b2cf2c5363080b8fa663e8b33b9a13a05ae4a2947
        • Instruction ID: bdb5cbb5a3b9d48783b82f4b32c880966d56a84eedc41f81564cdc404920869d
        • Opcode Fuzzy Hash: 3ec6f819b992877e3d524e3b2cf2c5363080b8fa663e8b33b9a13a05ae4a2947
        • Instruction Fuzzy Hash: 29F0FC62B1D9F41BE71115197C847362689EBC23B0FA5023BB4D8871E1C5284C41D36A
        APIs
          • Part of subcall function 004C08D0: ImageList_DragLeave.COMCTL32(?,00000000,004C0984,?,00000000,004B453F,00000000,004B465B,?,00000000,004B46CD), ref: 004C08E8
          • Part of subcall function 004C0700: ClientToScreen.USER32(?,004C0918), ref: 004C0718
          • Part of subcall function 004C0700: GetWindowRect.USER32(?,?), ref: 004C0722
        • ImageList_DragEnter.COMCTL32(?,?,>K,?,00000000,00000000,00000000), ref: 004C08B7
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: DragImageList_$ClientEnterLeaveRectScreenWindow
        • String ID: >K$>K
        • API String ID: 493882731-3509769979
        • Opcode ID: 620304f3d8ac09aeb790f4fc56bab10c8a7ba63f52c519b41f7ec61b73247c1f
        • Instruction ID: deeb684c6a7018f937bb2697ee24def1789a5112255163957925916128efb21e
        • Opcode Fuzzy Hash: 620304f3d8ac09aeb790f4fc56bab10c8a7ba63f52c519b41f7ec61b73247c1f
        • Instruction Fuzzy Hash: 9BF04F76B01208AB8750EEAD88C1D9EF7EDEF48214B04427EF518D3341D635AD0497E5
        APIs
        • LoadLibraryW.KERNEL32(DWMAPI.DLL,?,?,?,0049EEF9), ref: 004906B6
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID: DWMAPI.DLL$DwmExtendFrameIntoClientArea
        • API String ID: 1029625771-2956373744
        • Opcode ID: fe5dc23e370788f91887cd6470e92c1825b220955ad71d62aea9c6c849605086
        • Instruction ID: f0e3ecffecd30036422d8f8f3e9750b71f6f1f807febf24f3dfc5d5040579894
        • Opcode Fuzzy Hash: fe5dc23e370788f91887cd6470e92c1825b220955ad71d62aea9c6c849605086
        • Instruction Fuzzy Hash: 6EF09C71E422D09FDB115B55ACC9B673FE4D785715F14803BBA009A2A2C7780C94CF9C
        APIs
        • FreeLibrary.KERNEL32(00000000,00000000,00493E3C), ref: 00493DF0
        • FreeLibrary.KERNEL32(00000000,00000000,00493E3C), ref: 00493E04
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: FreeLibrary
        • String ID: 0<I
        • API String ID: 3664257935-2816064585
        • Opcode ID: 920acb709e2f63175bff82f01f451a44be0f74c378b2bb15076502e3d3027c22
        • Instruction ID: 58d1f87a8a7c4d935ae53fa4b21acee9b49bac0c451c041aa4255b75c9598f93
        • Opcode Fuzzy Hash: 920acb709e2f63175bff82f01f451a44be0f74c378b2bb15076502e3d3027c22
        • Instruction Fuzzy Hash: 21F096351006808FDF12AF66EC5662337A4E746706BA1847BF5005B662CB3DD900CA9D
        APIs
        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C950
        • GetLastError.KERNEL32(00000000,00000000,00000000,004CFDFB,00000000,?,00000023,00000000,00000000,004CFE86), ref: 0040C962
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: AttributesErrorFileLast
        • String ID: {
        • API String ID: 1799206407-366298937
        • Opcode ID: b66b422506ba923b79554cabc6e1a519e5904e94530f2ec4ba6c5a5fa0a79732
        • Instruction ID: a403b447d06f5ffe2b7abc8b160741d1094639ff05699f4cfa2c28d168ebea04
        • Opcode Fuzzy Hash: b66b422506ba923b79554cabc6e1a519e5904e94530f2ec4ba6c5a5fa0a79732
        • Instruction Fuzzy Hash: 0BE04FD220162085CD2433FD19CA2AF824499857A83240B37FD51F73E2D63E4C8B59AD
        APIs
        • GetKeyState.USER32(00000010), ref: 004AA93F
        • GetKeyState.USER32(00000011), ref: 004AA950
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: State
        • String ID:
        • API String ID: 1649606143-3916222277
        • Opcode ID: 79cf6361b3076dbe001a0739b71795750d9bec554e6214f4cddfb021dc18db59
        • Instruction ID: 869f627d6d0a7e248796e0c653ffba467c6d3343f4f7dd7d863e12119094f056
        • Opcode Fuzzy Hash: 79cf6361b3076dbe001a0739b71795750d9bec554e6214f4cddfb021dc18db59
        • Instruction Fuzzy Hash: 17E022A2740B8202F611756A1C013E717884F637A9F0E4A6FBEC02A1C3E39E0D2590AE
        APIs
        • LoadLibraryW.KERNEL32(DWMAPI.DLL,?,?,00490816,?,0049EE37), ref: 00490776
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID: DWMAPI.DLL$DwmIsCompositionEnabled
        • API String ID: 1029625771-2128843254
        • Opcode ID: d25be5ad88d75b8bdc16a4bd254e692d1b4f716a3a589002d7f88ff95a6a603e
        • Instruction ID: d90d78f076efb1dfc9fc52b144e9f4d6d97211cc0c6569452f8b114e26486ca3
        • Opcode Fuzzy Hash: d25be5ad88d75b8bdc16a4bd254e692d1b4f716a3a589002d7f88ff95a6a603e
        • Instruction Fuzzy Hash: 67F06730A01399CFCB11ABA4A8CA7563BA4F708325F00097BF9119A262E3781880CB8C
        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,?,004D7128,00000000,004D713B), ref: 00415312
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: GetDiskFreeSpaceExW$kernel32.dll
        • API String ID: 1646373207-1127948838
        • Opcode ID: 46793605e3a377ac6353366c3618537fd924d49fceb9037224e7c0035c478c03
        • Instruction ID: 2ca14fdfa41039ed3f894e20683b3969f64cb365ff125a158d180c7fc00750cc
        • Opcode Fuzzy Hash: 46793605e3a377ac6353366c3618537fd924d49fceb9037224e7c0035c478c03
        • Instruction Fuzzy Hash: E2D09EF0703B4ADAD7009BE59D96BA627589784794B50047FA551AB3A1DAFC4C80C61C
        APIs
        • GetModuleHandleW.KERNEL32(ole32.dll,?,0042D9BE), ref: 0042D92A
          • Part of subcall function 00408A94: GetProcAddress.KERNEL32(00000000,?), ref: 00408AB8
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.2162771548.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000004.00000002.2162751888.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162842223.00000000004D9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162899551.00000000004DC000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162916055.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162932314.00000000004E4000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162947854.00000000004E5000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162963483.00000000004E9000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2162989902.00000000004ED000.00000008.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.00000000004EF000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000004.00000002.2163012919.000000000050C000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: CoWaitForMultipleHandles$ole32.dll
        • API String ID: 1646373207-2593175619
        • Opcode ID: 1e1c2ecc71053925c223f1487f379d2c6151012cc71ef2f9ce51569905aeaa61
        • Instruction ID: a739f7d9c72f1b270898e192477e90f64bdf8c681cdede822b5b2aeda953c0a3
        • Opcode Fuzzy Hash: 1e1c2ecc71053925c223f1487f379d2c6151012cc71ef2f9ce51569905aeaa61
        • Instruction Fuzzy Hash: D4D09EE0B003A65ED740ABB57CC572726556745355FD0053BB280192E3DBFE4884D61C