Windows Analysis Report
SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
Analysis ID: 1468056
MD5: 02b1bc1d92b390560c7d7ff9aa8e4e79
SHA1: ab51a613b594c17a481eea7d43cac97cec124411
SHA256: a35e13209e866dbdc6ef31c72e55630438e04e1e175b441ec9f680076a846e93
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Uses Windows timers to delay execution
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Virustotal: Detection: 9%
  • Joe Sandbox ML: detected
  • Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Code function: 0_2_00405070 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
  • Code function: 0_2_00420314 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
  • Code function: 0_2_00430A64 GetKeyboardState,KiUserCallbackDispatcher
  • Code function: 0_2_00433974 NtdllDefWindowProc_A,GetCapture
  • Code function: 0_2_0044DF14 NtdllDefWindowProc_A
  • Code function: 0_2_0044E6BC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
  • Code function: 0_2_0044E76C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
  • Code function: 0_2_00443268 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
  • Code function: 0_2_00427524 NtdllDefWindowProc_A
  • Code function: 0_2_0044840C
  • Code function: 0_2_0041ACFF
  • Code function: 0_2_00443268
  • String function: 004035D4 appears 32 times
  • String function: 00406020 appears 61 times
  • String function: 00403F98 appears 73 times
Source: SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe, 00000000.00000003.2012528482.0000000002124000.00000004.00001000.00020000.00000000.sdmp
  • Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
Source: SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
  • Static PE information: Section: UPX1 ZLIB complexity 0.9915806361607142
Source: classification engine
  • Classification label: mal60.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Code function: 0_2_0041D7B4 GetLastError,FormatMessageA
  • Code function: 0_2_00408346 GetDiskFreeSpaceA
  • Code function: 0_2_00413440 FindResourceA
  • Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
  • Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Virustotal: Detection: 9%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Section loaded: apphelp.dll
  • Section loaded: version.dll
  • Section loaded: uxtheme.dll
  • Section loaded: textshaping.dll
  • Section loaded: kernel.appcore.dll
  • Section loaded: textinputframework.dll
  • Section loaded: coreuicomponents.dll
  • Section loaded: coremessaging.dll
  • Section loaded: ntmarta.dll
  • Section loaded: wintypes.dll
  • Section loaded: wintypes.dll
  • Section loaded: wintypes.dll
Source: Window Recorder
  • Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Code function: 0_2_0043A7A0 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
  • Code function: 0_2_0043ADD0 push 0043AE5Dh; ret 0_2_0043AE55
  • Code function: 0_2_0042405C push 00424088h; ret 0_2_00424080
  • Code function: 0_2_00426070 push 0042609Ch; ret 0_2_00426094
  • Code function: 0_2_00426000 push 0042602Ch; ret 0_2_00426024
  • Code function: 0_2_00426038 push 00426064h; ret 0_2_0042605C
  • Code function: 0_2_004260E0 push 0042610Ch; ret 0_2_00426104
  • Code function: 0_2_0043C098 push 0043C0C4h; ret 0_2_0043C0BC
  • Code function: 0_2_0042409C push 004240C8h; ret 0_2_004240C0
  • Code function: 0_2_004260A8 push 004260D4h; ret 0_2_004260CC
  • Code function: 0_2_00426150 push 0042617Ch; ret 0_2_00426174
  • Code function: 0_2_00450164 push 004501BEh; ret 0_2_004501B6
  • Code function: 0_2_00426118 push 00426144h; ret 0_2_0042613C
  • Code function: 0_2_00426188 push 004261B4h; ret 0_2_004261AC
  • Code function: 0_2_004103AA push 00410422h; ret 0_2_0041041A
  • Code function: 0_2_004103AC push 00410422h; ret 0_2_0041041A
  • Code function: 0_2_0041A456 push 0041A503h; ret 0_2_0041A4FB
  • Code function: 0_2_0041A458 push 0041A503h; ret 0_2_0041A4FB
  • Code function: 0_2_00410424 push 004104CCh; ret 0_2_004104C4
  • Code function: 0_2_0041A508 push 0041A598h; ret 0_2_0041A590
  • Code function: 0_2_004505FC push 00450628h; ret 0_2_00450620
  • Code function: 0_2_0042A5B4 push 0042A629h; ret 0_2_0042A621
  • Code function: 0_2_004105B8 push 004105E4h; ret 0_2_004105DC
  • Code function: 0_2_0042A62C push 0042A685h; ret 0_2_0042A67D
  • Code function: 0_2_00450634 push 0045065Ah; ret 0_2_00450652
  • Code function: 0_2_00412708 push ecx; mov dword ptr [esp], edx 0_2_0041270D
  • Code function: 0_2_00426794 push 004267EDh; ret 0_2_004267E5
  • Code function: 0_2_00430804 push ecx; mov dword ptr [esp], ecx 0_2_00430808
  • Code function: 0_2_0041A81C push 0041A848h; ret 0_2_0041A840
  • Code function: 0_2_0040C8E8 push ecx; mov dword ptr [esp], edx 0_2_0040C8ED
  • Code function: 0_2_004068AC push ecx; mov dword ptr [esp], eax 0_2_004068AD
  • Code function: 0_2_0042891C push 0042895Eh; ret 0_2_00428956
Source: initial sample
  • Static PE information: section name: UPX0
  • Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Code function: 0_2_0044AFC4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
  • Code function: 0_2_0044DF9C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
  • Code function: 0_2_004361CC IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
  • Code function: 0_2_0044E6BC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
  • Code function: 0_2_0044E76C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
  • Code function: 0_2_00435098 IsIconic,GetCapture
  • Code function: 0_2_0043594C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
  • Code function: 0_2_00423B14 MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect
  • Code function: 0_2_0043A7A0 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Code function: 0_2_0042A4B4
  • User Timer Set: Timeout: 20ms
  • Code function: 0_2_0044D50C GetCurrentThreadId,GetCursorPos,WaitForSingleObject
  • API coverage: 9.4 %
  • Code function: 0_2_0042A4B4
Source: all processes
  • Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Code function: 0_2_00405070 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
  • Code function: 0_2_0041DD44 GetSystemInfo
  • Code function: 0_2_0043A7A0 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
Source: all processes
  • Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
  • Code function: 0_2_00405228 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
  • Code function: 0_2_0040C134 GetLocaleInfoA,GetACP
  • Code function: 0_2_0040AB48 GetLocaleInfoA
  • Code function: 0_2_0040AB94 GetLocaleInfoA
  • Code function: 0_2_00405B1E GetLocaleInfoA
  • Code function: 0_2_00405B20 GetLocaleInfoA
  • Code function: 0_2_00409648 GetLocalTime
  • Code function: 0_2_0043ADD0 GetVersion
MITRE ATT&CK matrix, listed per tactic (the number of matching signatures is given in parentheses; techniques without a number were not matched):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (21), Software Packing (11), DLL Side-Loading (1), Steganography
Credential Access: Input Capture (11), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: System Time Discovery (1), Security Software Discovery (12), Virtualization/Sandbox Evasion (1), Application Window Discovery (11), File and Directory Discovery (1), System Information Discovery (16)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Input Capture (11), Archive Collected Data (1), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Source | Detection | Scanner
SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe | 11% | ReversingLabs
SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe | 9% | Virustotal
SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe | 100% | Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1468056
Start date and time: 2024-07-05 09:33:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
Detection: MAL
Classification: mal60.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 87%
  • Number of executed functions: 49
  • Number of non-executed functions: 105
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.931306061227011
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.63%
  • UPX compressed Win32 Executable (30571/9) 0.30%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name: SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
File size: 150'016 bytes
MD5: 02b1bc1d92b390560c7d7ff9aa8e4e79
SHA1: ab51a613b594c17a481eea7d43cac97cec124411
SHA256: a35e13209e866dbdc6ef31c72e55630438e04e1e175b441ec9f680076a846e93
SHA512: c86ca1154faddd251521558ebd8db890b426c5b316caab0867fe58e915dab9b40e1a4275be1758a33fa484672a39dfc1f634efee903fc10d1cd8b3c5a40b7ac4
SSDEEP: 3072:jS13+pTUL3+rasKgvb8PHjdP7LLHSL54kmj0sjZNYuCdfblout:jS13UTm4a9gvba5zyuRehoS
TLSH: C7E31247F7BAB964DD8104BA6E9B5E381B31F0F09CA3CF871AE4B369CD437242651621
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: a4868c93a2c6b0a6
Entrypoint: 0x467340
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 4e951e86436c76d700c0d4b4eb177a14
Instruction
pushad
mov esi, 00445000h
lea edi, dword ptr [esi-00044000h]
mov dword ptr [edi+0005009Ch], 212E6B55h
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007F5D55074BCDh
inc esi
inc esi
push ebx
push 0006592Ch
push edi
add ebx, 04h
push ebx
push 00022339h
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00000003h
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+00h], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6936c | 0x1c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x68000 | 0x136c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x67efc | 0x18 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x44000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x45000 | 0x23000 | 0x23000 | 48f531e312091764d3036e0861777976 | False | 0.9915806361607142 | data | 7.9950539598993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x68000 | 0x2000 | 0x1600 | f977ad8496001191e7ff92543546ec85 | False | 0.3586647727272727 | data | 3.7549499134853774 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x5faa8 | 0x134 | data | - | - | 1.0357142857142858
RT_CURSOR | 0x5fbdc | 0x134 | data | - | - | 1.0357142857142858
RT_CURSOR | 0x5fd10 | 0x134 | data | - | - | 1.0357142857142858
RT_CURSOR | 0x5fe44 | 0x134 | data | - | - | 1.0357142857142858
RT_CURSOR | 0x5ff78 | 0x134 | data | - | - | 1.0357142857142858
RT_CURSOR | 0x600ac | 0x134 | data | - | - | 1.0357142857142858
RT_CURSOR | 0x601e0 | 0x134 | data | - | - | 1.0357142857142858
RT_BITMAP | 0x60314 | 0x1d0 | data | - | - | 1.0237068965517242
RT_BITMAP | 0x604e4 | 0x1e4 | data | - | - | 1.0227272727272727
RT_BITMAP | 0x606c8 | 0x1d0 | data | - | - | 1.0237068965517242
RT_BITMAP | 0x60898 | 0x1d0 | data | - | - | 1.0237068965517242
RT_BITMAP | 0x60a68 | 0x1d0 | data | - | - | 1.0237068965517242
RT_BITMAP | 0x60c38 | 0x1d0 | data | - | - | 1.0237068965517242
RT_BITMAP | 0x60e08 | 0x1d0 | data | - | - | 1.0237068965517242
RT_BITMAP | 0x60fd8 | 0x1d0 | data | - | - | 1.0237068965517242
RT_BITMAP | 0x611a8 | 0x1d0 | data | - | - | 1.0237068965517242
RT_BITMAP | 0x61378 | 0x1d0 | data | - | - | 1.0237068965517242
RT_BITMAP | 0x61548 | 0xe8 | data | - | - | 1.0474137931034482
RT_ICON | 0x68aac | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Polish | Poland | 0.421028880866426
RT_DIALOG | 0x61ed8 | 0x52 | data | - | - | 1.1341463414634145
RT_STRING | 0x61f2c | 0x164 | data | - | - | 1.0308988764044944
RT_STRING | 0x62090 | 0x200 | data | - | - | 1.021484375
RT_STRING | 0x62290 | 0xf8 | data | - | - | 1.0443548387096775
RT_STRING | 0x62388 | 0x300 | data | - | - | 1.0143229166666667
RT_STRING | 0x62688 | 0xbc | data | - | - | 1.0585106382978724
RT_STRING | 0x62744 | 0x10c | data | - | - | 1.041044776119403
RT_STRING | 0x62850 | 0x1c4 | data | - | - | 1.0243362831858407
RT_STRING | 0x62a14 | 0x450 | data | - | - | 1.0099637681159421
RT_STRING | 0x62e64 | 0x35c | data | - | - | 1.0127906976744185
RT_STRING | 0x631c0 | 0x3e8 | data | - | - | 1.011
RT_STRING | 0x635a8 | 0x234 | data | - | - | 1.0195035460992907
RT_STRING | 0x637dc | 0xec | data | - | - | 1.0466101694915255
RT_STRING | 0x638c8 | 0x1b4 | data | - | - | 1.025229357798165
RT_STRING | 0x63a7c | 0x3e4 | data | - | - | 1.0110441767068272
RT_STRING | 0x63e60 | 0x358 | data | - | - | 1.0128504672897196
RT_STRING | 0x641b8 | 0x2b4 | OpenPGP Public Key | - | - | 1.0158959537572254
RT_RCDATA | 0x6446c | 0x10 | data | - | - | 1.5625
RT_RCDATA | 0x6447c | 0x264 | data | - | - | 1.0179738562091503
RT_RCDATA | 0x646e0 | 0x2ab | data | - | - | 1.0161054172767203
RT_GROUP_CURSOR | 0x6498c | 0x14 | data | - | - | 1.45
RT_GROUP_CURSOR | 0x649a0 | 0x14 | data | - | - | 1.45
RT_GROUP_CURSOR | 0x649b4 | 0x14 | data | - | - | 1.55
RT_GROUP_CURSOR | 0x649c8 | 0x14 | data | - | - | 1.45
RT_GROUP_CURSOR | 0x649dc | 0x14 | Non-ISO extended-ASCII text, with no line terminators | - | - | 1.45
RT_GROUP_CURSOR | 0x649f0 | 0x14 | data | - | - | 1.45
RT_GROUP_CURSOR | 0x64a04 | 0x14 | data | - | - | 1.45
RT_GROUP_ICON | 0x69358 | 0x14 | data | Polish | Poland | 1.15
DLL | Import
advapi32.dll | RegCloseKey
comctl32.dll | ImageList_Add
gdi32.dll | SaveDC
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
oleaut32.dll | VariantCopy
user32.dll | GetDC
version.dll | VerQueryValueA
Language of compilation system | Country where language is spoken
Polish | Poland
No network behavior found


Target ID: 0
Start time: 03:34:01
Start date: 05/07/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Win32.Banload.24378.5325.exe"
Imagebase: 0x400000
File size: 150'016 bytes
MD5 hash: 02B1BC1D92B390560C7D7FF9AA8E4E79
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 6.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 15.8%
Total number of Nodes: 1190
Total number of Limit Nodes: 56
29518 44b4db SetWindowPos SetActiveWindow 29513->29518 29519 44b4f3 ShowWindow 29514->29519 29515->29508 29520 44b4b1 29515->29520 29545 435f60 29516->29545 29522 435f60 29517->29522 29518->29493 29519->29493 29550 445dd4 GetCurrentThreadId 29520->29550 29526 44b39a CallWindowProcA 29522->29526 29523 44b171 29523->29506 29523->29507 29524->29523 29544 449420 56 API calls 29524->29544 29525 44b354 ShowWindow 29528 44b3ad SendMessageA 29525->29528 29547 42fa50 29526->29547 29528->29493 29529->29523 29543 449420 56 API calls 29529->29543 29534 44b023 29533->29534 29540 44f6fb 29533->29540 29534->29493 29534->29495 29534->29496 29535 44f75e 29536 44f68c 2 API calls 29535->29536 29536->29534 29538 44f74f 29554 44f68c IsWindowVisible 29538->29554 29540->29535 29540->29538 29541 44f745 IsChild 29540->29541 29551 44c8c8 29540->29551 29541->29538 29541->29540 29542->29488 29543->29523 29544->29523 29546 435f6a 29545->29546 29546->29525 29547->29528 29548->29497 29549->29493 29550->29508 29558 413890 29551->29558 29555 44f6e3 29554->29555 29556 44f6af 29554->29556 29555->29534 29556->29555 29557 44f6b7 SetWindowPos 29556->29557 29557->29555 29559 41389a 29558->29559 29560 4138ae 29559->29560 29562 41381c 56 API calls 29559->29562 29560->29540 29562->29560 29563 44efe4 29576 404030 29563->29576 29565 44f051 29580 44e8a8 29565->29580 29567 44f017 29567->29565 29601 403fec 25 API calls 29567->29601 29568 44f060 29586 44ee7c GetActiveWindow 29568->29586 29570 44f07e 29572 403f98 11 API calls 29570->29572 29573 44f096 29572->29573 29574 403f98 11 API calls 29573->29574 29575 44f09e 29574->29575 29578 404034 29576->29578 29577 404058 29577->29567 29578->29577 29602 4026dc 11 API calls 29578->29602 29581 44e8dd 29580->29581 29582 44e8bd GetWindowTextA 29580->29582 29603 403fec 29581->29603 29583 404088 25 API calls 29582->29583 29585 44e8db 29583->29585 29585->29568 29587 44eea6 29586->29587 29588 44ef26 29587->29588 29590 44eede GetWindowRect 29587->29590 29610 445c84 
GetCurrentThreadId 29588->29610 29591 44ef00 SetWindowPos 29590->29591 29591->29588 29593 44ef2d 29594 44ef4a MessageBoxA 29593->29594 29595 44efb7 29594->29595 29596 44ef7f SetWindowPos 29594->29596 29612 445d38 13 API calls 29595->29612 29596->29595 29598 44efbf SetActiveWindow 29600 44efd0 29598->29600 29600->29570 29601->29565 29602->29577 29604 403ff0 29603->29604 29605 404000 29603->29605 29604->29605 29607 40405c 25 API calls 29604->29607 29606 40402e 29605->29606 29609 4026dc 11 API calls 29605->29609 29606->29585 29607->29605 29609->29606 29611 445cde 29610->29611 29611->29593 29612->29598 29613 405d80 GetModuleHandleA 29614 405db3 29613->29614 29617 403ce0 29614->29617 29618 403d13 29617->29618 29621 403c80 29618->29621 29622 403cbc 29621->29622 29623 403c8f 29621->29623 29623->29622 29625 4026bc 25 API calls 29623->29625 29626 404fec 30 API calls 29623->29626 29627 43add0 29623->29627 29625->29623 29626->29623 29628 43adea GetVersion 29627->29628 29629 43ae48 29627->29629 29641 43ab9c GetCurrentProcessId 29628->29641 29629->29623 29633 43ae0e 29675 41316c 58 API calls 29633->29675 29635 43ae18 29676 413118 58 API calls 29635->29676 29637 43ae28 29677 413118 58 API calls 29637->29677 29639 43ae38 29678 413118 58 API calls 29639->29678 29679 408a84 29641->29679 29644 403fec 25 API calls 29645 43abe5 29644->29645 29646 43abef GlobalAddAtomA GetCurrentThreadId 29645->29646 29647 408a84 56 API calls 29646->29647 29648 43ac29 29647->29648 29649 403fec 25 API calls 29648->29649 29650 43ac36 29649->29650 29651 43ac40 GlobalAddAtomA 29650->29651 29682 404458 29651->29682 29655 43ac6d 29688 43a7a0 29655->29688 29657 43ac77 29696 43a5c8 29657->29696 29659 43ac83 29700 44c630 29659->29700 29661 43ac96 29717 44d714 29661->29717 29663 43acac 29731 44f30c 121 API calls 29663->29731 29665 43acc2 29732 413258 58 API calls 29665->29732 29667 43acd6 GetModuleHandleA 29668 43acf6 29667->29668 29669 43ace6 GetProcAddress 29667->29669 29670 403f98 11 API calls 29668->29670 
29669->29668 29671 43ad0b 29670->29671 29672 403f98 11 API calls 29671->29672 29673 43ad13 29672->29673 29674 4130cc 58 API calls 29673->29674 29674->29633 29675->29635 29676->29637 29677->29639 29678->29629 29733 408a98 29679->29733 29683 40445c RegisterClipboardFormatA 29682->29683 29684 413aa4 29683->29684 29685 413aaa 29684->29685 29686 413abf RtlInitializeCriticalSection 29685->29686 29687 413ad4 29686->29687 29687->29655 29689 43a7b4 SetErrorMode 29688->29689 29690 43a90d 29688->29690 29691 43a7f4 29689->29691 29692 43a7d8 GetModuleHandleA GetProcAddress 29689->29692 29690->29657 29693 43a801 LoadLibraryA 29691->29693 29694 43a8ef SetErrorMode 29691->29694 29692->29691 29693->29694 29695 43a81d 10 API calls 29693->29695 29694->29657 29695->29694 29697 43a5ce 29696->29697 29750 43a73c 29697->29750 29699 43a63c 29699->29659 29701 44c63a 29700->29701 29786 419230 29701->29786 29703 44c650 29790 44c9ec LoadCursorA 29703->29790 29706 44c689 29707 44c6c5 73A0A570 29706->29707 29708 44c6d9 29707->29708 29795 41c3f0 29708->29795 29710 44c707 29711 41c3f0 27 API calls 29710->29711 29712 44c719 29711->29712 29713 41c3f0 27 API calls 29712->29713 29714 44c72b 29713->29714 29799 44ce0c 29714->29799 29716 44c738 29716->29661 29718 44d723 29717->29718 29719 419230 56 API calls 29718->29719 29720 44d739 29719->29720 29721 44d7e4 LoadIconA 29720->29721 29844 422e8c 29721->29844 29723 44d807 GetModuleFileNameA OemToCharA 29724 44d850 29723->29724 29725 44d876 CharLowerA 29724->29725 29726 44d899 29725->29726 29727 44d8aa 29726->29727 29846 44da1c 29726->29846 29870 44f770 11 API calls 29727->29870 29730 44d8cc 29730->29663 29731->29665 29732->29667 29734 408abc 29733->29734 29736 408ae7 29734->29736 29746 40868c 56 API calls 29734->29746 29737 408b3f 29736->29737 29744 408afc 29736->29744 29738 404088 25 API calls 29737->29738 29740 408a93 29738->29740 29739 408b35 29749 4045e4 25 API calls 29739->29749 29740->29644 29742 403f98 11 API calls 29742->29744 29744->29739 
29744->29742 29747 4045e4 25 API calls 29744->29747 29748 40868c 56 API calls 29744->29748 29746->29736 29747->29744 29748->29744 29749->29740 29751 43a744 29750->29751 29752 43a74b 29750->29752 29753 43a749 29751->29753 29756 43a787 SendMessageA 29751->29756 29757 43a776 SystemParametersInfoA 29751->29757 29763 43a6a0 29752->29763 29753->29699 29756->29753 29757->29753 29758 43a761 29767 43a6bc SystemParametersInfoA 29758->29767 29759 43a758 29766 43a6ec 6 API calls 29759->29766 29762 43a768 29762->29699 29768 4239fc 29763->29768 29766->29753 29767->29762 29769 423a0c 29768->29769 29772 423a2c 29768->29772 29775 423914 29769->29775 29773 423a63 29772->29773 29774 423a5d GetSystemMetrics 29772->29774 29773->29758 29773->29759 29774->29773 29776 42392a 29775->29776 29778 42399d 29776->29778 29779 423985 29776->29779 29782 423914 11 API calls 29776->29782 29777 403f98 11 API calls 29780 4239d2 KiUserCallbackDispatcher 29777->29780 29778->29777 29781 42398d GetProcAddress 29779->29781 29780->29773 29781->29778 29783 42396f 29782->29783 29783->29779 29784 42397d 29783->29784 29785 403f98 11 API calls 29784->29785 29785->29779 29787 419237 29786->29787 29788 41925a 29787->29788 29820 4193e8 56 API calls 29787->29820 29788->29703 29791 44ca0b 29790->29791 29792 44ca24 LoadCursorA 29791->29792 29794 44c673 GetKeyboardLayout 29791->29794 29821 44caa4 29792->29821 29794->29706 29796 41c3f6 29795->29796 29824 41b934 29796->29824 29798 41c418 29798->29710 29800 44ce25 29799->29800 29801 44ce56 SystemParametersInfoA 29800->29801 29839 44f30c 121 API calls 29800->29839 29802 44ce81 GetStockObject 29801->29802 29803 44ce69 CreateFontIndirectA 29801->29803 29806 41c780 30 API calls 29802->29806 29834 41c780 29803->29834 29808 44ce95 SystemParametersInfoA 29806->29808 29809 44ceb5 CreateFontIndirectA 29808->29809 29810 44cee9 29808->29810 29811 41c780 30 API calls 29809->29811 29840 41c864 30 API calls 29810->29840 29813 44cece CreateFontIndirectA 29811->29813 29815 41c780 30 API 
calls 29813->29815 29814 44cef9 GetStockObject 29816 41c780 30 API calls 29814->29816 29818 44cee7 29815->29818 29816->29818 29817 44cf50 29817->29716 29818->29817 29841 44f30c 121 API calls 29818->29841 29820->29788 29822 4026bc 25 API calls 29821->29822 29823 44cab7 29822->29823 29823->29791 29825 41b94f 29824->29825 29832 41b91c RtlEnterCriticalSection 29825->29832 29827 41b959 29828 4026bc 25 API calls 29827->29828 29829 41b9b6 29827->29829 29828->29829 29833 41b928 RtlLeaveCriticalSection 29829->29833 29831 41ba07 29831->29798 29832->29827 29833->29831 29842 41c33c GetObjectA 29834->29842 29836 41c792 29843 41c574 29 API calls 29836->29843 29838 41c79b 29838->29808 29839->29801 29840->29814 29841->29817 29842->29836 29843->29838 29845 422e98 29844->29845 29845->29723 29847 44da45 29846->29847 29848 44dba7 29846->29848 29847->29848 29871 41a2c0 29847->29871 29849 403f98 11 API calls 29848->29849 29851 44dbbc 29849->29851 29851->29727 29852 44da5e GetClassInfoA 29853 44da84 RegisterClassA 29852->29853 29858 44dab9 29852->29858 29854 44da9d 29853->29854 29853->29858 29855 405ac8 56 API calls 29854->29855 29856 44daaa 29855->29856 29883 40b304 25 API calls 29856->29883 29874 406940 29858->29874 29860 44db10 29861 403f98 11 API calls 29860->29861 29862 44db1e SetWindowLongA 29861->29862 29863 44db3e 29862->29863 29864 44db69 GetSystemMenu DeleteMenu DeleteMenu 29862->29864 29878 44e6a0 29863->29878 29864->29848 29865 44db9a DeleteMenu 29864->29865 29865->29848 29868 44e6a0 61 API calls 29869 44db5d SetClassLongA 29868->29869 29869->29864 29870->29730 29872 41a2d0 VirtualAlloc 29871->29872 29873 41a2fe 29871->29873 29872->29873 29873->29852 29884 402a54 29874->29884 29876 406953 CreateWindowExA 29877 40698b 29876->29877 29877->29860 29885 422bf8 29878->29885 29881 44e6af LoadIconA 29882 44db45 SendMessageA 29881->29882 29882->29868 29883->29858 29884->29876 29888 422c34 29885->29888 29889 422c44 29888->29889 29897 422c02 29888->29897 29889->29897 29899 4154f0 
29889->29899 29893 422c63 29894 422c70 29893->29894 29895 422c7d 29893->29895 29893->29897 29904 41d748 56 API calls 29894->29904 29903 41e29c 59 API calls 29895->29903 29897->29881 29897->29882 29901 41591c SetFilePointer 29899->29901 29900 415500 29902 4156fc 56 API calls 29900->29902 29901->29900 29902->29893 29903->29897 29904->29897 29905 43a1e0 29906 43a20a 29905->29906 29907 43a22c 29905->29907 29910 43a210 29906->29910 29911 43a3ab 29906->29911 29908 43a233 29907->29908 29909 43a2ac 29907->29909 29912 43a23e 29908->29912 29920 43a4c3 29908->29920 29981 438c70 57 API calls 29909->29981 29915 43a219 29910->29915 29916 43a41c GetCursorPos 29910->29916 29913 43a3b4 29911->29913 29914 43a40f 29911->29914 29921 43a227 29912->29921 29977 43a0c8 57 API calls 29912->29977 29972 438c70 57 API calls 29913->29972 29986 439c14 35 API calls 29914->29986 29918 43a269 29915->29918 29922 43a220 29915->29922 29933 43a436 29916->29933 29918->29921 29978 439cc8 32 API calls 29918->29978 29920->29921 29932 43a4f1 29920->29932 29944 43a501 29920->29944 29923 403f98 11 API calls 29921->29923 29922->29921 29961 438c70 57 API calls 29922->29961 29927 43a5b7 29923->29927 29928 43a27e 29979 43a150 25 API calls 29928->29979 29930 43a314 29930->29921 29939 43a336 29930->29939 29940 43a324 29930->29940 29931 43a2c5 29931->29921 29982 42e060 128 API calls 29931->29982 29937 403f98 11 API calls 29932->29937 29933->29921 29987 434a90 56 API calls 29933->29987 29935 43a3cd 29935->29921 29947 43a401 29935->29947 29948 43a3f5 29935->29948 29937->29921 29939->29921 29953 43a357 PeekMessageA 29939->29953 29984 439bb4 35 API calls 29940->29984 29941 43a2e8 29983 4304e4 102 API calls 29941->29983 29942 43a29e 29980 439cc8 32 API calls 29942->29980 29943 43a46c 29943->29921 29988 438c70 57 API calls 29943->29988 29944->29921 29989 42f7f0 121 API calls 29944->29989 29973 42f710 29947->29973 29985 44b654 124 API calls 29948->29985 29954 43a365 29953->29954 29954->29921 29962 42fe8c 29954->29962 
29956 43a482 29956->29921 29959 43a4b1 SetCursor 29956->29959 29957 43a570 29960 403fec 25 API calls 29957->29960 29959->29921 29960->29921 29961->29930 29963 42fea5 29962->29963 29965 42fec4 29963->29965 30001 40b3c0 29963->30001 29966 42ff47 29965->29966 29967 42feef GetCursorPos 29965->29967 29969 42ff27 29965->29969 29966->29921 29968 42ff02 29967->29968 30005 430998 29968->30005 29969->29966 29990 42db50 29969->29990 29972->29935 29974 42f71c 29973->29974 29976 42f73c 29973->29976 29975 430998 121 API calls 29974->29975 29975->29976 29976->29921 29977->29921 29978->29928 29979->29942 29980->29921 29981->29931 29982->29941 29983->29921 29984->29921 29985->29921 29986->29921 29987->29943 29988->29956 29989->29957 29991 42db89 29990->29991 29993 42dbd4 29990->29993 29992 42dba0 29991->29992 30009 42d9e0 GetCursorPos GetCursor 29991->30009 29992->29966 29993->29992 29994 42dc0c 29993->29994 30017 42cf14 98 API calls 29993->30017 29997 42dc2d 29994->29997 29999 42dc46 29994->29999 29998 42dc3b GetWindowRect 29997->29998 29998->29991 29999->29991 30000 42dc63 GetCursorPos 29999->30000 30000->29991 30002 40b3c7 30001->30002 30003 405ac8 56 API calls 30002->30003 30004 40b3df 30003->30004 30004->29965 30006 4309b4 30005->30006 30007 4309bf 30005->30007 30038 433974 30006->30038 30007->29969 30018 42cc0c 30009->30018 30011 42da31 30012 42db09 GetDesktopWindow 30011->30012 30014 42db26 30011->30014 30021 4378a4 60 API calls 30012->30021 30015 42db4a 30014->30015 30022 42d710 148 API calls 30014->30022 30015->29992 30017->29994 30023 41a37c GetClassInfoA 30018->30023 30021->30014 30022->30015 30024 41a3ac 30023->30024 30025 41a3d5 30024->30025 30026 41a3cb RegisterClassA 30024->30026 30027 41a3ba UnregisterClassA 30024->30027 30033 4068e8 30025->30033 30026->30025 30027->30026 30029 41a403 30030 41a420 SetCapture 30029->30030 30031 41a2c0 VirtualAlloc 30029->30031 30030->30011 30032 41a417 SetWindowLongA 30031->30032 30032->30030 30037 402a54 30033->30037 30035 4068fb 
CreateWindowExA 30036 406935 30035->30036 30036->30029 30037->30035 30039 433987 30038->30039 30040 43399f 30038->30040 30041 4339f9 30039->30041 30047 433989 30039->30047 30043 43399a 30040->30043 30070 4338e0 121 API calls 30040->30070 30042 430a64 119 API calls 30041->30042 30049 433a02 30042->30049 30053 433a36 30043->30053 30056 430a64 30043->30056 30045 433a53 30045->30043 30051 433a57 30045->30051 30047->30043 30048 433a96 GetCapture 30047->30048 30048->30043 30050 433aa1 30048->30050 30049->30053 30069 43384c 121 API calls 30049->30069 30050->30043 30054 430998 119 API calls 30050->30054 30051->30053 30055 433a7a NtdllDefWindowProc_A 30051->30055 30053->30007 30054->30043 30055->30053 30057 430a7a 30056->30057 30058 430bcf 30057->30058 30060 430b08 30057->30060 30064 430ac0 30057->30064 30065 430b51 30057->30065 30059 430be6 KiUserCallbackDispatcher 30058->30059 30072 42f3a0 121 API calls 30058->30072 30059->30065 30062 430b36 30060->30062 30066 430b2b 30060->30066 30071 44f804 121 API calls 30062->30071 30064->30059 30064->30065 30065->30053 30066->30059 30066->30064 30067 430b92 GetKeyboardState 30066->30067 30068 430bae 30067->30068 30068->30065 30069->30053 30070->30045 30071->30064 30072->30059 30073 415c84 30074 415c8c 30073->30074 30075 415cc1 30074->30075 30076 415cb6 30074->30076 30084 415cbd 30074->30084 30078 415cc5 30075->30078 30079 415cd8 30075->30079 30086 40688c GlobalHandle GlobalUnWire GlobalFree 30076->30086 30085 406860 GlobalAlloc GlobalFix 30078->30085 30087 406870 GlobalHandle GlobalUnWire GlobalReAlloc GlobalFix 30079->30087 30082 415cd4 30083 40b3c0 56 API calls 30082->30083 30082->30084 30083->30084 30085->30082 30086->30084 30087->30082 30088 4036e6 30094 4036e8 30088->30094 30089 40376c 30090 40379c RtlUnwind 30089->30090 30092 403787 UnhandledExceptionFilter 30089->30092 30097 405d34 30090->30097 30092->30090 30093 4037c9 30092->30093 30094->30089 30094->30093 30095 40374c UnhandledExceptionFilter 30094->30095 30095->30093 30096 
403761 30095->30096 30096->30090 30098 405d43 30097->30098 30099 405d69 TlsGetValue 30097->30099 30098->30093 30100 405d73 30099->30100 30101 405d4e 30099->30101 30100->30093 30105 405cf0 LocalAlloc TlsSetValue 30101->30105 30103 405d53 TlsGetValue 30104 405d62 30103->30104 30104->30093 30105->30103 30106 44ec6c 30107 44ec7f 30106->30107 30110 4474a4 30107->30110 30108 44eca0 30112 4474ba 30110->30112 30111 4475ce 30111->30108 30112->30111 30119 413650 30112->30119 30114 447593 30114->30108 30115 44754a 30115->30114 30116 405ac8 56 API calls 30115->30116 30117 447581 30116->30117 30129 40b340 56 API calls 30117->30129 30120 413666 30119->30120 30121 41369b 30120->30121 30142 4134c4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 30120->30142 30130 4135a8 30121->30130 30125 4136c6 30127 4136de 30125->30127 30144 41354c 56 API calls 30125->30144 30127->30115 30129->30114 30131 4135d2 30130->30131 30132 413626 30130->30132 30131->30132 30135 4135a8 177 API calls 30131->30135 30133 403f98 11 API calls 30132->30133 30134 41363d 30133->30134 30134->30125 30143 41351c 56 API calls 30134->30143 30136 4135ea 30135->30136 30145 404fe4 30136->30145 30139 405034 30 API calls 30140 413618 30139->30140 30148 413440 30140->30148 30142->30121 30143->30125 30144->30127 30157 404fbc VirtualQuery 30145->30157 30149 413451 30148->30149 30150 413460 FindResourceA 30149->30150 30151 413470 30150->30151 30152 4134bd 30150->30152 30159 415d60 30151->30159 30152->30132 30154 413481 30163 415860 30154->30163 30156 41349c 30156->30132 30158 404fd6 30157->30158 30158->30139 30160 415d6a 30159->30160 30168 415e28 FindResourceA 30160->30168 30162 415d98 30162->30154 30180 415ee4 30163->30180 30165 41587c 30184 417f18 30165->30184 30167 415897 30167->30156 30169 415e54 LoadResource 30168->30169 30170 415e4d 30168->30170 30172 415e67 30169->30172 30173 415e6e SizeofResource LockResource 30169->30173 30178 415db8 56 API calls 30170->30178 30179 415db8 56 API calls 30172->30179 30176 415e8c 
30173->30176 30174 415e53 30174->30169 30176->30162 30177 415e6d 30177->30173 30178->30174 30179->30177 30181 415eee 30180->30181 30182 4026bc 25 API calls 30181->30182 30183 415f07 30182->30183 30183->30165 30214 418300 30184->30214 30187 417f90 30275 418324 30187->30275 30188 417fc5 30189 418324 56 API calls 30188->30189 30191 417fd6 30189->30191 30193 417fec 30191->30193 30194 417fdf 30191->30194 30197 418324 56 API calls 30193->30197 30196 418324 56 API calls 30194->30196 30202 417fb8 30196->30202 30199 418007 30197->30199 30198 417fa3 30201 418324 56 API calls 30198->30201 30285 417eb8 56 API calls 30199->30285 30201->30202 30219 412d40 30202->30219 30205 405d34 4 API calls 30206 418060 30205->30206 30230 41d538 30206->30230 30240 42f67c 30206->30240 30242 41d280 30206->30242 30246 447b54 30206->30246 30207 4180f0 30208 413890 56 API calls 30207->30208 30209 418130 30207->30209 30208->30207 30209->30167 30286 416ac4 30214->30286 30217 417f51 30217->30187 30217->30188 30220 412d4d 30219->30220 30292 412c2c RtlEnterCriticalSection 30220->30292 30222 412e27 30293 412ce4 RtlLeaveCriticalSection 30222->30293 30223 413890 56 API calls 30228 412d84 30223->30228 30226 412e3e 30226->30205 30227 413890 56 API calls 30229 412de6 30227->30229 30228->30223 30228->30229 30294 412768 56 API calls 30228->30294 30229->30222 30229->30227 30231 41d59e 30230->30231 30236 41d551 30230->30236 30231->30207 30232 41d575 30233 41d586 30232->30233 30295 41d5d4 18 API calls 30232->30295 30235 41d592 30233->30235 30296 41d600 6 API calls 30233->30296 30235->30231 30297 41d630 10 API calls 30235->30297 30236->30232 30239 40b3c0 56 API calls 30236->30239 30239->30232 30241 42f696 KiUserCallbackDispatcher 30240->30241 30241->30207 30243 41d538 73 API calls 30242->30243 30244 41d296 30243->30244 30245 41d2af GetTextExtentPoint32A 30244->30245 30245->30207 30247 447b67 30246->30247 30298 431fc0 30247->30298 30249 447bb2 30251 447d1e 30249->30251 30252 447c21 30249->30252 30263 447c12 MulDiv 
30249->30263 30250 447d35 30254 447d4c 30250->30254 30307 42f260 KiUserCallbackDispatcher 30250->30307 30251->30250 30306 42f21c KiUserCallbackDispatcher 30251->30306 30303 447edc 74 API calls 30252->30303 30255 447d83 30254->30255 30308 4471b4 64 API calls 30254->30308 30259 430998 121 API calls 30255->30259 30262 447d94 30259->30262 30260 447c3a 30260->30251 30304 4471b4 64 API calls 30260->30304 30261 447d71 30309 435a24 56 API calls 30261->30309 30262->30207 30302 41c7ac 29 API calls 30263->30302 30267 447c5b 30305 435a24 56 API calls 30267->30305 30269 447c6e 30270 447c9d 30269->30270 30271 447c7a MulDiv 30269->30271 30272 447ccc 30270->30272 30273 447ca9 MulDiv 30270->30273 30271->30270 30272->30251 30274 447cd8 MulDiv MulDiv 30272->30274 30273->30272 30274->30251 30276 416ac4 56 API calls 30275->30276 30277 418339 30276->30277 30278 404088 25 API calls 30277->30278 30279 418347 30278->30279 30327 4044b0 30279->30327 30282 416ac4 56 API calls 30283 417f9b 30282->30283 30284 412ff0 58 API calls 30283->30284 30284->30198 30285->30202 30289 416acf 30286->30289 30287 416b09 30287->30217 30290 416584 56 API calls 30287->30290 30289->30287 30291 416b10 56 API calls 30289->30291 30290->30217 30291->30289 30292->30228 30293->30226 30294->30228 30295->30233 30296->30235 30297->30231 30299 431fd2 30298->30299 30310 42ec3c 30299->30310 30301 431fea 30301->30249 30302->30252 30303->30260 30304->30267 30305->30269 30306->30250 30307->30254 30308->30261 30309->30255 30311 42ec58 30310->30311 30324 419690 30311->30324 30313 42ecc9 30313->30301 30315 430998 121 API calls 30316 42ec89 30315->30316 30317 430998 121 API calls 30316->30317 30318 42ec99 30317->30318 30319 430998 121 API calls 30318->30319 30320 42eca9 30319->30320 30321 430998 121 API calls 30320->30321 30322 42ecb9 30321->30322 30323 430998 121 API calls 30322->30323 30323->30313 30325 4172b4 93 API calls 30324->30325 30326 419696 30325->30326 30326->30313 30326->30315 30328 404464 30327->30328 30329 40449f 
30328->30329 30330 40405c 25 API calls 30328->30330 30329->30282 30331 40447b 30330->30331 30331->30329 30333 4026dc 11 API calls 30331->30333 30333->30329 30334 42922c 30335 429255 30334->30335 30337 42928a 30335->30337 30355 403fec 25 API calls 30335->30355 30338 4292c1 OffsetRect 30337->30338 30339 429347 30337->30339 30340 4292de 30338->30340 30351 41d464 30339->30351 30343 41d464 73 API calls 30340->30343 30345 4292fd DrawTextA OffsetRect 30343->30345 30344 42936c 30346 403f98 11 API calls 30344->30346 30348 429320 30345->30348 30347 429381 30346->30347 30349 41d464 73 API calls 30348->30349 30350 42933f DrawTextA 30349->30350 30350->30344 30352 41d46e 30351->30352 30353 41d538 73 API calls 30352->30353 30354 41d47b DrawTextA 30353->30354 30354->30344 30355->30337 30356 43d5ec 30357 43d600 30356->30357 30358 43d63b 30356->30358 30372 40bb54 30357->30372 30362 43d665 30358->30362 30363 43d69d 30358->30363 30360 43d60a 30360->30358 30361 43d61b GetModuleHandleA 30360->30361 30361->30358 30364 43d62b GetProcAddress 30361->30364 30387 43c534 57 API calls 30362->30387 30388 43c534 57 API calls 30363->30388 30364->30358 30367 43d679 30369 40b3c0 56 API calls 30367->30369 30371 43d696 30367->30371 30368 43d6af 30370 40b3c0 56 API calls 30368->30370 30368->30371 30369->30371 30370->30371 30373 404030 11 API calls 30372->30373 30374 40bb81 30373->30374 30389 4044a8 30374->30389 30376 40bb89 30377 40bba1 30376->30377 30378 40bc14 30376->30378 30379 4026bc 25 API calls 30377->30379 30380 403f98 11 API calls 30378->30380 30382 40bba8 30379->30382 30381 40bc29 30380->30381 30381->30360 30383 40bbd4 74D31540 30382->30383 30384 40bbee 30382->30384 30383->30384 30395 4026dc 11 API calls 30384->30395 30386 40bc0c 30386->30360 30387->30367 30388->30368 30390 404464 30389->30390 30391 40405c 25 API calls 30390->30391 30393 40449f 30390->30393 30392 40447b 30391->30392 30392->30393 30396 4026dc 11 API calls 30392->30396 30393->30376 30395->30386 30396->30393 30397 446a10 30398 
446a19 30397->30398 30401 446f50 30398->30401 30400 446a26 30402 447042 30401->30402 30403 446f67 30401->30403 30402->30400 30403->30402 30422 4464f0 30403->30422 30406 446fc7 30408 4464f0 2 API calls 30406->30408 30407 446fa1 30409 446b5c 62 API calls 30407->30409 30410 446fd5 30408->30410 30411 446fb3 30409->30411 30412 446fff 30410->30412 30413 446fd9 30410->30413 30414 446b5c 62 API calls 30411->30414 30425 446b5c 30412->30425 30415 446b5c 62 API calls 30413->30415 30417 446fc5 30414->30417 30418 446feb 30415->30418 30417->30400 30420 446b5c 62 API calls 30418->30420 30420->30417 30421 446b5c 62 API calls 30421->30417 30437 446470 30422->30437 30424 4464fe 30424->30406 30424->30407 30426 446b82 30425->30426 30427 446b9b 30426->30427 30428 446470 2 API calls 30426->30428 30429 446470 2 API calls 30427->30429 30428->30427 30430 446be9 30429->30430 30447 446a54 30430->30447 30432 446c03 30451 4468d8 59 API calls 30432->30451 30434 446c34 30435 446470 2 API calls 30434->30435 30436 446c3f 30435->30436 30436->30421 30438 435f60 30437->30438 30439 44648d GetWindowLongA 30438->30439 30440 4464ca 30439->30440 30441 4464aa 30439->30441 30446 4463f4 GetWindowLongA 30440->30446 30445 4463f4 GetWindowLongA 30441->30445 30444 4464b6 30444->30424 30445->30444 30446->30444 30448 446a91 30447->30448 30452 41c104 GetSysColor 30448->30452 30450 446b36 30450->30432 30451->30434 30452->30450 30453 447930 30454 447947 30453->30454 30455 447967 30453->30455 30464 408204 CloseHandle 30454->30464 30465 41d724 30454->30465 30468 4503e0 30454->30468 30485 415504 30454->30485 30492 4029e4 30454->30492 30501 408174 ReadFile 30454->30501 30456 4479a6 30455->30456 30503 4482e8 121 API calls 30455->30503 30464->30455 30466 40b3c0 56 API calls 30465->30466 30467 41d735 30466->30467 30467->30455 30504 44f2fc 30468->30504 30472 450433 30473 4154f0 SetFilePointer 30472->30473 30474 45044a 30473->30474 30475 4154f0 SetFilePointer 30474->30475 30476 45048c 30475->30476 30511 41576c 30476->30511 

    Control-flow Graph

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00405244
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405262
    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405280
    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0040529E
    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,0040532D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004052E7
    • RegQueryValueExA.ADVAPI32(?,00405494,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,0040532D,?,80000001), ref: 00405305
    • RegCloseKey.ADVAPI32(?,00405334,00000000,00000000,00000005,00000000,0040532D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405327
    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405344
    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405351
    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405357
    • lstrlen.KERNEL32(00000000), ref: 00405382
    • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 004053C9
    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 004053D9
    • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00405401
    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00405411
    • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00405437
    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00405447
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
    • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
    • API String ID: 1759228003-3917250287
    • Opcode ID: c1828d4c632c105ec37adc80877d736d352c149a478bcd9e0579c22d9dca4334
    • Instruction ID: f7beb9eaf6cdd640989f2263926a89276fb56c0972561b2e295e32785d48044f
    • Opcode Fuzzy Hash: c1828d4c632c105ec37adc80877d736d352c149a478bcd9e0579c22d9dca4334
    • Instruction Fuzzy Hash: 17516471A4064C7AEB21D6A49C86FEF77ACDB04744F4001FABA04F61C2D6BC9E448F65

    Control-flow Graph

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: RegisterAutomation$vcltest3.dll
    • API String ID: 0-2963190186
    • Opcode ID: 35324ef3bf25de509dd4b552b29c95d66d8a57b7c3fa430b3937596d4f1e97dd
    • Instruction ID: 5218b6c7c194d7282e0911990a4eb54b163a4fb2108c6bbb8cf652ae73199777
    • Opcode Fuzzy Hash: 35324ef3bf25de509dd4b552b29c95d66d8a57b7c3fa430b3937596d4f1e97dd
    • Instruction Fuzzy Hash: 57E14C74A00204EFF710DBAAC586A5EB7B5BF18314F6A81E6E4059B352C738EE41DB0D

    Control-flow Graph

    APIs
    • SendMessageA.USER32(?,00000223,00000000,00000000), ref: 0044B345
      • Part of subcall function 00405AC8: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405AF9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: LoadMessageSendString
    • String ID: XGD
    • API String ID: 1946433856-1399323217
    • Opcode ID: dfa1af7a0cc38e123e80a16589669d823468f62b688a80da2c82d2cdf10b7709
    • Instruction ID: 0668078093fc183e66de85c235ad988ec1f2911ab67d680ec52ba28628e37f03
    • Opcode Fuzzy Hash: dfa1af7a0cc38e123e80a16589669d823468f62b688a80da2c82d2cdf10b7709
    • Instruction Fuzzy Hash: 78F13A34A00604EFEB01DFA9C995B9E77F4EB08305F2541F6E5049B3A2D779EE009B98
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Capture
    • String ID:
    • API String ID: 1145282425-3916222277
    • Opcode ID: 1203fbb6b2c226813223ca5270aef35f703abd97615a003a8168cb938f4ba580
    • Instruction ID: b8caa9239dabfac692b2ffed2cc1bef5ca9bbc03452c712afbc58531a6d077e4
    • Opcode Fuzzy Hash: 1203fbb6b2c226813223ca5270aef35f703abd97615a003a8168cb938f4ba580
    • Instruction Fuzzy Hash: 4731AD703002008BC620FE39888571B63959F8C71AF18A93FB496CB792DABDDE099749
    APIs
    • GetKeyboardState.USER32(?), ref: 00430B99
    • KiUserCallbackDispatcher.NTDLL ref: 00430BEC
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CallbackDispatcherKeyboardStateUser
    • String ID:
    • API String ID: 4281813569-0
    • Opcode ID: ca2ac82300db1998a27cf1e1ef2b6aa33c743d62a4831350e44c6b5e084548f8
    • Instruction ID: 17373eac9bae0b6b74ea094e4db06ac8de2d5c37fcb0c92600ae8c6e8cc7e929
    • Opcode Fuzzy Hash: ca2ac82300db1998a27cf1e1ef2b6aa33c743d62a4831350e44c6b5e084548f8
    • Instruction Fuzzy Hash: 1341C3347046058BDB20DFA8D5987AFF7A4AB0D308F1412ABD405DB396C778EE45CB9A
    APIs
    • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 00413462
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FindResource
    • String ID:
    • API String ID: 1635176832-0
    • Opcode ID: d336943d96f5de877602073a831ea8f9dd2d19d3bc60c01a3a98d462da734ac2
    • Instruction ID: d52a3f1eaabe00b9d7bf48c349a9c15dd64b7550f29fa8166f519327b7f56f6a
    • Opcode Fuzzy Hash: d336943d96f5de877602073a831ea8f9dd2d19d3bc60c01a3a98d462da734ac2
    • Instruction Fuzzy Hash: BC01F731300700AFD711EF5AEC82D9AB7ADDB85759B11407EF500D7391DA399D01865C
    APIs
    • GetVersion.KERNEL32(00000000,0043AE56), ref: 0043ADEA
      • Part of subcall function 0043AB9C: GetCurrentProcessId.KERNEL32(?,00000000,0043AD14), ref: 0043ABBD
      • Part of subcall function 0043AB9C: GlobalAddAtomA.KERNEL32(00000000), ref: 0043ABF0
      • Part of subcall function 0043AB9C: GetCurrentThreadId.KERNEL32 ref: 0043AC0B
      • Part of subcall function 0043AB9C: GlobalAddAtomA.KERNEL32(00000000), ref: 0043AC41
      • Part of subcall function 0043AB9C: RegisterClipboardFormatA.USER32(00000000), ref: 0043AC57
      • Part of subcall function 0043AB9C: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0043AD14), ref: 0043ACDB
      • Part of subcall function 0043AB9C: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0043ACEC
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
    • String ID:
    • API String ID: 3775504709-0
    • Opcode ID: 552a8bf72eca3bb832aa8470692a02fb78c0c4464220621faf16aaa34da67ff5
    • Instruction ID: 72ae4f42b5771aaefea14303de2cc1c84d85bc134ba7b08472dfa1a5e01663e7
    • Opcode Fuzzy Hash: 552a8bf72eca3bb832aa8470692a02fb78c0c4464220621faf16aaa34da67ff5
    • Instruction Fuzzy Hash: E6F04F34384600AFC211EF25EC4395537A5E74A7567D05836E84043677C739FDA28B8F
    APIs
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0044DF3E
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: NtdllProc_Window
    • String ID:
    • API String ID: 4255912815-0
    • Opcode ID: 50a58cb764629b85462eef6be68e564f5d351410297d012f444c097f237695d0
    • Instruction ID: ea629bdc5506786fa2aff2d8aef0cc4f83d968ae4f5f651a9e1a0c602be7a469
    • Opcode Fuzzy Hash: 50a58cb764629b85462eef6be68e564f5d351410297d012f444c097f237695d0
    • Instruction Fuzzy Hash: 51F0C579205608AFCB40DF9DC588D4AFBE8BB4C260B058195BD88CB321C234FD90CF90

    Control-flow Graph

    APIs
    • GetCurrentProcessId.KERNEL32(?,00000000,0043AD14), ref: 0043ABBD
    • GlobalAddAtomA.KERNEL32(00000000), ref: 0043ABF0
    • GetCurrentThreadId.KERNEL32 ref: 0043AC0B
    • GlobalAddAtomA.KERNEL32(00000000), ref: 0043AC41
    • RegisterClipboardFormatA.USER32(00000000), ref: 0043AC57
      • Part of subcall function 00413AA4: RtlInitializeCriticalSection.NTDLL(004115E0), ref: 00413AC3
      • Part of subcall function 0043A7A0: SetErrorMode.KERNEL32(00008000), ref: 0043A7B9
      • Part of subcall function 0043A7A0: GetModuleHandleA.KERNEL32(USER32,00000000,0043A906,?,00008000), ref: 0043A7DD
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0043A7EA
      • Part of subcall function 0043A7A0: LoadLibraryA.KERNEL32(imm32.dll,00000000,0043A906,?,00008000), ref: 0043A806
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0043A828
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0043A83D
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0043A852
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0043A867
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0043A87C
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0043A891
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0043A8A6
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0043A8BB
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0043A8D0
      • Part of subcall function 0043A7A0: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0043A8E5
      • Part of subcall function 0043A7A0: SetErrorMode.KERNEL32(?,0043A90D,00008000), ref: 0043A900
      • Part of subcall function 0044C630: GetKeyboardLayout.USER32(00000000), ref: 0044C675
      • Part of subcall function 0044C630: 73A0A570.USER32(00000000,?,?,00000000,?,0043AC96,00000000,00000000,?,?,00000000,0043AD14), ref: 0044C6CA
      • Part of subcall function 0044D714: LoadIconA.USER32(00400000,MAINICON), ref: 0044D7F9
      • Part of subcall function 0044D714: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,0043ACAC,00000000,00000000,?,?,00000000,0043AD14), ref: 0044D82B
      • Part of subcall function 0044D714: OemToCharA.USER32(?,?), ref: 0044D83E
      • Part of subcall function 0044D714: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,0043ACAC,00000000,00000000,?,?,00000000,0043AD14), ref: 0044D87E
    • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0043AD14), ref: 0043ACDB
    • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0043ACEC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$A570ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
    • String ID: ,ZD$AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
    • API String ID: 715191208-1731191852
    • Opcode ID: ba600930fb086085ce01c38aef2be4d652043c1f37846bf905245dba44463eb4
    • Instruction ID: 5c120ece09b689a7d862418242dbb6b4e74008c6399f3a212920f7f089f496a9
    • Opcode Fuzzy Hash: ba600930fb086085ce01c38aef2be4d652043c1f37846bf905245dba44463eb4
    • Instruction Fuzzy Hash: B7414174A402059FC700FF65D882A8E77B5AB4834AF50453BF401E73A3DB39AA14CB6D

    Control-flow Graph

    APIs
      • Part of subcall function 0041A2C0: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041A2DE
    • GetClassInfoA.USER32(00400000,0044D704,?), ref: 0044DA7B
    • RegisterClassA.USER32(00451D14), ref: 0044DA93
      • Part of subcall function 00405AC8: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405AF9
    • SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 0044DB2F
    • SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 0044DB51
    • SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 0044DB64
    • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,00445B04), ref: 0044DB6F
    • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00445B04), ref: 0044DB7E
    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00445B04), ref: 0044DB8B
    • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00445B04), ref: 0044DBA2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
    • String ID: H0E$c@
    • API String ID: 2103932818-2527060295
    • Opcode ID: 8f855f7bc19f2ecec0d4bf15bbb8f4b1198635f04baba18d819990f42b6d7680
    • Instruction ID: 31212b3e5b893ca59a369cae3d929e5ae4ee7d367fb59bab2e3239c555ad3166
    • Opcode Fuzzy Hash: 8f855f7bc19f2ecec0d4bf15bbb8f4b1198635f04baba18d819990f42b6d7680
    • Instruction Fuzzy Hash: 4C412170A403406FE710EF69DC82F6A37A8AB05709F554476FE01EB2E3D678E814876C

    Control-flow Graph

    APIs
    • GetClassInfoA.USER32(?,?,?), ref: 00432FDC
    • UnregisterClassA.USER32(?,?), ref: 00433004
    • RegisterClassA.USER32(?), ref: 0043301A
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00433056
    • GetWindowLongA.USER32(00000000,000000F4), ref: 0043306B
    • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0043307E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ClassLongWindow$InfoRegisterUnregister
    • String ID: @
    • API String ID: 717780171-2766056989
    • Opcode ID: bce89339ea04d40ec3f10de52aa73c461cfb78f4843b8571fd5ba0d6598c14e4
    • Instruction ID: 7cf4722bd28ae84bf3e28bb84929a5bb032b4c874454fddb0d97283ab743fe64
    • Opcode Fuzzy Hash: bce89339ea04d40ec3f10de52aa73c461cfb78f4843b8571fd5ba0d6598c14e4
    • Instruction Fuzzy Hash: 945190306007149BDB24DF69CC81B9AB7F9AF09308F10456AF445E7292DB78AE45CB58

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 442 44ee7c-44eec4 GetActiveWindow 445 44ef26-44ef42 call 445c84 call 445ba0 call 44de20 442->445 446 44eec6-44eefe GetWindowRect 442->446 458 44ef44 445->458 459 44ef4a-44ef7d MessageBoxA 445->459 451 44ef00 446->451 452 44ef03-44ef10 446->452 451->452 453 44ef15-44ef21 SetWindowPos 452->453 454 44ef12 452->454 453->445 454->453 458->459 460 44efb7-44efd0 call 445d38 SetActiveWindow call 445ba8 459->460 461 44ef7f-44ef8f 459->461 463 44ef94-44efa1 461->463 464 44ef91 461->464 466 44efa6-44efb2 SetWindowPos 463->466 467 44efa3 463->467 464->463 466->460 467->466
    APIs
    • GetActiveWindow.USER32 ref: 0044EE8F
    • GetWindowRect.USER32(?,?), ref: 0044EEE9
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0044EF21
    • MessageBoxA.USER32(?,?,?,?), ref: 0044EF62
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0044EFD8), ref: 0044EFB2
    • SetActiveWindow.USER32(?,0044EFD8), ref: 0044EFC3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$Active$MessageRect
    • String ID: (
    • API String ID: 3147912190-3887548279
    • Opcode ID: c55a9a22bcb39223800f7bda5a7d57f8a856ca360eb5f3ddf395b61c32afa2e1
    • Instruction ID: 1b3dbf809c81d70942251af540491d62d4262842fd4d2506e443129a22d571ee
    • Opcode Fuzzy Hash: c55a9a22bcb39223800f7bda5a7d57f8a856ca360eb5f3ddf395b61c32afa2e1
    • Instruction Fuzzy Hash: 8F412C75E00208AFEB04DBA9DD85FAEB7F9FB48304F554469F501EB391D678AD008B54

    Control-flow Graph

    APIs
    • LoadIconA.USER32(00400000,MAINICON), ref: 0044D7F9
    • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,0043ACAC,00000000,00000000,?,?,00000000,0043AD14), ref: 0044D82B
    • OemToCharA.USER32(?,?), ref: 0044D83E
    • CharLowerA.USER32(?,00400000,?,00000100,?,?,?,0043ACAC,00000000,00000000,?,?,00000000,0043AD14), ref: 0044D87E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Char$FileIconLoadLowerModuleName
    • String ID: ,0E$40E$MAINICON
    • API String ID: 3935243913-1394781420
    • Opcode ID: 5fc5cde21c2b0d6c5e431a542182b62e3ad506543aa475ca2b55093f68bbfa8a
    • Instruction ID: 0f6a6e605f853bbc4fd51d21610afd668d1f6bf7d30f8f7b1c9378d9abdc2876
    • Opcode Fuzzy Hash: 5fc5cde21c2b0d6c5e431a542182b62e3ad506543aa475ca2b55093f68bbfa8a
    • Instruction Fuzzy Hash: 58514270A042449FE700EF79C885B857BE5AB15308F4481FAE848DF397D7B9D988CB69

    Control-flow Graph

    APIs
    • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 0044CE60
    • CreateFontIndirectA.GDI32(?), ref: 0044CE6D
    • GetStockObject.GDI32(0000000D), ref: 0044CE83
      • Part of subcall function 0041C864: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041C871
    • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0044CEAC
    • CreateFontIndirectA.GDI32(?), ref: 0044CEBC
    • CreateFontIndirectA.GDI32(?), ref: 0044CED5
    • GetStockObject.GDI32(0000000D), ref: 0044CEFB
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
    • String ID:
    • API String ID: 2891467149-0
    • Opcode ID: 4417cf13216f5eac561df164cc1ae5806d44352776ac030f060b2d80846d9956
    • Instruction ID: 68a43d64b3bd12ba8499a259b57552975cb3a7a984f48c4c5299a6f0e0cec89f
    • Opcode Fuzzy Hash: 4417cf13216f5eac561df164cc1ae5806d44352776ac030f060b2d80846d9956
    • Instruction Fuzzy Hash: CA31C8306442449BEB50FB65CC91B9A33E5AB44305F4440B6B90CDB2D7DF7C9949CB2D

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 539 42c5f4-42c631 SetWindowLongA GetWindowLongA 540 42c633-42c640 GetWindowLongA 539->540 541 42c651-42c690 SetPropA * 2 539->541 540->541 542 42c642-42c64c SetWindowLongA 540->542 544 42c69a call 41a296 541->544 545 42c69a call 41a298 541->545 542->541 543 42c6a0-42c6a8 544->543 545->543
    APIs
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0042C61C
    • GetWindowLongA.USER32(?,000000F0), ref: 0042C627
    • GetWindowLongA.USER32(?,000000F4), ref: 0042C639
    • SetWindowLongA.USER32(?,000000F4,?), ref: 0042C64C
    • SetPropA.USER32(?,00000000,00000000), ref: 0042C663
    • SetPropA.USER32(?,00000000,00000000), ref: 0042C67A
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: LongWindow$Prop
    • String ID:
    • API String ID: 3887896539-0
    • Opcode ID: 90f5519d2ddd6d6634bf4c2caae3f52a5b998bdac4ebe88b2b75cd707796d6c4
    • Instruction ID: 223de257047c42ff72fad93ec256e46627669740c6bae7c34d97aecc74042ea8
    • Opcode Fuzzy Hash: 90f5519d2ddd6d6634bf4c2caae3f52a5b998bdac4ebe88b2b75cd707796d6c4
    • Instruction Fuzzy Hash: EE11DDB5100214BFCB00DF99DD85EEA37ECAB08355F104226B918DB2A2D734ED50DB64

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 546 447b54-447bad call 432864 call 431fc0 550 447bb2-447bbc 546->550 551 447bc2-447bcc 550->551 552 447d1e-447d29 550->552 551->552 553 447bd2-447bdc 551->553 554 447d35-447d40 552->554 555 447d2b-447d30 call 42f21c 552->555 556 447c21-447c47 call 447edc 553->556 557 447bde-447bf0 553->557 559 447d42-447d47 call 42f260 554->559 560 447d4c-447d5d 554->560 555->554 556->552 570 447c4d-447c78 call 4471b4 call 435a24 556->570 557->556 563 447bf2-447c1c call 41c7a4 MulDiv call 41c7ac 557->563 559->560 561 447d83-447da9 call 430998 call 43286c 560->561 562 447d5f-447d7e call 4471b4 call 435a24 560->562 562->561 563->556 582 447c9d-447ca7 570->582 583 447c7a-447c97 MulDiv 570->583 584 447ccc-447cd6 582->584 585 447ca9-447cc6 MulDiv 582->585 583->582 584->552 586 447cd8-447d18 MulDiv * 2 584->586 585->584 586->552
    APIs
    • MulDiv.KERNEL32(00000000,?,00000000), ref: 00447C13
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00447C8F
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00447CBE
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00447CED
    • MulDiv.KERNEL32(?,00000000,00000000), ref: 00447D10
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1f4dd101e78d1123d58b1d01d8c3bd87972181bdf11e6372f86b40c1f25385fb
    • Instruction ID: 6b98af41ae13baf1ccb26d0bcd5025a99b038d98a5d8f20a3e1cc80b8858522e
    • Opcode Fuzzy Hash: 1f4dd101e78d1123d58b1d01d8c3bd87972181bdf11e6372f86b40c1f25385fb
    • Instruction Fuzzy Hash: 9471D574A04104EFDB04DBA9C989FAAB3F5AF48304F2941F5E808DB362C775AE459B44

    Control-flow Graph

    APIs
    • OffsetRect.USER32(?,00000001,00000001), ref: 004292C6
    • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 004292FE
    • OffsetRect.USER32(?,000000FF,000000FF), ref: 00429308
    • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00429340
    • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00429367
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: DrawText$OffsetRect
    • String ID:
    • API String ID: 1886049697-0
    • Opcode ID: 1dd480ce0cf73243ced3fac953a8c8dc1023b56f750d401deb0dba619d021372
    • Instruction ID: dfc67ea9de4e464d93c999f342c5e4f5ff43d82913e9498903ff5891f3c8c98d
    • Opcode Fuzzy Hash: 1dd480ce0cf73243ced3fac953a8c8dc1023b56f750d401deb0dba619d021372
    • Instruction Fuzzy Hash: 6731C670700114BFDB11FB69CC86F8B77E8AF89318F5540BAF904EB292CB789D048668

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 630 403595-4036f3 632 4036f9-403705 630->632 633 40380c-403811 630->633 634 403775-40377c 632->634 635 403707-403715 call 403184 632->635 637 40379c-4037c4 RtlUnwind call 405d34 634->637 638 40377e-403785 634->638 635->633 642 40371b-40371f 635->642 643 4037c9-4037ea call 403650 637->643 638->637 641 403787-40379a UnhandledExceptionFilter 638->641 641->633 641->637 642->633 647 403725-403733 642->647 643->633 648 403735-403741 call 403600 647->648 649 40376c-403772 647->649 648->649 652 403743-40374a 648->652 649->634 652->649 653 40374c-40375b UnhandledExceptionFilter 652->653 653->633 654 403761-40376a 653->654 654->637
    APIs
    • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00403752
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 0040378F
    • RtlUnwind.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 004037BA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$Unwind
    • String ID: 7@
    • API String ID: 1141220122-48919864
    • Opcode ID: 7a2f560e3c8578be18d3d2bffa844a8fd8abcc3b349f5ea86b842f2202be25cb
    • Instruction ID: dc8d6599d211b75bd229378007c2d3a73e186684281d5d64ed4d8d6c6692cc67
    • Opcode Fuzzy Hash: 7a2f560e3c8578be18d3d2bffa844a8fd8abcc3b349f5ea86b842f2202be25cb
    • Instruction Fuzzy Hash: 4A314FB5604341AFD721DF11C885B2B7FE9EB84716F14C5BAF444A72E1C638ED44CA29

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 655 4490ac-4490ce 656 449140-449148 655->656 657 4490d0-4490dd call 44c8dc 655->657 659 449151-449155 656->659 660 44914a-44914c call 442be4 656->660 657->656 665 4490df-4490e3 657->665 662 449157-449159 659->662 663 449161 659->663 660->659 666 449163-44916b 662->666 667 44915b-44915f 662->667 663->666 668 4490e5-4490f7 call 44c8c8 665->668 669 449176-449178 666->669 670 44916d-449171 call 419300 666->670 667->663 667->666 679 4490f9-449107 call 44c8c8 668->679 680 44913a-44913e 668->680 673 44917e-449182 669->673 674 449229-449232 call 4361c0 669->674 670->669 677 449184-44918b 673->677 678 449191-44919b 673->678 685 449234-44923e call 435f60 SetMenu 674->685 686 449243-44924a 674->686 677->674 677->678 682 4491a6-4491aa 678->682 683 44919d-4491a4 678->683 679->680 698 449109-449135 call 405ac8 call 40b340 call 4039d4 679->698 680->656 680->668 687 4491ac-4491b5 call 4361c0 682->687 688 449204-44920b 682->688 683->682 683->687 685->686 692 449255-449271 call 448fe4 call 403f98 686->692 693 44924c-449250 call 44a170 686->693 687->686 701 4491bb-4491d7 call 435f60 GetMenu 687->701 688->686 689 44920d-449216 call 4361c0 688->689 689->686 706 449218-449227 call 435f60 SetMenu 689->706 693->692 698->680 717 4491f2-449202 call 435f60 call 442be4 701->717 718 4491d9-4491ed call 435f60 SetMenu 701->718 706->686 717->686 718->717
    APIs
    • GetMenu.USER32(00000000), ref: 004491D0
    • SetMenu.USER32(00000000,00000000), ref: 004491ED
    • SetMenu.USER32(00000000,00000000), ref: 00449222
    • SetMenu.USER32(00000000,00000000), ref: 0044923E
      • Part of subcall function 00405AC8: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405AF9
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Menu$LoadString
    • String ID:
    • API String ID: 3688185913-0
    • Opcode ID: 96647837d8cc770f3376861dc7d1a8cabea5637391d45b0d36ad9049dd30e674
    • Instruction ID: a49d4a58b57a9a5d5b91ca001e090ecc83ecc2cc9de08e8b309696363b7ee16b
    • Opcode Fuzzy Hash: 96647837d8cc770f3376861dc7d1a8cabea5637391d45b0d36ad9049dd30e674
    • Instruction Fuzzy Hash: 2551B030A002056BFB51AF6A8D8AB5B77A4AF04308F0844BBFC049B397CA7CDD45979C

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 726 41a37c-41a3aa GetClassInfoA 727 41a3b6-41a3b8 726->727 728 41a3ac-41a3b4 726->728 730 41a3cb-41a3d0 RegisterClassA 727->730 731 41a3ba-41a3c6 UnregisterClassA 727->731 728->727 729 41a3d5-41a3fe call 4068e8 728->729 733 41a403-41a40a 729->733 730->729 731->730 734 41a420-41a426 733->734 735 41a40c-41a41b call 41a2c0 SetWindowLongA 733->735 735->734
    APIs
    • GetClassInfoA.USER32(00400000,0041A36C,?), ref: 0041A39D
    • UnregisterClassA.USER32(0041A36C,00400000), ref: 0041A3C6
    • RegisterClassA.USER32(004513F0), ref: 0041A3D0
    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041A41B
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Class$InfoLongRegisterUnregisterWindow
    • String ID:
    • API String ID: 4025006896-0
    • Opcode ID: 8107e7ed0f661bc431a24e329a109b217a89d133708975af0a1b6ec4f392ee82
    • Instruction ID: 51801598484dabbdab155e9cd1df119a00e2851362cbc21881ff9941b53010c2
    • Opcode Fuzzy Hash: 8107e7ed0f661bc431a24e329a109b217a89d133708975af0a1b6ec4f392ee82
    • Instruction Fuzzy Hash: 03015E712002046BCA10EFA89D81F9A739DE70935AF108136F905E73E3D779D964876D
    APIs
    • EnumWindows.USER32(Function_0004DC2C), ref: 0044DCD1
    • GetWindow.USER32(?,00000003), ref: 0044DCE9
    • GetWindowLongA.USER32(00000000,000000EC), ref: 0044DCF6
    • SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_0004DC2C), ref: 0044DD35
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$EnumLongWindows
    • String ID:
    • API String ID: 4191631535-0
    • Opcode ID: 68d72c8342ace2c8e7323b550c0a7c9a41958ba4dc3d5272652d4d318ed99e6c
    • Instruction ID: 01334f1865a3f060a981d2212c8632f7097e576ba7c96b0edc5c5f0c6148e5c6
    • Opcode Fuzzy Hash: 68d72c8342ace2c8e7323b550c0a7c9a41958ba4dc3d5272652d4d318ed99e6c
    • Instruction Fuzzy Hash: 14117070E04210AFE710AF29DC86FAA73D4AB45729F15017AF958AF2D7C3789C40C759
    APIs
    • RtlInitializeCriticalSection.NTDLL(004535C8), ref: 00401A12
    • RtlEnterCriticalSection.NTDLL(004535C8), ref: 00401A25
    • LocalAlloc.KERNEL32(00000000,00000FF8,00000000,00401AB2), ref: 00401A4F
    • RtlLeaveCriticalSection.NTDLL(004535C8), ref: 00401AAC
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
    • String ID:
    • API String ID: 730355536-0
    • Opcode ID: 3b1e3a6bdd0056be1461d6068ebfd5ea7143707b73bc7b2b0349f35756a9e961
    • Instruction ID: 583259e4f94697a40e83840c9e2eea04b7f2e278474bb0a0f48a6d649071c1b5
    • Opcode Fuzzy Hash: 3b1e3a6bdd0056be1461d6068ebfd5ea7143707b73bc7b2b0349f35756a9e961
    • Instruction Fuzzy Hash: 6101C4703443847EE326AF6998067193AC0E749B8BF40847FF801A6BF3D67C8A548B1D
    APIs
    • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00403752
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 0040378F
    • RtlUnwind.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 004037BA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$Unwind
    • String ID: 7@
    • API String ID: 1141220122-48919864
    • Opcode ID: 175c351f8405b4a6abe59d5b5870e9e72847ee723eb0437b1520eee776f6aedf
    • Instruction ID: 534b490c66e516f029478dbb3dbfacff936f2b4e755ba76214a54c3a17ab909c
    • Opcode Fuzzy Hash: 175c351f8405b4a6abe59d5b5870e9e72847ee723eb0437b1520eee776f6aedf
    • Instruction Fuzzy Hash: 69215EB0604301AFD320EF15C885F27BFA9EB88716F15C57AF408672A1C738ED40CA69
    APIs
    • GetSystemMetrics.USER32(?), ref: 00423A5E
      • Part of subcall function 00423914: GetProcAddress.KERNEL32(75A50000,00000000), ref: 00423994
    • KiUserCallbackDispatcher.NTDLL(?), ref: 00423A24
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressCallbackDispatcherMetricsProcSystemUser
    • String ID: GetSystemMetrics
    • API String ID: 54681038-96882338
    • Opcode ID: dbe17d65a29cd4461b18b1b2af3dcf433689dcde27356c890c73619d7e012486
    • Instruction ID: 8b6d816eff4015df0610ae27c21616e19ed32740a3a86f36240285cbb9419dde
    • Opcode Fuzzy Hash: dbe17d65a29cd4461b18b1b2af3dcf433689dcde27356c890c73619d7e012486
    • Instruction Fuzzy Hash: BFF0C2707002646ACB045E38BC8122635A993463B3FE06633F5A2466E1C23CCF81431C
    APIs
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0044EAD3
    • TranslateMessage.USER32 ref: 0044EB3D
    • DispatchMessageA.USER32 ref: 0044EB43
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message$DispatchPeekTranslate
    • String ID:
    • API String ID: 4217535847-0
    • Opcode ID: 2091fcb2c6691bf58ed2ff2e06ce92d0e4ae7ddd6a12b40418f9b3fca2d6dde7
    • Instruction ID: 50c4e3767dc840fb4eeb8d6573e670cae315c91e4d23696e8c239976c4aa670e
    • Opcode Fuzzy Hash: 2091fcb2c6691bf58ed2ff2e06ce92d0e4ae7ddd6a12b40418f9b3fca2d6dde7
    • Instruction Fuzzy Hash: F801B920300A4056FA31A62B484676BD685AFD171CF14452FF897A7382CA6DAC46836E
    APIs
      • Part of subcall function 004019FC: RtlInitializeCriticalSection.NTDLL(004535C8), ref: 00401A12
      • Part of subcall function 004019FC: RtlEnterCriticalSection.NTDLL(004535C8), ref: 00401A25
      • Part of subcall function 004019FC: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,00401AB2), ref: 00401A4F
      • Part of subcall function 004019FC: RtlLeaveCriticalSection.NTDLL(004535C8), ref: 00401AAC
    • RtlEnterCriticalSection.NTDLL(004535C8), ref: 00402133
    • RtlLeaveCriticalSection.NTDLL(004535C8), ref: 0040225E
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
    • String ID:
    • API String ID: 2227675388-0
    • Opcode ID: b6204e15c76fdf11d91032c6b3b3378c335b289e1b42dfee736d17722581e8bd
    • Instruction ID: 2ffd8368130c4560c5623319e7cb71359c0d6a98c49d206e805a1eded635daba
    • Opcode Fuzzy Hash: b6204e15c76fdf11d91032c6b3b3378c335b289e1b42dfee736d17722581e8bd
    • Instruction Fuzzy Hash: D841E2B2A04704AFD725CF69DD8522977A0FB4535AB2541BED402E73E2E378DA41CB4C
    APIs
    • GetKeyboardLayout.USER32(00000000), ref: 0044C675
    • 73A0A570.USER32(00000000,?,?,00000000,?,0043AC96,00000000,00000000,?,?,00000000,0043AD14), ref: 0044C6CA
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: A570KeyboardLayout
    • String ID:
    • API String ID: 3858012219-0
    • Opcode ID: 1a4863058fc6bf990e7db27412d98f5ad2adba4b2ade4db5f91abc980ded029d
    • Instruction ID: d141e58b160a95a9971bb9c52db43ab83f149a9ca41ae475b91e41191fbc22c3
    • Opcode Fuzzy Hash: 1a4863058fc6bf990e7db27412d98f5ad2adba4b2ade4db5f91abc980ded029d
    • Instruction Fuzzy Hash: 7031F871641200AFD380EF6AD8C1B997BE5AB15318F4480BAE909DF3A6DB3998448B59
    APIs
    • KillTimer.USER32(?,00000001,00000000,00427617,?,?,?,00000000), ref: 004275B5
    • SetTimer.USER32(?,00000001,?,00000000), ref: 004275D7
      • Part of subcall function 00405AC8: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405AF9
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Timer$KillLoadString
    • String ID:
    • API String ID: 1423459280-0
    • Opcode ID: a575a02a05c5294d007f4aa00f1c3cbdad9818d92bd121ec3cc6409b28054144
    • Instruction ID: 92c97347fcdcd037fdde37c7e7cddec5b166fd414151da7dfa3f11a39dd26e6d
    • Opcode Fuzzy Hash: a575a02a05c5294d007f4aa00f1c3cbdad9818d92bd121ec3cc6409b28054144
    • Instruction Fuzzy Hash: 3701D430708610ABDB15EF65DC82B5A3BACFB05718F910466FD00AB2D2D6BAAD40CB5C
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,0044F308,?,00450424,00000040), ref: 00402A08
    • GetCommandLineA.KERNEL32(?,?,?,0044F308,?,00450424,00000040), ref: 00402A1A
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CommandFileLineModuleName
    • String ID:
    • API String ID: 2151003578-0
    • Opcode ID: 9f92e44a086866d1a54f686d4457ba513672dda316bb3cb1ca171301071f8386
    • Instruction ID: ef75cab301882057ec912ba7fc71ebc1038616b2d77fcc341c514bc21e2e30e7
    • Opcode Fuzzy Hash: 9f92e44a086866d1a54f686d4457ba513672dda316bb3cb1ca171301071f8386
    • Instruction Fuzzy Hash: 94F0A022B016102BC371656D0D8A76F21894BC97A9F55013FB989FB3C2EDBCCC05579E
    APIs
    • LoadCursorA.USER32(00000000,00007F00), ref: 0044C9F9
    • LoadCursorA.USER32(00000000,00000000), ref: 0044CA28
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CursorLoad
    • String ID:
    • API String ID: 3238433803-0
    • Opcode ID: 946b507f89712c7b4da3f1bcc2e68504f509ed5c02bd14799d0971aca992e493
    • Instruction ID: 42318a22ceff13984c51b4f9d45916f6bb261499e4dba2e409f48ac372f64972
    • Opcode Fuzzy Hash: 946b507f89712c7b4da3f1bcc2e68504f509ed5c02bd14799d0971aca992e493
    • Instruction Fuzzy Hash: 09F0A7217022081AAAA0993E5CC0F3B72949F81375B25033BF93EE73D1CA2A5C0542A9
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Global$Alloc
    • String ID:
    • API String ID: 2558781224-0
    • Opcode ID: a91d873cc96961059f0ff57fc0c7ac3617c9ee3aa2e20b9fa74691af3b7816ce
    • Instruction ID: 5cad6465f3f68d4b87defad640e66c30e4223c025fc79113f1a96eedb349490d
    • Opcode Fuzzy Hash: a91d873cc96961059f0ff57fc0c7ac3617c9ee3aa2e20b9fa74691af3b7816ce
    • Instruction Fuzzy Hash: 939002C88C070028DC10F2B20C0AC2B001C58D47493C2C86E3446F2082883C84284038
    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0040181D), ref: 00401543
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0040181D), ref: 0040156A
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 7beb91561f0efeeed9f0ab8d64cb148c1d0bf66b57a63e85dfba3f1b6ffcb385
    • Instruction ID: cf75af8544afd07ba48e58c64b50c9c68db351cba55f46329150e649f8581782
    • Opcode Fuzzy Hash: 7beb91561f0efeeed9f0ab8d64cb148c1d0bf66b57a63e85dfba3f1b6ffcb385
    • Instruction Fuzzy Hash: D7F08272F0062037EB605AAA5C81B535A849B85BA1F1540B6FE09FF3E9D6B58D0142AD
    APIs
    • 74D31540.VERSION(?,0040BC3C,?,?,00000000,?,00000000,?,00000000,0040BC0D,?,00000000,?,00000000,0040BC2A), ref: 0040BBE5
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: D31540
    • String ID:
    • API String ID: 877547627-0
    • Opcode ID: 70dc671eab7e8021efdf159997ee0a53fb36400572a46f7e41e609046fffc598
    • Instruction ID: fe5c05a776472b7a48512a3f08e2f2ddd74b9b174366871c1cd30cd734216185
    • Opcode Fuzzy Hash: 70dc671eab7e8021efdf159997ee0a53fb36400572a46f7e41e609046fffc598
    • Instruction Fuzzy Hash: B8216071A04349AFDB00EFA6CC918AEB7FCEB48704B51447AB510F36C1DB389910CA68
    APIs
    • 74D31540.VERSION(?,0040BC3C,?,?,00000000,?,00000000,?,00000000,0040BC0D,?,00000000,?,00000000,0040BC2A), ref: 0040BBE5
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: D31540
    • String ID:
    • API String ID: 877547627-0
    • Opcode ID: 9d0832efcbe92e415bc80ae49fe5a5e99190bee102a933d321a8b4df8e3d751b
    • Instruction ID: 1f6e83d7888c51a49567384e01e72ccaa5c6c471d1b2e471869e821ada321808
    • Opcode Fuzzy Hash: 9d0832efcbe92e415bc80ae49fe5a5e99190bee102a933d321a8b4df8e3d751b
    • Instruction Fuzzy Hash: DD214FB1A00249AFDB00EFA6CC819AEB7FCEB48300B51447AB510F37D1DB38DD108A68
    APIs
    • IsChild.USER32(00000000,00000000), ref: 0044F746
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Child
    • String ID:
    • API String ID: 3815930669-0
    • Opcode ID: 05eec89d258b462de2ce5b06a1b32d65c82f13c5080944e4a764b8d00691f69d
    • Instruction ID: abe84b5dc14711c47949da6383b790c69994b20b74d60d61dd6cf421e13155f2
    • Opcode Fuzzy Hash: 05eec89d258b462de2ce5b06a1b32d65c82f13c5080944e4a764b8d00691f69d
    • Instruction Fuzzy Hash: 8101B1316052045BFB10BA7A9C86B9AB388AB0435AF1514BFE804C7223DA6CAC0D836C
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00445CD3
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: 85acf6f3b726396569288a9a19543c0d6a1cc384ebdcd83b785ef04d5aa1e6a0
    • Instruction ID: c1a660ff195ec006c18f537c4c2f0086d1d0571b9a038ecdcba900b461bb4d22
    • Opcode Fuzzy Hash: 85acf6f3b726396569288a9a19543c0d6a1cc384ebdcd83b785ef04d5aa1e6a0
    • Instruction Fuzzy Hash: 6F0196B4A48B08AFE716CF75EC51A56BBF8E749711B31C4B6F804D37A1FA359810CA18
    APIs
    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406927
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateWindow
    • String ID:
    • API String ID: 716092398-0
    • Opcode ID: 0f791f5ec92d7411cc98720ed8fc28380d029dde8c53ca6ab55f4098cc804929
    • Instruction ID: a1ea4f537def597f0d8eafb2af3ec7fe264bd959d4d79f8b4be7ffa4cc5ae198
    • Opcode Fuzzy Hash: 0f791f5ec92d7411cc98720ed8fc28380d029dde8c53ca6ab55f4098cc804929
    • Instruction Fuzzy Hash: 5DF097B2700118BF9B54DE9DDD85EDB77ECEB4C264B054129FA0CD3241D674ED118BA4
    APIs
    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406927
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateWindow
    • String ID:
    • API String ID: 716092398-0
    • Opcode ID: 85e4eb90c000c236c85eadefe313f4ffd22fa3105f9eac2d859ba02dd15c19cb
    • Instruction ID: 8761abcc5e0de4f36270b4d166460707e36bed0b94037eac86428746de3cac8e
    • Opcode Fuzzy Hash: 85e4eb90c000c236c85eadefe313f4ffd22fa3105f9eac2d859ba02dd15c19cb
    • Instruction Fuzzy Hash: EDF097B2700118BF8B54DE9DDD85EDB77ECEB4C264B054129FA0CD3241D674ED118BA4
    APIs
    • CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040697D
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateWindow
    • String ID:
    • API String ID: 716092398-0
    • Opcode ID: d0f946a022014cc29194e441e8b5c77c45096e0facff00cf9c5014c6900ae325
    • Instruction ID: affc1f74db55f877845228fcc478fb201e6c98128e2172a54fe4ea5c36da1ff9
    • Opcode Fuzzy Hash: d0f946a022014cc29194e441e8b5c77c45096e0facff00cf9c5014c6900ae325
    • Instruction Fuzzy Hash: B4F0A4B2704118BFDB94EE9EDD85E9B77ECEB4C2A4B01412ABA0CD7241D574ED108BB4
    APIs
    • CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00411B90,00415A7D,00000000,00415AF1,?,?,00411B90), ref: 0040813E
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 6af1f91ef60771e283218e7d165db757e6a16e3fb76ec51ca416dff53a4648fe
    • Instruction ID: 73556818595afda8fb428cee9c4b05ae840671127ddee3e579885866755d1736
    • Opcode Fuzzy Hash: 6af1f91ef60771e283218e7d165db757e6a16e3fb76ec51ca416dff53a4648fe
    • Instruction Fuzzy Hash: 4EE09BB278061426F630799D9CC2F4B514DCB857A9F154136F254FB3D1C8BCDD025678
    APIs
    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0042F6B7
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CallbackDispatcherUser
    • String ID:
    • API String ID: 2492992576-0
    • Opcode ID: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
    • Instruction ID: 2b489bd349fd00ef9accd65a6c2d7a08998cef0b38985eff922cf8e7109b24d4
    • Opcode Fuzzy Hash: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
    • Instruction Fuzzy Hash: CDF0D4362042019FC704DF5CC8C498ABBE5FF89255F0446A8FA89CB356DA32E814CB92
    APIs
    • SetFilePointer.KERNEL32(?,?,?), ref: 004081EE
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FilePointer
    • String ID:
    • API String ID: 973152223-0
    • Opcode ID: 9362e36b477b8d2f17d95f0d2542597c349892a5c242623c80db0aca9ff87367
    • Instruction ID: e48b9c177319662518f7a72fe2d25d3797070b996332b7201b101041160d20e9
    • Opcode Fuzzy Hash: 9362e36b477b8d2f17d95f0d2542597c349892a5c242623c80db0aca9ff87367
    • Instruction Fuzzy Hash: 16E07D7690521CBF9B40DE98D881DDEB7FCEB4C220F208166F958E7341E671AF509B94
    APIs
    • GetTextExtentPoint32A.GDI32(?,00000000,00000000), ref: 0041D2B4
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExtentPoint32Text
    • String ID:
    • API String ID: 223599850-0
    • Opcode ID: 1e4441b65be6b2a42cd1bba153a450048c21cc7b057b599ad6549f92e5a533eb
    • Instruction ID: 2882c629fec5398937431efbce616a3475be225555e6d3541e794ac00559207f
    • Opcode Fuzzy Hash: 1e4441b65be6b2a42cd1bba153a450048c21cc7b057b599ad6549f92e5a533eb
    • Instruction Fuzzy Hash: 51E046A27002502B8340BA7E5C819AAAADD8E8922930584BEB658D3202D978CC044324
    APIs
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040500A
      • Part of subcall function 00405228: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00405244
      • Part of subcall function 00405228: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405262
      • Part of subcall function 00405228: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405280
      • Part of subcall function 00405228: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0040529E
      • Part of subcall function 00405228: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,0040532D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004052E7
      • Part of subcall function 00405228: RegQueryValueExA.ADVAPI32(?,00405494,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,0040532D,?,80000001), ref: 00405305
      • Part of subcall function 00405228: RegCloseKey.ADVAPI32(?,00405334,00000000,00000000,00000005,00000000,0040532D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405327
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Open$FileModuleNameQueryValue$Close
    • String ID:
    • API String ID: 2796650324-0
    • Opcode ID: d5427904652f5ba8a3bc9bd566ca1c4e364c2d2597e34f47e06bac7b8aae90ef
    • Instruction ID: 601c43af1b86a5baf1f7ade5755026d7888983744c97b2d85ddea5032360f8e0
    • Opcode Fuzzy Hash: d5427904652f5ba8a3bc9bd566ca1c4e364c2d2597e34f47e06bac7b8aae90ef
    • Instruction Fuzzy Hash: F8E06D71A007109BCB10DE98A8C1A4733D8EF08754F0009A6EC58EF386D375DD208FD4
    APIs
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00408188
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FileRead
    • String ID:
    • API String ID: 2738559852-0
    • Opcode ID: cdbd4e96fc96bc0da3afc34a471d300ea2477a13cbb8478637ae784473a0f48c
    • Instruction ID: 8e3de12ffa6bea3e6f7817845d45a5381e060ccc960286a9b3d50130fb25ae55
    • Opcode Fuzzy Hash: cdbd4e96fc96bc0da3afc34a471d300ea2477a13cbb8478637ae784473a0f48c
    • Instruction Fuzzy Hash: 4AD05B723081107AE220965B9D44DAB6BDCCFC6771F11473EB698D71C0D6308C05C375
    APIs
    • CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,00407C63,?,?,00407FED), ref: 00407C49
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CompareString
    • String ID:
    • API String ID: 1825529933-0
    • Opcode ID: 4d98ac596bbc3095024863dd18117834260709a08ba0ea580757958ad6e2b3c0
    • Instruction ID: d8a946469fb4c662e8264f08439ecf30c1e5bf11c0e10fcb1e9cca435003de85
    • Opcode Fuzzy Hash: 4d98ac596bbc3095024863dd18117834260709a08ba0ea580757958ad6e2b3c0
    • Instruction Fuzzy Hash: 32D09ED13805502AD650757E0D8AF5A028C4F9865AB02417EB718F62C3C9BC8D190279
    APIs
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041A2DE
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 47654bf4f5749e86cfb5fe69795fd4011a080b9ae9994a9bd7d44c1c5a3f31a3
    • Instruction ID: 22e07e2940b26a1af496465efa429a2871ea212a909c9859423be3a212b3051a
    • Opcode Fuzzy Hash: 47654bf4f5749e86cfb5fe69795fd4011a080b9ae9994a9bd7d44c1c5a3f31a3
    • Instruction Fuzzy Hash: 9C115A742007059FD715EF19C880B86FBE4EF48391F10C63AE9589B386D3B4E9548BA9
    APIs
    • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,004019A3), ref: 00401796
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: ada4bc285c6c62f61a6e6082d261e86dbd4f7ef44073bc39e1a310c80ee1332f
    • Instruction ID: 8df49091f02a2cf288e6fad50a234c35812bb7961e79dbf4db4e080adeca5516
    • Opcode Fuzzy Hash: ada4bc285c6c62f61a6e6082d261e86dbd4f7ef44073bc39e1a310c80ee1332f
    • Instruction Fuzzy Hash: 1301F77AA443045FC3119E29DCC0E2A77E8EBC4365F15057EDE84A73A1D23BAC0187E8
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 9c0b31670a7f2ec1ee81bf4c84056285455acb279aff4a6396ab197fca55fdb3
    • Instruction ID: bc94f687e7423355d4e12469526eecf85db425b74c2c873efbd4b41d98e7edd6
    • Opcode Fuzzy Hash: 9c0b31670a7f2ec1ee81bf4c84056285455acb279aff4a6396ab197fca55fdb3
    • Instruction Fuzzy Hash:
    APIs
    • SetErrorMode.KERNEL32(00008000), ref: 0043A7B9
    • GetModuleHandleA.KERNEL32(USER32,00000000,0043A906,?,00008000), ref: 0043A7DD
    • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0043A7EA
    • LoadLibraryA.KERNEL32(imm32.dll,00000000,0043A906,?,00008000), ref: 0043A806
    • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0043A828
    • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0043A83D
    • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0043A852
    • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0043A867
    • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0043A87C
    • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0043A891
    • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0043A8A6
    • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0043A8BB
    • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0043A8D0
    • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0043A8E5
    • SetErrorMode.KERNEL32(?,0043A90D,00008000), ref: 0043A900
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
    • String ID: @7E$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
    • API String ID: 3397921170-148836244
    • Opcode ID: a9a9ac582f1bd7c89cd02ce3a85eb950d47a7874c4c69b6c2442a75a7848d9ff
    • Instruction ID: e8554e0b627726343e32b6e08ccfda68c50dcdefd18f55bd79cbcabf07128018
    • Opcode Fuzzy Hash: a9a9ac582f1bd7c89cd02ce3a85eb950d47a7874c4c69b6c2442a75a7848d9ff
    • Instruction Fuzzy Hash: 073145B06C0300AED700DF65AC56F263698EB08746F52583BB051A72A7D67DE5208B5D
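The function records above all share one line format for their API entries (`Name.MODULE(args), ref: address`, with `?` for arguments the IDA plugin could not resolve statically and a bare hex value in place of a name when the callee was only known by address, as in `74D31540.VERSION`). The following triage helper is an added example, not Joe Sandbox code, that parses lines in that format and decodes the security-relevant arguments a reviewer would otherwise look up by hand: the `flProtect` value of `VirtualAlloc` (`00000040` is `PAGE_EXECUTE_READWRITE`, the RWX allocation at `0041A2DE` above), the `MEM_*` allocation type, the registry hive passed to `RegOpenKeyExA` (`80000001` is `HKEY_CURRENT_USER`), and the symbol names resolved through `GetProcAddress`. The sample input is constructed from lines copied out of this report; the constant tables are the documented Win32 values.

```python
import re
from dataclasses import dataclass, field

# Constructed input: API lines copied in the report's own record format from the
# function listings above. "?" marks an argument the plugin could not resolve.
SAMPLE_RECORD = """\
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041A2DE
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0040181D), ref: 00401543
• GetModuleHandleA.KERNEL32(USER32,00000000,0043A906,?,00008000), ref: 0043A7DD
• GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0043A7EA
• LoadLibraryA.KERNEL32(imm32.dll,00000000,0043A906,?,00008000), ref: 0043A806
• GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0043A828
  • Part of subcall function 00405228: RegOpenKeyExA.ADVAPI32(80000001,Software\\Borland\\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405262
• GetCurrentThreadId.KERNEL32 ref: 00445CD3
• 74D31540.VERSION(?,0040BC3C,?,?,00000000), ref: 0040BBE5
"""

# One API entry: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional parenthesised argument list, then the "ref:" address.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 constants (winnt.h / winreg.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str


@dataclass
class Triage:
    calls: list = field(default_factory=list)
    allocations: list = field(default_factory=list)       # decoded VirtualAlloc calls
    rwx_allocs: list = field(default_factory=list)        # refs of PAGE_EXECUTE_READWRITE allocations
    resolved_symbols: list = field(default_factory=list)  # names passed to GetProcAddress
    loaded_libraries: list = field(default_factory=list)  # names passed to LoadLibraryA
    registry_keys: list = field(default_factory=list)     # "HIVE\\subkey" from RegOpenKeyEx*
    unresolved_apis: list = field(default_factory=list)   # callee known only by address


def hexarg(value):
    """Return the int value of a hex argument, or None for '?' or non-hex text."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def decode_flags(value, table):
    """Expand a bitmask into the constant names from table (falls back to hex)."""
    return [name for bit, name in table.items() if value & bit] or [hex(value)]


def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref")))
    return calls


def triage(text):
    t = Triage()
    t.calls = parse_api_lines(text)
    for c in t.calls:
        if re.fullmatch(r"[0-9A-Fa-f]{8}", c.api):
            # The plugin could not name the import; record module!address for manual lookup.
            t.unresolved_apis.append((c.ref, f"{c.module}!{c.api}"))
        elif c.api == "VirtualAlloc" and len(c.args) >= 4:
            alloc_type, prot = hexarg(c.args[2]), hexarg(c.args[3])
            t.allocations.append({
                "ref": c.ref, "size": c.args[1],
                "type": decode_flags(alloc_type, MEM_FLAGS) if alloc_type is not None else ["?"],
                "protect": PAGE_PROTECT.get(prot, "?" if prot is None else hex(prot)),
            })
            if prot is not None and prot & 0x40:
                t.rwx_allocs.append(c.ref)
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            t.resolved_symbols.append(c.args[1])
        elif c.api.startswith("LoadLibrary") and c.args:
            t.loaded_libraries.append(c.args[0])
        elif c.api.startswith("RegOpenKeyEx") and len(c.args) >= 2:
            hive = hexarg(c.args[0])
            t.registry_keys.append(f"{HIVES.get(hive, c.args[0])}\\{c.args[1]}")
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_RECORD)
    for alloc in result.allocations:
        print(f"VirtualAlloc @ {alloc['ref']}: size {alloc['size']} {alloc['type']} {alloc['protect']}")
    print("RWX allocations:", result.rwx_allocs)
    print("GetProcAddress targets:", result.resolved_symbols)
    print("Registry keys opened:", result.registry_keys)
    print("Unresolved callees:", result.unresolved_apis)
```

Two caveats when reading the output. These records are static disassembly of a memory dump, so an RWX allocation listed here was not necessarily executed during the run; confirm it against the dynamic API trace before treating it as a shellcode staging buffer. And the `GetProcAddress` chain for `Imm*`, `WINNLSEnableIME` and the `Software\Borland\Locales` lookup are consistent with ordinary Delphi runtime initialization, so on their own they are weak evidence of malicious behaviour even though they do trip the "Extensive use of GetProcAddress" and locale-query signatures.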
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040508D
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 0040509E
    • lstrcpyn.KERNEL32(?,?,?), ref: 004050CE
    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 00405132
    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 00405167
    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040517A
    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405187
    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405193
    • lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 004051C7
    • lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 004051D3
    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 004051F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
    • String ID: GetLongPathNameA$\$kernel32.dll
    • API String ID: 3245196872-1565342463
    • Opcode ID: e1de133ecb55c43d091dd051b632632334fece42b1a5a6105119b7ec3bf489dd
    • Instruction ID: 32ab80cfc78f5bf0c64f2175c92c8e29f71a1a1f7e74dea58a60de59f633f843
    • Opcode Fuzzy Hash: e1de133ecb55c43d091dd051b632632334fece42b1a5a6105119b7ec3bf489dd
    • Instruction Fuzzy Hash: ED419272D00659ABDB10EAA8CD85BDFB3ACEF44304F1440FAA549F7281D6389E458F98
    APIs
    • IsIconic.USER32(?), ref: 004361DB
    • GetWindowPlacement.USER32(?,0000002C), ref: 004361F8
    • GetWindowRect.USER32(?), ref: 00436211
    • GetWindowLongA.USER32(?,000000F0), ref: 0043621F
    • GetWindowLongA.USER32(?,000000F8), ref: 00436234
    • ScreenToClient.USER32(00000000), ref: 00436241
    • ScreenToClient.USER32(00000000,?), ref: 0043624C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$ClientLongScreen$IconicPlacementRect
    • String ID: ,
    • API String ID: 2266315723-3772416878
    • Opcode ID: f0ed54b1b27eb46e811045cb129cd6c16bdbe48144f3efa4e2f0a40d374c6ca5
    • Instruction ID: 813438136666737145db1d4a260c9b17d68db7091041a6d90b35632f79bc6c60
    • Opcode Fuzzy Hash: f0ed54b1b27eb46e811045cb129cd6c16bdbe48144f3efa4e2f0a40d374c6ca5
    • Instruction Fuzzy Hash: 5B11EE31500201BBCB11EF6DC884A8B37D8AF08314F06497EFE18EB286DB39D9048B66
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: RestoreSave$NtdllProc_Window
    • String ID:
    • API String ID: 2725519021-0
    • Opcode ID: 2d871ba3934afbcf8d48dae0cdee270a09160f412a7f047e13a888090b2e32e4
    • Instruction ID: 154c7de8d6bdea138f76814c390ab6c8f983a4a0d2a2389cf46189ad799c1483
    • Opcode Fuzzy Hash: 2d871ba3934afbcf8d48dae0cdee270a09160f412a7f047e13a888090b2e32e4
    • Instruction Fuzzy Hash: 32E180B4A00605DFEB10EF6AC58199EF3F5FF48705B2185AAE845A7361C738EE41CB58
    APIs
    • IsIconic.USER32(?), ref: 0044E774
    • SetActiveWindow.USER32(?,?,?,?,0044E195,00000000,0044E656), ref: 0044E785
    • IsWindowEnabled.USER32(00000000), ref: 0044E7A8
    • NtdllDefWindowProc_A.NTDLL(?,00000112,0000F120,00000000,00000000,?,?,?,?,0044E195,00000000,0044E656), ref: 0044E7C1
    • SetWindowPos.USER32(?,00000000,00000000,?,?,0044E195,00000000,0044E656), ref: 0044E807
    • SetFocus.USER32(00000000,?,00000000,00000000,?,?,0044E195,00000000,0044E656), ref: 0044E84C
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
    • String ID:
    • API String ID: 3996302123-0
    • Opcode ID: d8ac0e9ef5ec2683f48534681ade00927c0669d7ea8462f4431d28e1c539b204
    • Instruction ID: d257087fd99ad4de64d3cea04299af3b36631589040be4d862ab99e6ae330fc3
    • Opcode Fuzzy Hash: d8ac0e9ef5ec2683f48534681ade00927c0669d7ea8462f4431d28e1c539b204
    • Instruction Fuzzy Hash: 2D31CC74B002409BFB15AB6ACD86B5A2798BB05718F4904AAFE009F2D7DA7DEC548718
    APIs
    • IsIconic.USER32(?), ref: 0043598B
    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004359A9
    • GetWindowPlacement.USER32(?,0000002C), ref: 004359DF
    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00435A03
    Strings
    Similarity
    • API ID: Window$Placement$Iconic
    • String ID: ,
    • API String ID: 568898626-3772416878
    • Opcode ID: 7dcac491238cddc0acbb4fb3798620641f25ee4f3d7f3dfcfb6f103face442d8
    • Instruction ID: e860f45a2e969000e563e108db693ff127cfe206aa3da96e72ba50377dabb23d
    • Opcode Fuzzy Hash: 7dcac491238cddc0acbb4fb3798620641f25ee4f3d7f3dfcfb6f103face442d8
    • Instruction Fuzzy Hash: B5215371600204ABCF14EF69D8C0A9A77ACAF0C354F45856BFE14EF346D679DD048BA4
    APIs
      • Part of subcall function 00423914: GetProcAddress.KERNEL32(75A50000,00000000), ref: 00423994
    • MonitorFromWindow.USER32(?,?), ref: 00423B44
    Strings
    Similarity
    • API ID: AddressFromMonitorProcWindow
    • String ID: MonitorFromWindow
    • API String ID: 2184870004-2842599566
    • Opcode ID: a75f521b5342c3e22b66ed093e56f2c3951a3ffe26e4ddcaf08912a358faf18a
    • Instruction ID: bb66c74ad9e66c4ab9a1a8fec230f689b0396d767df2fc7cf7049587ee4b9b74
    • Opcode Fuzzy Hash: a75f521b5342c3e22b66ed093e56f2c3951a3ffe26e4ddcaf08912a358faf18a
    • Instruction Fuzzy Hash: D8018F616042286A8B00EE50AC419AEB7BCDA05357B84406BF911A7243D72CEB0187AD
    APIs
    Similarity
    • API ID: RestoreSave$Focus
    • String ID:
    • API String ID: 1675357626-0
    • Opcode ID: 39ed9cd04f37311b6c6bdb4b81e9a7179f9dc40c14bbb0b039258bb6e6d72abd
    • Instruction ID: 73e4117cf831d58173642d20c02f31a76e27b0a57a726d9ab8565119d18195d6
    • Opcode Fuzzy Hash: 39ed9cd04f37311b6c6bdb4b81e9a7179f9dc40c14bbb0b039258bb6e6d72abd
    • Instruction Fuzzy Hash: 2FB18430A00108DFEB10EF69C995AAEB7F5EF09304F6545AEE404A7351DB38EE41DB58
    APIs
    • IsIconic.USER32(?), ref: 0044E6C4
    • SetActiveWindow.USER32(?,?,?,?,0044E188,00000000,0044E656), ref: 0044E6DC
    • IsWindowEnabled.USER32(00000000), ref: 0044E6FF
    • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?,0044E188,00000000,0044E656), ref: 0044E728
    • NtdllDefWindowProc_A.NTDLL(?,00000112,0000F020,00000000,?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?), ref: 0044E73D
    Similarity
    • API ID: Window$ActiveEnabledIconicNtdllProc_
    • String ID:
    • API String ID: 1720852555-0
    • Opcode ID: 7ce38c4c53a597dff927f36443eded2fb005bea3f30c0c1a6d74c25db8e7f529
    • Instruction ID: 39eec5619d8bffe5c553bddcddf3fc8c38b3374419c232c7e5f4b6671eae5355
    • Opcode Fuzzy Hash: 7ce38c4c53a597dff927f36443eded2fb005bea3f30c0c1a6d74c25db8e7f529
    • Instruction Fuzzy Hash: 3311DD717402409BEB54EE6AC9C6B9637ACBF08718F4804AABE05DF287D679EC408759
    APIs
      • Part of subcall function 00429F14: WinHelpA.USER32(00000000,00429F2C,00000002,00000000), ref: 00429F23
    • GetTickCount.KERNEL32 ref: 0042A4D2
    • Sleep.KERNEL32(00000000,00000000,0042A531,?,?,00000000,00000000,?,0042A4AA), ref: 0042A4DB
    • GetTickCount.KERNEL32 ref: 0042A4E0
    • WinHelpA.USER32(00000000,?,?,00000000), ref: 0042A516
    Similarity
    • API ID: CountHelpTick$Sleep
    • String ID:
    • API String ID: 2438605093-0
    • Opcode ID: 4b10cf1d18a78cc21a49a51c54597e51f0b9c6f8cfbf515c64f7568651dc44bd
    • Instruction ID: 6fbce531bc7bf88d24e7bb523d1e33f8b8955584aed35bfc68a92d0fef039e1b
    • Opcode Fuzzy Hash: 4b10cf1d18a78cc21a49a51c54597e51f0b9c6f8cfbf515c64f7568651dc44bd
    • Instruction Fuzzy Hash: F4018470700614AFD711FB69DC46B1EB2A8DB44708F924477F901E71C2DA7C9E14856A
    APIs
    • GetClipboardData.USER32(0000000E), ref: 00420321
    • CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 00420343
    • GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000), ref: 00420355
    Similarity
    • API ID: FileMeta$ClipboardCopyDataHeader
    • String ID:
    • API String ID: 1752724394-0
    • Opcode ID: 7407c8c8bdb3c255a238e6906a4016c4863d512d73a95de6031de39b8089aa36
    • Instruction ID: 94472f3101070d35b7cdf10e71838857ef5b6f77e697f5751602546332722c82
    • Opcode Fuzzy Hash: 7407c8c8bdb3c255a238e6906a4016c4863d512d73a95de6031de39b8089aa36
    • Instruction Fuzzy Hash: 6A112A726002048FC710DFAAC885A9AB7F8AF49314F11466EE909DB252DB75EC45CB99
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0044D518
    • GetCursorPos.USER32(?), ref: 0044D535
    • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0044D555
    Similarity
    • API ID: CurrentCursorObjectSingleThreadWait
    • String ID:
    • API String ID: 1359611202-0
    • Opcode ID: 3fb02e9b05a035f0aecbfaefe7891d72cb8d59223b6c2831fd8b07511d182553
    • Instruction ID: e92f64c9389dab36428b7d9f1e828ab217b6203fe6e95c1fec9ddce136cb4ea6
    • Opcode Fuzzy Hash: 3fb02e9b05a035f0aecbfaefe7891d72cb8d59223b6c2831fd8b07511d182553
    • Instruction Fuzzy Hash: F4F0B431904228FBEB10EB65D886B5A73D8EB0030AF8000B7E010962D2DB7CE944CA1F
    APIs
    Similarity
    • API ID: CaptureIconic
    • String ID:
    • API String ID: 2277910766-0
    • Opcode ID: 1e297c99bc5affc33b4593401cfab3bd46b02390cf52101aadf033a02d5e3431
    • Instruction ID: be768ef6ac9ad2b8ffaf65abbe255814b6cd76f30897db0477a4f68445f52483
    • Opcode Fuzzy Hash: 1e297c99bc5affc33b4593401cfab3bd46b02390cf52101aadf033a02d5e3431
    • Instruction Fuzzy Hash: 90114631B106099BDF20EB59CD86A6EB3E4DF08314F5550BAE814DB352E738EE409758
    APIs
    • GetLastError.KERNEL32(00000000,0041D850), ref: 0041D7D4
    • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041D850), ref: 0041D7FA
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    • API String ID: 3479602957-0
    • Opcode ID: 8cf83e3c6ada4876192301a36bf0605c3fc60ea9f55e2c5a3a33174157af54a3
    • Instruction ID: 8c37f5d550bad34c11754dd30513464a1b97941377409642831275732d511a47
    • Opcode Fuzzy Hash: 8cf83e3c6ada4876192301a36bf0605c3fc60ea9f55e2c5a3a33174157af54a3
    • Instruction Fuzzy Hash: C30188B06446056FE711FB618D92BD673ACDB44708F5040BBB654A65C1DAB8AD80CA1D
    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040C198), ref: 0040C15A
    • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040C198), ref: 0040C173
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: ee2fab115f8687fac73c35570367009386dfd1b154f348e0981f9ef9d1b9c5d2
    • Instruction ID: 07a1b3fce52b177ef8279c32e6a430d0e66312ab345bf7b9ef37491bb852e3e8
    • Opcode Fuzzy Hash: ee2fab115f8687fac73c35570367009386dfd1b154f348e0981f9ef9d1b9c5d2
    • Instruction Fuzzy Hash: 1BF0C271E04308BBEB00EBA2C84299EB7AEE785718F50C57AF210A66C1EA7C65008A54
    APIs
    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00408369
    Similarity
    • API ID: DiskFreeSpace
    • String ID:
    • API String ID: 1705453755-0
    • Opcode ID: f8dd739078b4624cf5fca54cbf40b77d5ce2f2456b579b96362938f31c303257
    • Instruction ID: 436aa2b06ad58a720c87e537466718e0de9daa25dabbe8f17d8733a7d1af51ad
    • Opcode Fuzzy Hash: f8dd739078b4624cf5fca54cbf40b77d5ce2f2456b579b96362938f31c303257
    • Instruction Fuzzy Hash: 8B1112B5E00209AFDB40DFA9C881DAFF7F9EFC8704F14C56AA508E7250E6319E018B90
    APIs
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00427589
    Similarity
    • API ID: NtdllProc_Window
    • String ID:
    • API String ID: 4255912815-0
    • Opcode ID: 218368ee20a9e2f5f8d9164dcc30399d92ec565abb901183afada6ed0f41338b
    • Instruction ID: 8d04940811669ba0e0444b3513b6e35f609a7234159bf5d1f45cb49d88ff1585
    • Opcode Fuzzy Hash: 218368ee20a9e2f5f8d9164dcc30399d92ec565abb901183afada6ed0f41338b
    • Instruction Fuzzy Hash: 48F06276608214AFD704DF9AE881C56F7ECEB4D76035140B6F908D7641D275AD10CA74
    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405B86), ref: 00405B46
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 4a3d0c2de42bc9e4544f9e1dfe0e3a704045e608a02a4d7d326a1b51dab8bf87
    • Instruction ID: cbfe1b62841b36e542c5a0f2b31f55533fad3090201fd3294c7f176ff4a9690e
    • Opcode Fuzzy Hash: 4a3d0c2de42bc9e4544f9e1dfe0e3a704045e608a02a4d7d326a1b51dab8bf87
    • Instruction Fuzzy Hash: A8F0A430A04609AFEB14EEA1CC46AAEB3BAE784714F40857BA510B21D0E6B83A04CA44
    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405B86), ref: 00405B46
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 2b2773e68033bbb7cb866f34e8f42dbf43533885d54775da5670f4e6b80250d7
    • Instruction ID: 35628c492a7f7a3c11830339a7ae898e6201b0d3f3bdc9fcd9fbf6c6ec766dfb
    • Opcode Fuzzy Hash: 2b2773e68033bbb7cb866f34e8f42dbf43533885d54775da5670f4e6b80250d7
    • Instruction Fuzzy Hash: E1F0A430A04609AFEB14EE91CC46AAEB37AE784714F40857BA510721D0E6B83A04CA44
    APIs
    • GetSystemInfo.KERNEL32(?), ref: 0041DD54
    Similarity
    • API ID: InfoSystem
    • String ID:
    • API String ID: 31276548-0
    • Opcode ID: 9e3804b1a4b06ce6b57f35de0f9f82d1d7d8b9b3e42480d3e5bc8b329ff95824
    • Instruction ID: d28fa08f1383536b75c649ccff6a03afbdc51829f21584285e7bcdcbc45279e1
    • Opcode Fuzzy Hash: 9e3804b1a4b06ce6b57f35de0f9f82d1d7d8b9b3e42480d3e5bc8b329ff95824
    • Instruction Fuzzy Hash: F0F0F6F1D0050C9FCB14DF9CC4888DCBBB4FB56301B4042AAD404EB342EB35A594CB84
    APIs
    • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AB66
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 95a87924bef47ad41ae53b87f4b714ca11c352d0c73136811e2d0075a499b398
    • Instruction ID: c1770d655aa7e8f83f5c3bb2ade041fa1b7a4d3370412cbf003192fda0ec5592
    • Opcode Fuzzy Hash: 95a87924bef47ad41ae53b87f4b714ca11c352d0c73136811e2d0075a499b398
    • Instruction Fuzzy Hash: 38E09272B0421417D710A55D5C829E6736C9758320F00427FBE05E73C1EDB4AD9486EE
    APIs
    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040C446,00000000,0040C65F,?,?,00000000,00000000), ref: 0040ABA7
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 6eb7ba542849f082dc089c9024fde26e057a43fa601d78d8854a4a03e1bfba95
    • Instruction ID: 5aeafe4434829eb1bf6dbe4da96db9261571707baec4f5b0ea3bfb478d0b1998
    • Opcode Fuzzy Hash: 6eb7ba542849f082dc089c9024fde26e057a43fa601d78d8854a4a03e1bfba95
    • Instruction Fuzzy Hash: 96D02E2230E2402AF220800A2C80CBB5AACCAC53A4F00407EB688C2341C2208C0A93BA
    APIs
    Similarity
    • API ID: LocalTime
    • String ID:
    • API String ID: 481472006-0
    • Opcode ID: 579d1b5cdaff9e3ea50d9a3d598de332f0a570b269abbad5dbbd894a2a2abded
    • Instruction ID: 03f39763fc62f683665fa4f7e0fe12eed4f103352792b934aac55f21a932d788
    • Opcode Fuzzy Hash: 579d1b5cdaff9e3ea50d9a3d598de332f0a570b269abbad5dbbd894a2a2abded
    • Instruction Fuzzy Hash: 33A0120844480101D14033180C0335530005900624FC40754A8B9103D1E92E013041DB
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1a6af1359c4516ea8e95aa0ba036f5c62bd2855a878ed21cd0e5a24fcaf8cd77
    • Instruction ID: 6bd630d264d5d46a8cce89f220bed60b5460791444afd49c44aa55ce852a720c
    • Opcode Fuzzy Hash: 1a6af1359c4516ea8e95aa0ba036f5c62bd2855a878ed21cd0e5a24fcaf8cd77
    • Instruction Fuzzy Hash: 2291D2A148E3C14FE3078770596A691BFB0AE13215B1E45DBC4C68F4B3E29C899BC766
    APIs
    • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,00425B7F), ref: 00425802
    • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0042581A
    • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0042582C
    • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0042583E
    • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 00425850
    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00425862
    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00425874
    • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 00425886
    • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 00425898
    • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 004258AA
    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 004258BC
    • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 004258CE
    • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 004258E0
    • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 004258F2
    • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 00425904
    • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 00425916
    • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00425928
    • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0042593A
    • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0042594C
    • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0042595E
    • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 00425970
    • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 00425982
    • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 00425994
    • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 004259A6
    • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 004259B8
    • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 004259CA
    • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 004259DC
    • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 004259EE
    • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00425A00
    • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 00425A12
    • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 00425A24
    • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 00425A36
    • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 00425A48
    • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 00425A5A
    • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 00425A6C
    • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 00425A7E
    • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 00425A90
    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00425AA2
    • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00425AB4
    • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 00425AC6
    • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00425AD8
    • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 00425AEA
    • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 00425AFC
    • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 00425B0E
    • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 00425B20
    • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 00425B32
    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00425B44
    • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 00425B56
    Strings
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
    • API String ID: 2238633743-2910565190
    • Opcode ID: a4a7c27e6ad2ccefee509df2c9dbb4bf33c24a06d89330d3b706cd4c7d501bc3
    • Instruction ID: e4be9a1a18049ea359d0c7c3ded1a3f1108440e27e61905d936a7f758b31fe06
    • Opcode Fuzzy Hash: a4a7c27e6ad2ccefee509df2c9dbb4bf33c24a06d89330d3b706cd4c7d501bc3
    • Instruction Fuzzy Hash: E5A120F0B40B20AFDB00EF61FC96B263BA8EF05746391157AB402DF296D679D9108B5D
    APIs
    • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040D749
      • Part of subcall function 0040D714: GetProcAddress.KERNEL32(00000000), ref: 0040D72D
    Strings
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
    • API String ID: 1646373207-1918263038
    • Opcode ID: 5361ce127a3f0a0e0b7e3ecf26240c9b9e2793cdf1f7ef479dfad4df87ba6312
    • Instruction ID: cda3cf11f299e8f1e5b28a449d932980519ab1e636251842e730ca73760f7342
    • Opcode Fuzzy Hash: 5361ce127a3f0a0e0b7e3ecf26240c9b9e2793cdf1f7ef479dfad4df87ba6312
    • Instruction Fuzzy Hash: 9941B1E5E04304ABD3046BEE684142AB7D9D68875A364C13FF404BB6D6DB38E94D8A2D
    APIs
    • SelectObject.GDI32(?,?), ref: 0041DA58
    • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0041DAD3,?,?), ref: 0041DAA7
    • SelectObject.GDI32(?,?), ref: 0041DAC1
    • DeleteObject.GDI32(?), ref: 0041DACD
    • SelectObject.GDI32(?,?), ref: 0041DB17
    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0041DB96
    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0041DBB8
    • SetTextColor.GDI32(?,00000000), ref: 0041DBC0
    • SetBkColor.GDI32(?,00FFFFFF), ref: 0041DBCE
    • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0041DBFA
    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041DC1F
    • SetTextColor.GDI32(?,?), ref: 0041DC29
    • SetBkColor.GDI32(?,?), ref: 0041DC33
    • SelectObject.GDI32(?,00000000), ref: 0041DC46
    • DeleteObject.GDI32(?), ref: 0041DC4F
    • DeleteDC.GDI32(?), ref: 0041DC7A
    Similarity
    • API ID: Object$ColorSelectStretch$Delete$Text$Mask
    • String ID:
    • API String ID: 326492243-0
    • Opcode ID: 61ae2559b68903642da75c86d5775cd6a391e76b41fdc2090bc4cae6d3b7719d
    • Instruction ID: 0c97e7ebce996a1e3762e0487e1a416f173aaa700fd936b9a04e1448c6e0831c
    • Opcode Fuzzy Hash: 61ae2559b68903642da75c86d5775cd6a391e76b41fdc2090bc4cae6d3b7719d
    • Instruction Fuzzy Hash: 0E8197B1A00209AFDB50EE99CC81FAF77FCAB0D754F110569F619E7281C278ED508B68
    APIs
    • FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004069B0
    • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 004069BC
    • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 004069CB
    • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 004069D7
    • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004069EF
    • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 00406A13
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ClipboardFormatRegister$MessageSend$FindWindow
    • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
    • API String ID: 1416857345-3736581797
    • Opcode ID: eaf0cc27c34a3b8818a66baa3e8bd767fbe560e8a889b937ba4057a2d70313a3
    • Instruction ID: 08ad03a50b6306462e6a451d26b983610495a1189d41c22a205bba5a348aafc5
    • Opcode Fuzzy Hash: eaf0cc27c34a3b8818a66baa3e8bd767fbe560e8a889b937ba4057a2d70313a3
    • Instruction Fuzzy Hash: 79112471344305AFE310AF55DC41B6AB7E8EF46714F22803AF9467B2C1D6785D618F68
    APIs
    • GetObjectA.GDI32(?,00000054,?), ref: 00421043
    • 73A0A570.USER32(00000000,00000000,0042121B,?,?,00000054,?), ref: 00421071
    • SelectObject.GDI32(?,00000000), ref: 004210B7
    • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004210D9
    • SelectObject.GDI32(?), ref: 0042112F
    • SetBkColor.GDI32(?), ref: 0042116A
    • SetBkColor.GDI32(?,00000000), ref: 00421198
    • SelectObject.GDI32(?,00000000), ref: 004211AB
    • DeleteObject.GDI32 ref: 004211B7
    • DeleteDC.GDI32(?), ref: 004211CD
    • SelectObject.GDI32(?,00000000), ref: 004211E8
    • DeleteDC.GDI32(00000000), ref: 00421204
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Object$Select$Delete$Color$A570
    • String ID:
    • API String ID: 3306858847-0
    • Opcode ID: 171adaf9eaeb69219755ee49634f76150d0d5e48ec1355a7403fa916829af483
    • Instruction ID: ee625322e8445226d798d51b6d525e5fc6ee0d549d1c78041b309c34d4e8dd05
    • Opcode Fuzzy Hash: 171adaf9eaeb69219755ee49634f76150d0d5e48ec1355a7403fa916829af483
    • Instruction Fuzzy Hash: A8513E71F00218ABDB10EBE9DC45FAFB7FCAB08304F51446AB615FB291D6789950CB68
    APIs
    • EnumDisplayMonitors.USER32(?,?,?,?), ref: 00423EF9
    • GetSystemMetrics.USER32(00000000), ref: 00423F1E
    • GetSystemMetrics.USER32(00000001), ref: 00423F29
    • GetClipBox.GDI32(?,?), ref: 00423F3B
    • GetDCOrgEx.GDI32(?,?), ref: 00423F48
    • OffsetRect.USER32(?,?,?), ref: 00423F61
    • IntersectRect.USER32(?,?,?), ref: 00423F72
    • IntersectRect.USER32(?,?,?), ref: 00423F88
      • Part of subcall function 00423914: GetProcAddress.KERNEL32(75A50000,00000000), ref: 00423994
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
    • String ID: EnumDisplayMonitors
    • API String ID: 362875416-2491903729
    • Opcode ID: 573bd073579c5c32dbebffd44f3c03b289e474a2d18996b864b227d7d476a02f
    • Instruction ID: 5970e0cb35586a24e85327ddb9c021f6054884a795b7ddb856094fd1c318320f
    • Opcode Fuzzy Hash: 573bd073579c5c32dbebffd44f3c03b289e474a2d18996b864b227d7d476a02f
    • Instruction Fuzzy Hash: C93101B1E00219AFDB10DFA5E944AEFB7BCAF09302F414526F915E2241E77CDB058BA5
    APIs
    • GetClientRect.USER32(00000000,?), ref: 00436C73
    • GetWindowRect.USER32(00000000,?), ref: 00436C85
    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00436C9B
    • OffsetRect.USER32(?,?,?), ref: 00436CB0
    • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,00436E82), ref: 00436CC9
    • InflateRect.USER32(?,00000000,00000000), ref: 00436CE7
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00436D3D
    • DrawEdge.USER32(?,?,00000000,00000008), ref: 00436E09
    • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00436E22
    • OffsetRect.USER32(?,?,?), ref: 00436E41
    • FillRect.USER32(?,?,00000000), ref: 00436E5D
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPoints
    • String ID:
    • API String ID: 1573515177-0
    • Opcode ID: 528ddfec3f697f70db95cbed1739c299ff14c521407c313a39d1db89e632b07f
    • Instruction ID: 461cb31777a908b1ffa82996ca537ac2fa9ff50f78119ae891535b192d91b9f6
    • Opcode Fuzzy Hash: 528ddfec3f697f70db95cbed1739c299ff14c521407c313a39d1db89e632b07f
    • Instruction Fuzzy Hash: 95910671E00609AFDB41DBA9C985FEEB7F9AF09304F1580A6F504E7252C779AE04CB64
    APIs
    • CharNextA.USER32(00000000,?,00000000,00000000,?,00402A2A,?,?,?,0044F308,?,00450424,00000040), ref: 0040292F
    • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,00402A2A,?,?,?,0044F308,?,00450424,00000040), ref: 00402939
    • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,00402A2A,?,?,?,0044F308,?,00450424,00000040), ref: 00402956
    • CharNextA.USER32(00000000,?,00000000,00000000,?,00402A2A,?,?,?,0044F308,?,00450424,00000040), ref: 00402960
    • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,00402A2A,?,?,?,0044F308,?,00450424,00000040), ref: 00402989
    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,00402A2A,?,?,?,0044F308,?,00450424,00000040), ref: 00402993
    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,00402A2A,?,?,?,0044F308,?,00450424,00000040), ref: 004029B7
    • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,00402A2A,?,?,?,0044F308,?,00450424,00000040), ref: 004029C1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CharNext
    • String ID: "$"
    • API String ID: 3213498283-3758156766
    • Opcode ID: 48a65b1d8f16a37fc12f24272fccf5f985d10cb81850c5d716dd89aa59418870
    • Instruction ID: a1d330bb4e253f7c8f70a6e03e6d83f6500e4c391f012be234453f25f5c1cc4a
    • Opcode Fuzzy Hash: 48a65b1d8f16a37fc12f24272fccf5f985d10cb81850c5d716dd89aa59418870
    • Instruction Fuzzy Hash: 1821F4C878439529DB3169B90AC83667B854B6B314F2814BB9582BB3CBD4FC4847832E
    APIs
    • RectVisible.GDI32(?,?), ref: 00433E25
    • SaveDC.GDI32(?), ref: 00433E3B
    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00433E5E
    • RestoreDC.GDI32(?,?), ref: 00433E79
    • CreateSolidBrush.GDI32(00000000), ref: 00433EFA
    • FrameRect.USER32(?,?,?), ref: 00433F2D
    • DeleteObject.GDI32(?), ref: 00433F37
    • CreateSolidBrush.GDI32(00000000), ref: 00433F47
    • FrameRect.USER32(?,?,00000000), ref: 00433F7A
    • DeleteObject.GDI32(00000000), ref: 00433F84
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
    • String ID:
    • API String ID: 375863564-0
    • Opcode ID: 0baabeed71c4289d3f6b1286eed3de4eb1ccecd8c4f8cf050f409b6051f6441d
    • Instruction ID: 6593791ecfcffbe8605f99502f7dcb8041c959929ea05799a837397fda0ad5a8
    • Opcode Fuzzy Hash: 0baabeed71c4289d3f6b1286eed3de4eb1ccecd8c4f8cf050f409b6051f6441d
    • Instruction Fuzzy Hash: FB516E716042449FDB54EF29C8C4B5B77E8AF88318F04445EFD85CB287D639E885CB59
    APIs
    • GetWindowLongA.USER32(00000000,000000EC), ref: 004287AF
    • GetWindowRect.USER32(00000000,?), ref: 004287CA
    • OffsetRect.USER32(?,?,?), ref: 004287DF
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0042881E
    • GetSystemMetrics.USER32(00000002), ref: 00428833
    • GetSystemMetrics.USER32(00000003), ref: 0042883C
    • InflateRect.USER32(?,000000FE,000000FE), ref: 0042884B
    • GetSysColorBrush.USER32(0000000F), ref: 00428878
    • FillRect.USER32(?,?,00000000), ref: 00428886
    • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,004288EF,?,00000000,?,?,?,00000000,?), ref: 004288AB
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffset
    • String ID:
    • API String ID: 239630386-0
    • Opcode ID: 3c323ba9f3ce31125427f7e80e94f7f8a5cb44f5a72cd1f5d6d80708632841a6
    • Instruction ID: 51d47e166aaf29dc06c17b8b119cd2c96a80e5fc996fe7a0cbab13b4e9691ef3
    • Opcode Fuzzy Hash: 3c323ba9f3ce31125427f7e80e94f7f8a5cb44f5a72cd1f5d6d80708632841a6
    • Instruction Fuzzy Hash: 28416571A00119AFDB00EBA9DD42EDFB7BDEF49314F54012AF505F7295CA78AE018768
    APIs
    • GetSystemMenu.USER32(00000000,00000000), ref: 0044A5D3
    • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0044A5F1
    • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044A5FE
    • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044A60B
    • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044A618
    • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0044A625
    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0044A632
    • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0044A63F
    • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0044A65D
    • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044A679
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Menu$Delete$EnableItem$System
    • String ID:
    • API String ID: 3985193851-0
    • Opcode ID: 6a17aa1db43e6e786e8cd01b0543cf74a8dc2d3285b4fc26e91f94657030147b
    • Instruction ID: 2967b34473d138a12f09d88b5d5027ae7975cb84dc91336d3c5ab847378540a0
    • Opcode Fuzzy Hash: 6a17aa1db43e6e786e8cd01b0543cf74a8dc2d3285b4fc26e91f94657030147b
    • Instruction Fuzzy Hash: 56215E747C03047BE320AA64CCCEF597AD95B04B19F1A40A6BA457F2D3C6B8E990865C
    APIs
    • 73A0A570.USER32(00000000,?,00000000,00422259,?,?), ref: 00421FA6
    • SelectObject.GDI32(?,00000000), ref: 0042202A
    • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,004220E3,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00422098
    • SelectObject.GDI32(?,?), ref: 004220D7
    • DeleteObject.GDI32(00000000), ref: 004220DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Object$Select$A570DeleteErrorLast
    • String ID: ($BM
    • API String ID: 2612784382-2980357723
    • Opcode ID: a5a7a6550463fd4ea8fa3ad57729f65e77c40c1defce879520878cc2bbf5d2f3
    • Instruction ID: 5fc19b5cf8c2ccf3554bc3956a743efe9ccd0b22bdb5006a2aca2dc110d89ef3
    • Opcode Fuzzy Hash: a5a7a6550463fd4ea8fa3ad57729f65e77c40c1defce879520878cc2bbf5d2f3
    • Instruction Fuzzy Hash: 6FD16F70E00218AFDF14DFA9D985AAEBBF5EF48304F41846AF914E7395D7789840CB68
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0041909B
    • GetCurrentThreadId.KERNEL32 ref: 004190AA
      • Part of subcall function 00419068: ResetEvent.KERNEL32(0000017C,004190E5), ref: 0041906E
    • RtlEnterCriticalSection.NTDLL(00453868), ref: 004190EF
    • InterlockedExchange.KERNEL32(004513E8,?), ref: 0041910B
    • RtlLeaveCriticalSection.NTDLL(00453868), ref: 00419164
    • RtlEnterCriticalSection.NTDLL(00453868), ref: 004191C3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
    • String ID: 00E$` A
    • API String ID: 2189153385-1388186709
    • Opcode ID: c46fc84f408ed32b6dd4356979a4ce3ab341d66c1b22277d7da3549eee815548
    • Instruction ID: bf845a8b9de53569e00c5e500b716022f29aeb1e157ee833e6d830e15d943e29
    • Opcode Fuzzy Hash: c46fc84f408ed32b6dd4356979a4ce3ab341d66c1b22277d7da3549eee815548
    • Instruction Fuzzy Hash: 41319630A04705BFE701DF66C866AAA77F9EB49704F6184B6F80092691D77C5D80CB29
    APIs
      • Part of subcall function 0040B0B4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B0D1
      • Part of subcall function 0040B0B4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B0F5
      • Part of subcall function 0040B0B4: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B110
      • Part of subcall function 0040B0B4: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040B1A6
    • CharToOemA.USER32(?,?), ref: 0040B273
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 0040B290
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 0040B296
    • GetStdHandle.KERNEL32(000000F4,0040B300,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040B2AB
    • WriteFile.KERNEL32(00000000,000000F4,0040B300,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040B2B1
    • LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 0040B2D3
    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040B2E9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
    • String ID: H0E
    • API String ID: 185507032-1480099462
    • Opcode ID: 028f76ab970f76de253ee2a2508557fc937d0c7dadacbabfbab0c8f6829db294
    • Instruction ID: 5c375c7a0ac08cf3ac5bd9c0daf61a32ddea54c7da29d467be082cd44f0efade
    • Opcode Fuzzy Hash: 028f76ab970f76de253ee2a2508557fc937d0c7dadacbabfbab0c8f6829db294
    • Instruction Fuzzy Hash: 81119EB21443046AD300E795CC46F8F77ECAB44704F40053FB755E61E2DA78D94487AE
    APIs
    • MulDiv.KERNEL32(?,?,?), ref: 0042F445
    • MulDiv.KERNEL32(?,?,?), ref: 0042F45F
    • MulDiv.KERNEL32(?,?,?), ref: 0042F48D
    • MulDiv.KERNEL32(?,?,?), ref: 0042F4A3
    • MulDiv.KERNEL32(?,?,?), ref: 0042F4DB
    • MulDiv.KERNEL32(?,?,?), ref: 0042F4F3
    • MulDiv.KERNEL32(?,?,0000001F), ref: 0042F53D
    • MulDiv.KERNEL32(?,?,0000001F), ref: 0042F566
    • MulDiv.KERNEL32(00000000,?,0000001F), ref: 0042F58C
      • Part of subcall function 0041C864: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041C871
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cac0e95c246653da4ad046b40ce4972f83bcd5d37c22cee2142a35bcc91e0425
    • Instruction ID: a2a6052f85f8bbcf773df6fc78b0c2f5e26ac017b36d150ba9b025d49877fefa
    • Opcode Fuzzy Hash: cac0e95c246653da4ad046b40ce4972f83bcd5d37c22cee2142a35bcc91e0425
    • Instruction Fuzzy Hash: 8A516C71204360AFC320EF29D840B6BB7F8AF59304F84483EB9D6C7352C679E8498B19
    APIs
    • GetObjectA.GDI32(?,00000018,?), ref: 0041D8AD
    • 73A0A570.USER32(00000000,00000000,0041D9BA,?,00000000,00000000), ref: 0041D8D0
    • SelectObject.GDI32(?,?), ref: 0041D93E
    • SelectObject.GDI32(?,00000000), ref: 0041D94D
    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041D979
    • SelectObject.GDI32(?,00000000), ref: 0041D987
    • SelectObject.GDI32(?,00000000), ref: 0041D995
    • DeleteDC.GDI32(?), ref: 0041D9AB
    • DeleteDC.GDI32(?), ref: 0041D9B4
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Object$Select$Delete$A570Stretch
    • String ID:
    • API String ID: 1268976527-0
    • Opcode ID: cf9e3ee18b84cfd96052a47c3a0dbb205d01d7eb58bc50ed3d306f4bc43565b8
    • Instruction ID: cc75461bed9a9e2a94bb207805bdc0c1ad6ea047782176cbcaa7b9721108b351
    • Opcode Fuzzy Hash: cf9e3ee18b84cfd96052a47c3a0dbb205d01d7eb58bc50ed3d306f4bc43565b8
    • Instruction Fuzzy Hash: B141ECB1E50209BFDB40EBE9CC42FAFB7BCEB08704F510466B615F7281D67899518B68
    APIs
    • GetThreadLocale.KERNEL32(00000000,0040C65F,?,?,00000000,00000000), ref: 0040C3CA
      • Part of subcall function 0040AB48: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AB66
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Locale$InfoThread
    • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
    • API String ID: 4232894706-2493093252
    • Opcode ID: 6d92eb5d8cb05820afe96425183957b3f70e7ae01f9445d0d040eee452c92f0b
    • Instruction ID: 9a39f8be3da4d7a4340a79cce75a88bd8809a7e02b61bbefb273a60d75a0db29
    • Opcode Fuzzy Hash: 6d92eb5d8cb05820afe96425183957b3f70e7ae01f9445d0d040eee452c92f0b
    • Instruction Fuzzy Hash: DA619870B00244ABCB11EBA5D881B9EB7B69B49305F50953FF600BB3C7CA3DDA158759
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040E959
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040E975
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040E9AE
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040EA2B
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040EA44
    • VariantCopy.OLEAUT32(?), ref: 0040EA79
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
    • String ID:
    • API String ID: 351091851-3916222277
    • Opcode ID: e097b3cb944edf1d61b756a614b49b7133427e9fd4d59051032893853cdbf4c2
    • Instruction ID: c6a08b385ef5cbfae3ff86d5f830bf50d6e55d5f2fffb66103f3660abb78837c
    • Opcode Fuzzy Hash: e097b3cb944edf1d61b756a614b49b7133427e9fd4d59051032893853cdbf4c2
    • Instruction Fuzzy Hash: BA510E759006199BCB22DB5AC881BD9B3BCBF4C304F0045EAF508B7352D638AF958F69
    APIs
    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0041FCBA
    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0041FCD7
    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0041FD03
    • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0041FD23
    • DeleteEnhMetaFile.GDI32(00000016), ref: 0041FD44
    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0041FD57
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FileMeta$Bits$DeleteHeader
    • String ID: `
    • API String ID: 1990453761-2679148245
    • Opcode ID: 0020777ecf9393a82d72ae9f18524c06381199c8e1ed1e637345e6f7d56c1686
    • Instruction ID: 85d352a1b7d3298886819fb919cbe7035100533bdaf40bb729614545a9717ab3
    • Opcode Fuzzy Hash: 0020777ecf9393a82d72ae9f18524c06381199c8e1ed1e637345e6f7d56c1686
    • Instruction Fuzzy Hash: 05412EB5E00208AFDB00DFA9C485AEEB7F9EF48710F11846AF904E7241E7399D45CB69
    APIs
    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0041FCBA
    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 0041FCD7
    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0041FD03
    • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0041FD23
    • DeleteEnhMetaFile.GDI32(00000016), ref: 0041FD44
    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0041FD57
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FileMeta$Bits$DeleteHeader
    • String ID: `
    • API String ID: 1990453761-2679148245
    • Opcode ID: d1fe5b1c2cff583f36c361e0435ce0ca1491e7204adfbffc2ae6b8ed417e3424
    • Instruction ID: 5659dbb8be3b28947d23d12c0fb9f483e4a62372c1a918e6e0701602fa5e5fbe
    • Opcode Fuzzy Hash: d1fe5b1c2cff583f36c361e0435ce0ca1491e7204adfbffc2ae6b8ed417e3424
    • Instruction Fuzzy Hash: 17412DB5E00208AFDB00DFA9C485AEEB7F9EF48710F11846AF904E7241E7399D45CB69
    APIs
    • GetMonitorInfoA.USER32(?,?), ref: 00423C75
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423C9C
    • GetSystemMetrics.USER32(00000000), ref: 00423CB1
    • GetSystemMetrics.USER32(00000001), ref: 00423CBC
    • lstrcpy.KERNEL32(?,DISPLAY), ref: 00423CE6
      • Part of subcall function 00423914: GetProcAddress.KERNEL32(75A50000,00000000), ref: 00423994
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
    • String ID: DISPLAY$GetMonitorInfo
    • API String ID: 1539801207-1633989206
    • Opcode ID: a55e565f93d14cf2e0d7aa03361575755d5409ed5bb4588cd0a892f34a8f5d7e
    • Instruction ID: 24e5faf81e2e64aea71bdebed69ae28ce505a3cfc74c1674a4fc1e25d7b0174f
    • Opcode Fuzzy Hash: a55e565f93d14cf2e0d7aa03361575755d5409ed5bb4588cd0a892f34a8f5d7e
    • Instruction Fuzzy Hash: 3511E1B27013246FD7209F22AC44BA7B7F8EB05753F40443BEC55A7241D3B9AA40CBA8
    APIs
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423E44
    • GetSystemMetrics.USER32(00000000), ref: 00423E59
    • GetSystemMetrics.USER32(00000001), ref: 00423E64
    • lstrcpy.KERNEL32(?,DISPLAY), ref: 00423E8E
      • Part of subcall function 00423914: GetProcAddress.KERNEL32(75A50000,00000000), ref: 00423994
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
    • String ID: DISPLAY$GetMonitorInfoW$=B
    • API String ID: 2545840971-3475336188
    • Opcode ID: a3e67da5812309343a8a4106efca2d1c915d5171edd257396032a09b27a495a5
    • Instruction ID: acc7ac6b310763ad35e75d1d86b5d945733f29dbb0bc5af4ce255b3e229641f6
    • Opcode Fuzzy Hash: a3e67da5812309343a8a4106efca2d1c915d5171edd257396032a09b27a495a5
    • Instruction Fuzzy Hash: EF11E4B17013105FD720DF61AC447A7B7F9EB09317F41053AE8559B281D3B8AB4887AC
    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403EEA,?,?,?,?,?,?,?,00403F8A,004027CB), ref: 00403E55
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403EEA,?,?,?,?,?,?,?,00403F8A), ref: 00403E5B
    • GetStdHandle.KERNEL32(000000F5,00403EA4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403EEA), ref: 00403E70
    • WriteFile.KERNEL32(00000000,000000F5,00403EA4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403EEA), ref: 00403E76
    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403E94
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FileHandleWrite$Message
    • String ID: Error$Runtime error at 00000000
    • API String ID: 1570097196-2970929446
    • Opcode ID: 68a86c8d39183926d9bb9c81152f495fdd9e817a8c598226a0959e0f4ae26b5b
    • Instruction ID: 4cf903770852a5396ba7191deda7ea4c56af92e8aaae8c01a8600728a10e7ba7
    • Opcode Fuzzy Hash: 68a86c8d39183926d9bb9c81152f495fdd9e817a8c598226a0959e0f4ae26b5b
    • Instruction Fuzzy Hash: 4BF096A168038075E620BB909D06F9B255C4744F1BF20467FB614B84F387BC8AC4D6AD
    APIs
      • Part of subcall function 00421AB4: 73A0A570.USER32(00000000,?,?,?,?,004206EB,00000000,00420777), ref: 00421B0A
      • Part of subcall function 00421AB4: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004206EB,00000000,00420777), ref: 00421B4D
    • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 004215C9
    • SetStretchBltMode.GDI32(?,00000004), ref: 004215D7
    • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 004215EF
    • SetStretchBltMode.GDI32(00000000,00000003), ref: 0042160C
    • SelectObject.GDI32(?,?), ref: 00421681
    • SelectObject.GDI32(?,00000000), ref: 004216E0
    • DeleteDC.GDI32(00000000), ref: 004216EF
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: BrushModeObjectSelectStretch$A570CreateDeleteHalftonePalette
    • String ID:
    • API String ID: 3467007361-0
    • Opcode ID: 280a463f4a94407293de95febdc67321c0321e6e6b6bf04c508c2415172af9fc
    • Instruction ID: 1677615865fb4f5af4c0d18f9eed75ce0ccf391ec7539f464a28728e9f5001b3
    • Opcode Fuzzy Hash: 280a463f4a94407293de95febdc67321c0321e6e6b6bf04c508c2415172af9fc
    • Instruction Fuzzy Hash: 9D715975B00205AFCB00EFA9C985F9EBBF8AB48304F5145AAF509E7391D638ED10CB58
    APIs
    • GetCapture.USER32 ref: 0044B91D
    • GetCapture.USER32 ref: 0044B92C
    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0044B932
    • ReleaseCapture.USER32 ref: 0044B937
    • GetActiveWindow.USER32 ref: 0044B95E
    • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0044B9F4
    • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 0044BA61
    • GetActiveWindow.USER32 ref: 0044BA70
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CaptureMessageSend$ActiveWindow$Release
    • String ID:
    • API String ID: 862346643-0
    • Opcode ID: 7001e335174ec45a3f10cfc0f5bb7da064186b8bfd290c8b10a69dd5ae272c84
    • Instruction ID: 676236072a164cf1ab46e6eaf4f4d0eb06904e6227c158a83859b597119f2426
    • Opcode Fuzzy Hash: 7001e335174ec45a3f10cfc0f5bb7da064186b8bfd290c8b10a69dd5ae272c84
    • Instruction Fuzzy Hash: 86514D34A006449FEB10EF6AC956B5D77F5EB48708F5540BAF400AB3A2DB38EE00CB58
    APIs
    • SaveDC.GDI32 ref: 00433FB2
      • Part of subcall function 0042E13C: GetWindowOrgEx.GDI32(?), ref: 0042E14A
      • Part of subcall function 0042E13C: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0042E160
    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00433FD3
    • GetWindowLongA.USER32(00000000,000000EC), ref: 00433FE9
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0043400B
    • SetRect.USER32(?,00000000,00000000,?,?), ref: 00434037
    • DrawEdge.USER32(?,?,?,00000000), ref: 00434046
    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043406B
    • RestoreDC.GDI32(?,?), ref: 004340DC
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
    • String ID:
    • API String ID: 2976466617-0
    • Opcode ID: 7865263365b708612aeb296a31e29f30f4653d35ac99ea6db40664d08a060680
    • Instruction ID: 7d8a0e6c9353c39dd604ca307df3eaa6e0b905883564679ab33f03307adfc471
    • Opcode Fuzzy Hash: 7865263365b708612aeb296a31e29f30f4653d35ac99ea6db40664d08a060680
    • Instruction Fuzzy Hash: 69416471B001146BDB14EAA9CC81FEE73B8AF89314F10416AFA05EB3C6D67DED018768
    APIs
    • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 0043F334
    • GetVersion.KERNEL32(00000000,0043F3E3), ref: 0043F224
      • Part of subcall function 0043F698: CreatePopupMenu.USER32 ref: 0043F6B3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Menu$CreateInsertItemPopupVersion
    • String ID: ,$?
    • API String ID: 133695497-2308483597
    • Opcode ID: 10e412ae38db9777a65fac132c1394d0d02fc323354addcf283d493f4f271d71
    • Instruction ID: 17ccd59ff00657f35601d129e370f79eca0f44da145fa68b757dceb52f58e21a
    • Opcode Fuzzy Hash: 10e412ae38db9777a65fac132c1394d0d02fc323354addcf283d493f4f271d71
    • Instruction Fuzzy Hash: 4261E130E002459BDB10EF79D88169A7BF5AF4D304F0564BAED40E73A7E639D84ACB18
    APIs
    • GetObjectA.GDI32(?,00000018,?), ref: 0041E47E
    • GetObjectA.GDI32(?,00000018,?), ref: 0041E48D
    • GetBitmapBits.GDI32(?,?,?), ref: 0041E4DE
    • GetBitmapBits.GDI32(?,?,?), ref: 0041E4EC
    • DeleteObject.GDI32(?), ref: 0041E4F5
    • DeleteObject.GDI32(?), ref: 0041E4FE
    • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041E520
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Object$BitmapBitsDelete$CreateIcon
    • String ID:
    • API String ID: 1030595962-0
    • Opcode ID: 41c0f65fbf37ca35fa22e3d4b9a8d829fc8d719dec4bc45429c71143e91d4eb9
    • Instruction ID: 9716cce6a1d43ed9754e30ec8c0adeae1a6ae2e5ee4d860a484e04380394c771
    • Opcode Fuzzy Hash: 41c0f65fbf37ca35fa22e3d4b9a8d829fc8d719dec4bc45429c71143e91d4eb9
    • Instruction Fuzzy Hash: 0E61F475A00219AFCB40DFA9C885DEEBBF9FF49304B114466F904EB352D638AD91CB64
    APIs
    • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00437615), ref: 00437521
    • GetTickCount.KERNEL32 ref: 00437526
    • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00437561
    • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00437579
    • AnimateWindow.USER32(00000000,00000064,00000001), ref: 004375BF
    • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00437615), ref: 004375E2
      • Part of subcall function 0043A690: GetCursorPos.USER32(?), ref: 0043A694
    • GetTickCount.KERNEL32 ref: 004375FC
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
    • String ID:
    • API String ID: 3024527889-0
    • Opcode ID: ed6118b2f143ad30902a04e574f8db1574b5dea4348f0d3882b887728c46449a
    • Instruction ID: 3604d95d97341dd923933266ffb2e0cfce05a766bb8de8e25c1f616f68a05db1
    • Opcode Fuzzy Hash: ed6118b2f143ad30902a04e574f8db1574b5dea4348f0d3882b887728c46449a
    • Instruction Fuzzy Hash: 7E515174A00205EFDB10EFA9C986F9EB7F5AF49304F20456AE540E7356C778AE40DB58
    APIs
    • 73A0A570.USER32(00000000), ref: 0043413B
    • SelectObject.GDI32(00000000,?), ref: 00434181
    • BeginPaint.USER32(00000000,?,00000000,00434242,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004341A3
    • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00434210
    • SelectObject.GDI32(00000000,?), ref: 0043422A
    • DeleteDC.GDI32(00000000), ref: 00434233
    • DeleteObject.GDI32(?), ref: 0043423C
      • Part of subcall function 00433C14: BeginPaint.USER32(00000000,?), ref: 00433C3A
      • Part of subcall function 00433C14: EndPaint.USER32(00000000,?,00433D3B), ref: 00433D2E
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Paint$Object$BeginDeleteSelect$A570
    • String ID:
    • API String ID: 3982538872-0
    • Opcode ID: daa97e5b9b75ed434fabb78430e039a57ffd9fe914323e4ae742aa64d1541e20
    • Instruction ID: 1d7a927d5924c4258a53f9db8f04520d8736abfbdfcfe5d8044c8abadf566d1e
    • Opcode Fuzzy Hash: daa97e5b9b75ed434fabb78430e039a57ffd9fe914323e4ae742aa64d1541e20
    • Instruction Fuzzy Hash: A4412275B00204AFDB00EBA9CD85B9EB7F8EB4D704F1054BAB905EB381DA78ED058B54
    APIs
    • GetKeyboardLayoutList.USER32(00000040,?,00000000,0044CC77,?,021212E8,?,0044CCD9,00000000,?,00431D9B), ref: 0044CB22
    • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 0044CB8A
    • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0044CC33,?,80000002,00000000), ref: 0044CBC4
    • RegCloseKey.ADVAPI32(?,0044CC3A,00000000,?,00000100,00000000,0044CC33,?,80000002,00000000), ref: 0044CC2D
    Strings
    • layout text, xrefs: 0044CBBB
    • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0044CB74
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseKeyboardLayoutListOpenQueryValue
    • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
    • API String ID: 1703357764-2652665750
    • Opcode ID: d548f5e38767376c019a45c8819f3edb9b9c888c61683a6b872d6bc09a5e3946
    • Instruction ID: 42de186f8e7e7459910d7ce9570c06a6171b511bf2e2257150886b1d595d97c2
    • Opcode Fuzzy Hash: d548f5e38767376c019a45c8819f3edb9b9c888c61683a6b872d6bc09a5e3946
    • Instruction Fuzzy Hash: 73414A74A01209AFEB50DF95C9C5B9EB7F8EB48304F9440A6E904A7391D738AE40CF69
    APIs
    • GetDesktopWindow.USER32 ref: 004302D7
    • SelectObject.GDI32(?,00000000), ref: 0043030D
    • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00430333
    • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00430355
    • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00430374
    • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043038E
    • SelectObject.GDI32(?,?), ref: 0043039B
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ObjectSelect$DesktopWindow
    • String ID:
    • API String ID: 2666862715-0
    • Opcode ID: a7d7e0f77347c24edc8819047763955c44260c36af180235df792cc1840eaf41
    • Instruction ID: 9641c210b25c5c82272c7aabe8a00960feae40dc4ea532cbbceabbeee1662bd0
    • Opcode Fuzzy Hash: a7d7e0f77347c24edc8819047763955c44260c36af180235df792cc1840eaf41
    • Instruction Fuzzy Hash: 1D312D76A00219BFDB00DEEDCC89DAFBBBCEF09704B414569B514F7280C6B9AD008B64
    APIs
    • MulDiv.KERNEL32(?,?,000009EC), ref: 0042021E
    • MulDiv.KERNEL32(?,?,000009EC), ref: 00420235
    • 73A0A570.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 0042024C
    • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,00420307,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00420270
    • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,004202E7,?,?,00000000,00000000,00000008,?,00000000,00420307), ref: 004202A3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: BitsFileMeta$A570
    • String ID: `
    • API String ID: 2497453717-2679148245
    • Opcode ID: 056bb58244fb476ab68757026ffa16eb1b9f70615486c4ffa2e93fe4aaf0b379
    • Instruction ID: 856e7ea02e290948a5282cf371cf5cb742a4fdd59c663b12fe23be4783d2529d
    • Opcode Fuzzy Hash: 056bb58244fb476ab68757026ffa16eb1b9f70615486c4ffa2e93fe4aaf0b379
    • Instruction Fuzzy Hash: 37316374A00218EBDB00DFD5C886AAEB7F8EF48704F5144AAF904EB281D6789E40D769
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0041909B
    • GetCurrentThreadId.KERNEL32 ref: 004190AA
    • RtlEnterCriticalSection.NTDLL(00453868), ref: 004190EF
    • InterlockedExchange.KERNEL32(004513E8,?), ref: 0041910B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
    • String ID: 00E$` A
    • API String ID: 2380408948-1388186709
    • Opcode ID: f305ec1ca999679d38b70ab7fa82528bcc7e1c0989ab01a55fba29a11a13da2a
    • Instruction ID: 349c32b01d6f96dda6392af8d7cc216ba0213b1564d9764565bf64509d98f92c
    • Opcode Fuzzy Hash: f305ec1ca999679d38b70ab7fa82528bcc7e1c0989ab01a55fba29a11a13da2a
    • Instruction Fuzzy Hash: 2121B330A04209BFE701DBA5CD65BAB7BF8DB09704F6144B6F800A2292D77C9D84CB69
    APIs
    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423D70
    • GetSystemMetrics.USER32(00000000), ref: 00423D85
    • GetSystemMetrics.USER32(00000001), ref: 00423D90
    • lstrcpy.KERNEL32(?,DISPLAY), ref: 00423DBA
      • Part of subcall function 00423914: GetProcAddress.KERNEL32(75A50000,00000000), ref: 00423994
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: System$Metrics$AddressInfoParametersProclstrcpy
    • String ID: DISPLAY$GetMonitorInfoA
    • API String ID: 2545840971-1370492664
    • Opcode ID: 583dc1688553441e14405861f67246eecaa017788148555e1a34f1e69f1a6a9a
    • Instruction ID: 983e12a5c0a7d420817018238723cfa7b00a397f031080161c41ffe4463912ec
    • Opcode Fuzzy Hash: 583dc1688553441e14405861f67246eecaa017788148555e1a34f1e69f1a6a9a
    • Instruction Fuzzy Hash: FB11E4717117245FD720DF61AC44BA7BBF8EF05753F40442BED5597281D2B8EA408BA8
    APIs
    • GetCursorPos.USER32 ref: 0044CD97
    • WindowFromPoint.USER32(?,?), ref: 0044CDA4
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044CDB2
    • GetCurrentThreadId.KERNEL32 ref: 0044CDB9
    • SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 0044CDD2
    • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 0044CDE9
    • SetCursor.USER32(00000000), ref: 0044CDFB
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
    • String ID:
    • API String ID: 1770779139-0
    • Opcode ID: 555ab2344d87311df070fde4577a6daa1be8fa8157f3f0e6f25cee1ff0ca64b0
    • Instruction ID: e7ab3f495136f32e37951899dc7a8e01c30ad735d875c5a355a2de6b7e6ffa9b
    • Opcode Fuzzy Hash: 555ab2344d87311df070fde4577a6daa1be8fa8157f3f0e6f25cee1ff0ca64b0
    • Instruction Fuzzy Hash: 6201D46260221026E620363A4C86B3F2959DB81B58F15013FB605BB2C3EA3D9C1012AE
    APIs
    • FillRect.USER32(?,?), ref: 00448949
    • GetClientRect.USER32(00000000,?), ref: 00448974
    • FillRect.USER32(?,?,00000000), ref: 00448993
      • Part of subcall function 00448844: CallWindowProcA.USER32(?,?,?,?,?), ref: 0044887E
    • BeginPaint.USER32(?,?), ref: 00448A0B
    • GetWindowRect.USER32(?,?), ref: 00448A38
    • EndPaint.USER32(?,?,00448AAC), ref: 00448A98
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Rect$FillPaintWindow$BeginCallClientProc
    • String ID:
    • API String ID: 901200654-0
    • Opcode ID: 4caaca47aef12cb24d410d2dff8d5c99e3febda0cb6e98d1dc67b62cf7ba3770
    • Instruction ID: 2617f0800810acdf7ad71431d6f8bbf5d10a55f080e2594231a6af4d4941c073
    • Opcode Fuzzy Hash: 4caaca47aef12cb24d410d2dff8d5c99e3febda0cb6e98d1dc67b62cf7ba3770
    • Instruction Fuzzy Hash: C351FF75A00508EFDB00DB99C989EADB7F8AF48314F5581AAF404E7352DB38AE45DF08
    APIs
    • RtlEnterCriticalSection.NTDLL(004535C8), ref: 00401AED
    • LocalFree.KERNEL32(0073FA80,00000000,00401B96), ref: 00401AFF
    • VirtualFree.KERNEL32(?,00000000,00008000,0073FA80,00000000,00401B96), ref: 00401B1E
    • LocalFree.KERNEL32(0073D2D8,?,00000000,00008000,0073FA80,00000000,00401B96), ref: 00401B5D
    • RtlLeaveCriticalSection.NTDLL(004535C8), ref: 00401B86
    • RtlDeleteCriticalSection.NTDLL(004535C8), ref: 00401B90
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
    • String ID:
    • API String ID: 3782394904-0
    • Opcode ID: 418af33a2ce99893fef64c2123e8b22c2f96b970e5f632a7478c788abf3af0cc
    • Instruction ID: 0d58bb05f89e5d7700ab004c9a201182d2209ad35ffff74c7c4d0d5a84214d0e
    • Opcode Fuzzy Hash: 418af33a2ce99893fef64c2123e8b22c2f96b970e5f632a7478c788abf3af0cc
    • Instruction Fuzzy Hash: 521181706007487AE716AF669841B1A37E4A745B8BF5050BBF800A76F3F77DEA44871C
    APIs
      • Part of subcall function 0041CDC4: CreateBrushIndirect.GDI32(?), ref: 0041CE6E
    • UnrealizeObject.GDI32(00000000), ref: 0041D63C
    • SelectObject.GDI32(?,00000000), ref: 0041D64E
    • SetBkColor.GDI32(?,00000000), ref: 0041D671
    • SetBkMode.GDI32(?,00000002), ref: 0041D67C
    • SetBkColor.GDI32(?,00000000), ref: 0041D697
    • SetBkMode.GDI32(?,00000001), ref: 0041D6A2
      • Part of subcall function 0041C104: GetSysColor.USER32(?), ref: 0041C10E
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
    • String ID:
    • API String ID: 3527656728-0
    • Opcode ID: 882def16c15ed7cc8666e44c690eee56ded741615b5cb28312a7142fe00d7077
    • Instruction ID: a0ca9fa6ff3596c7d6a8c58a4c6c303cf8d904130391b4f5a081a1649536d854
    • Opcode Fuzzy Hash: 882def16c15ed7cc8666e44c690eee56ded741615b5cb28312a7142fe00d7077
    • Instruction Fuzzy Hash: 54F06BB5680100ABCA00FFBAEDC7A5A6B985F0430970544BEB909DF197CA7DD8605739
    APIs
      • Part of subcall function 00403090: GetKeyboardType.USER32(00000000), ref: 00403095
      • Part of subcall function 00403090: GetKeyboardType.USER32(00000001), ref: 004030A1
    • GetCommandLineA.KERNEL32 ref: 00405C4F
    • GetVersion.KERNEL32 ref: 00405C63
    • GetVersion.KERNEL32 ref: 00405C74
    • GetCurrentThreadId.KERNEL32 ref: 00405CB0
      • Part of subcall function 004030C0: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004030E2
      • Part of subcall function 004030C0: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403131,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403115
      • Part of subcall function 004030C0: RegCloseKey.ADVAPI32(?,00403138,00000000,?,00000004,00000000,00403131,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040312B
    • GetThreadLocale.KERNEL32 ref: 00405C90
      • Part of subcall function 00405B20: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405B86), ref: 00405B46
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
    • String ID:
    • API String ID: 3734044017-0
    • Opcode ID: 8d9a5eaf7ce2526fa274e1559021833dc38aad65412e974d69086b0400b0c997
    • Instruction ID: 397764ca14bdaf6197418095bc87989f1932c7aec48550f986921276a810a759
    • Opcode Fuzzy Hash: 8d9a5eaf7ce2526fa274e1559021833dc38aad65412e974d69086b0400b0c997
    • Instruction Fuzzy Hash: 320121B480578599E711BF72A81A3463A60AB0178BF1054BFD541BA2F7EB3CC3489F5E
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B0D1
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B0F5
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B110
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040B1A6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FileModuleName$LoadQueryStringVirtual
    • String ID: \n@
    • API String ID: 3990497365-390400383
    • Opcode ID: 98bca6d81908aa3ae5aa5c850fcaf77767871eaf567bda18c6af4316814543ea
    • Instruction ID: ef8044d5d4df3e6e2e3dbdf30d9db27fc901f1ae8f7f6f207a29a878e723bca8
    • Opcode Fuzzy Hash: 98bca6d81908aa3ae5aa5c850fcaf77767871eaf567bda18c6af4316814543ea
    • Instruction Fuzzy Hash: 1F4145709002589BDB21DB55CD85BDAB7FC9B58344F0040FAA548F7392D7789F948F58
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B0D1
    • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B0F5
    • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B110
    • LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 0040B1A6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FileModuleName$LoadQueryStringVirtual
    • String ID: \n@
    • API String ID: 3990497365-390400383
    • Opcode ID: f193987cd0f8c109f3bf0eb20e4fc2d4a6e7b9abd8999e454860dd93216e7473
    • Instruction ID: f48a134e96e6538b88d8d9fa87e96f0fbf961e1444cd1e6591899f08bc9f60e5
    • Opcode Fuzzy Hash: f193987cd0f8c109f3bf0eb20e4fc2d4a6e7b9abd8999e454860dd93216e7473
    • Instruction Fuzzy Hash: 27414370A002589BDB21DB59CD85BDAB7FC9B58345F0000FAA548FB392DB789F948F58
    APIs
      • Part of subcall function 0040BB54: 74D31540.VERSION(?,0040BC3C,?,?,00000000,?,00000000,?,00000000,0040BC0D,?,00000000,?,00000000,0040BC2A), ref: 0040BBE5
    • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 0043D620
    • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 0043D631
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressD31540HandleModuleProc
    • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
    • API String ID: 1396334358-3125200627
    • Opcode ID: a5940407faa6fe19f076acb3d6e02211cb447e62c07a666fc648ee3462541a3b
    • Instruction ID: f71e1243184c320c8c9db3facbfba2a585250f0f87318cbf85741c4d5b146a36
    • Opcode Fuzzy Hash: a5940407faa6fe19f076acb3d6e02211cb447e62c07a666fc648ee3462541a3b
    • Instruction Fuzzy Hash: 47218130A00600ABD301AF76AD47B2A76A89B49749F10643AF819E72E3DA79ED00875C
    APIs
    • GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004429C6
    • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00442A18
    • DrawMenuBar.USER32(00000000), ref: 00442A25
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Menu$InfoItem$Draw
    • String ID: @7E$P
    • API String ID: 3227129158-536842293
    • Opcode ID: 5f15fc215f718deda88ce9ffcb50d2ed44d3893b88c21bff5cc39cf8c42abcec
    • Instruction ID: 7bbaad96db14382909082f5e08ff3f13ba3555b94c3110dfca77ece096fe1f83
    • Opcode Fuzzy Hash: 5f15fc215f718deda88ce9ffcb50d2ed44d3893b88c21bff5cc39cf8c42abcec
    • Instruction Fuzzy Hash: 871123306052006FE320DF28CD81B4BB6D4AF84324F54863AF494DB3D6E7B8C944C79A
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004030E2
    • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403131,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403115
    • RegCloseKey.ADVAPI32(?,00403138,00000000,?,00000004,00000000,00403131,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040312B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
    • API String ID: 3677997916-4173385793
    • Opcode ID: 8d42df49e10ef56bd80bcc718af2185d0c0a7ef5b2c5648d147224ac3ada84f4
    • Instruction ID: 6eaef0ee8b78cfba7cc6ded7dec6fd44dd65717642ade35e850767b8c0b6b78a
    • Opcode Fuzzy Hash: 8d42df49e10ef56bd80bcc718af2185d0c0a7ef5b2c5648d147224ac3ada84f4
    • Instruction Fuzzy Hash: 1E017975A40348B9DB11DF91CC42FAE77BCE709B01F5001B6B910F65D1E6785650C75C
    APIs
    • RtlInitializeCriticalSection.NTDLL(00453824), ref: 004104B2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalInitializeSection
    • String ID: ,@$T@$T@$d@
    • API String ID: 32694325-91845537
    • Opcode ID: 8bd1ba3b5a17da11f5964cf2d098480c7dd8007196f43e4cb355311eb715f5f9
    • Instruction ID: e84e80de5e57017f915321748629eb8443e0fc9796ab4d1c03754abbcb31484f
    • Opcode Fuzzy Hash: 8bd1ba3b5a17da11f5964cf2d098480c7dd8007196f43e4cb355311eb715f5f9
    • Instruction Fuzzy Hash: 7E0122B42003419FC305EF2AA841611BBE0E78A746320C837E804DB7A2E378D995CB9D
    APIs
    • FreeLibrary.KERNEL32(00000000,00000000,00427F4B), ref: 00427F04
    • FreeLibrary.KERNEL32(00000000,00000000,00427F4B), ref: 00427F18
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: (~B$(~B$@~B
    • API String ID: 3664257935-2884500598
    • Opcode ID: efff4393f7aeeaca1419cdad04bb9b65d46fca0fcae007ee49523e970bf8c742
    • Instruction ID: a60171f47cbbefd8faf65afa729fae67ccabe660db8de2cbbb52d4321568c2e0
    • Opcode Fuzzy Hash: efff4393f7aeeaca1419cdad04bb9b65d46fca0fcae007ee49523e970bf8c742
    • Instruction Fuzzy Hash: 8EF06DB130C2008BDB11DB26FD217237368E745382B924437F54093AA2C27CDC10CB5C
    APIs
    • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0043F7F7
    • OffsetRect.USER32(?,00000001,00000001), ref: 0043F848
    • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0043F87D
    • OffsetRect.USER32(?,000000FF,000000FF), ref: 0043F88A
    • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0043F8F1
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Draw$OffsetRectText$Edge
    • String ID:
    • API String ID: 3610532707-0
    • Opcode ID: 3b71f4d6dc448624b4fa823f486c38016e270cf47ec9967aadd52eae51c86d0f
    • Instruction ID: fd02ea2ab1721e6e9937fb1676e051b31e9928bff6f156ca000a6992dd96d476
    • Opcode Fuzzy Hash: 3b71f4d6dc448624b4fa823f486c38016e270cf47ec9967aadd52eae51c86d0f
    • Instruction Fuzzy Hash: 17517170E00644AFDB14FBA9C882B9EB7E5AF49318F15917BF910A7392C73C9D448B19
    APIs
    • BeginPaint.USER32(00000000,?), ref: 00433C3A
    • SaveDC.GDI32(?), ref: 00433C6E
    • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 00433CD0
    • RestoreDC.GDI32(?,?), ref: 00433CFA
    • EndPaint.USER32(00000000,?,00433D3B), ref: 00433D2E
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Paint$BeginClipExcludeRectRestoreSave
    • String ID:
    • API String ID: 3808407030-0
    • Opcode ID: 1dd22401903dda4a549b55ae81e43acede69b946069867d4a090c0c996a66e4d
    • Instruction ID: 9e09de6a48b8ceef7b231df3eaee22a2232a4fce0d6fb87f59ad99b5aba792c4
    • Opcode Fuzzy Hash: 1dd22401903dda4a549b55ae81e43acede69b946069867d4a090c0c996a66e4d
    • Instruction Fuzzy Hash: 8C418E71A002489FC700DF99C885F9EB7F9EF48305F1590AAE505A7362D7389E40CB18
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4240fb9c08d848206c8e071a47468f83931e701fe80fb63d20f552efa9dd9c87
    • Instruction ID: 61f38f3686a14f1564ecc18bd640ed71b662c80add9353a073f3eedcfdebc66f
    • Opcode Fuzzy Hash: 4240fb9c08d848206c8e071a47468f83931e701fe80fb63d20f552efa9dd9c87
    • Instruction Fuzzy Hash: F811A221F013546ADB20AE7A9D06B5F26888F59709F44303BBC01AB3A3DA3CCC1F825C
    APIs
    • GetCapture.USER32 ref: 0044E98B
    • SendMessageA.USER32(00000000,-0000BBEE,021216DC,?), ref: 0044E9DF
    • GetWindowLongA.USER32(00000000,000000FA), ref: 0044E9EF
    • SendMessageA.USER32(00000000,-0000BBEE,021216DC,?), ref: 0044EA0E
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MessageSend$CaptureLongWindow
    • String ID:
    • API String ID: 1158686931-0
    • Opcode ID: 4047daf9bed829ac047af30d2fc94ea0019122afb18e2dae3c12c99785fdd61f
    • Instruction ID: 8233e4d8b5a52c2e8c693fea4fd449999d7c193b5812d84b276360317f6a8c14
    • Opcode Fuzzy Hash: 4047daf9bed829ac047af30d2fc94ea0019122afb18e2dae3c12c99785fdd61f
    • Instruction Fuzzy Hash: B81154B12042099FF660FA9B9940E17B3DCBB14359B15043BF95AE3382E629EC10826C
    APIs
      • Part of subcall function 0041DFF0: GetObjectA.GDI32(?,00000004), ref: 0041E007
    • 73A0A570.USER32(00000000), ref: 0042088E
    • SelectObject.GDI32(?), ref: 004208A7
    • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,004208FF,?,?,?,?,00000000), ref: 004208CB
    • SelectObject.GDI32(?,?), ref: 004208E5
    • DeleteDC.GDI32(?), ref: 004208EE
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Object$Select$A570ColorDeleteTable
    • String ID:
    • API String ID: 1418124628-0
    • Opcode ID: 8e5e13cf5924926d1862d1d7b31d2d9ae6698e7aa16779188513cc5a79cb63b5
    • Instruction ID: a4f4b057f7bcb3f3b51deb35690037e14f6cb12306aab41e875dbc4aad2aff31
    • Opcode Fuzzy Hash: 8e5e13cf5924926d1862d1d7b31d2d9ae6698e7aa16779188513cc5a79cb63b5
    • Instruction Fuzzy Hash: E01127B1E002196BDB10EBE9DC51AAEB7FCEB04704F5144BAF505E7282D6789D508758
    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040AE67,?,?,00000000), ref: 0040ADE8
      • Part of subcall function 0040AB48: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AB66
    • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040AE67,?,?,00000000), ref: 0040AE18
    • EnumCalendarInfoA.KERNEL32(Function_0000AD1C,00000000,00000000,00000004), ref: 0040AE23
    • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040AE67,?,?,00000000), ref: 0040AE41
    • EnumCalendarInfoA.KERNEL32(Function_0000AD58,00000000,00000000,00000003), ref: 0040AE4C
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Locale$InfoThread$CalendarEnum
    • String ID:
    • API String ID: 4102113445-0
    • Opcode ID: 1f0c53ef493b06e159ca760c3884b5263a1c071753658ea3af3bbcd7ef423747
    • Instruction ID: c2e92ace8b35af2e1dd5d0c6f6c97078b2f6837e4eefb5e69604788106485d64
    • Opcode Fuzzy Hash: 1f0c53ef493b06e159ca760c3884b5263a1c071753658ea3af3bbcd7ef423747
    • Instruction Fuzzy Hash: E501F2716807046EE711BB75CC13B5F725CDB46B18F610577F601B66C1DA7CAE2082AE
    APIs
    • UnhookWindowsHookEx.USER32(00000000), ref: 0044D62F
    • SetEvent.KERNEL32(00000000,0044F9AE), ref: 0044D64A
    • GetCurrentThreadId.KERNEL32 ref: 0044D64F
    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0044F9AE), ref: 0044D664
    • CloseHandle.KERNEL32(00000000,00000000,0044F9AE), ref: 0044D66F
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
    • String ID:
    • API String ID: 2429646606-0
    • Opcode ID: f0709bb572572156b18cf4c7f5c11f015519a1af42b2ded02a5efc28ba0813fa
    • Instruction ID: d38fa028042cb23b8c86e1fe4b9f779cf268ef090a528f5aea881ecbbbe2affc
    • Opcode Fuzzy Hash: f0709bb572572156b18cf4c7f5c11f015519a1af42b2ded02a5efc28ba0813fa
    • Instruction Fuzzy Hash: CDF098B190035A9AD761EFA9DC45A0632A8A714787B11453AE125D71E3D638F6418F1C
    APIs
    • GetCursorPos.USER32(?), ref: 0043A420
    • SetCursor.USER32(00000000,?,00000000,0043A5B8), ref: 0043A4B2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Cursor
    • String ID: XGD
    • API String ID: 3268636600-1399323217
    • Opcode ID: 83b5c7f961a2d0536f59069332701a72704962d9eae694d95b31030eb452c661
    • Instruction ID: 93340573daf02cc04de1aa720b7366baef2cb2e8a5f656ce79f98eb75a70de95
    • Opcode Fuzzy Hash: 83b5c7f961a2d0536f59069332701a72704962d9eae694d95b31030eb452c661
    • Instruction Fuzzy Hash: 5DC1C032A00218DFCF10DFA9C98599EB7F4BF08304F549666E841AB351C778EE51CB8A
    APIs
    • GetThreadLocale.KERNEL32(?,00000000,0040B04A,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040AEAF
      • Part of subcall function 0040AB48: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040AB66
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Locale$InfoThread
    • String ID: eeee$ggg$yyyy
    • API String ID: 4232894706-1253427255
    • Opcode ID: 4a18675c78275ac99e4690041280f4db0cab0715c9e3d199ea224a6aa04dc3cf
    • Instruction ID: 9304ba22366313c48458aa4bd2659bb2d68ddecf3c953af22d57b240e37c8d20
    • Opcode Fuzzy Hash: 4a18675c78275ac99e4690041280f4db0cab0715c9e3d199ea224a6aa04dc3cf
    • Instruction Fuzzy Hash: 1441F6B070420A4BC711EA7988816BFB2A6DBC5304B20447BF552B37C6D73CDD06A29E
    APIs
    • WinHelpA.USER32(00000000), ref: 00429E98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Help
    • String ID: IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")$d6E$|BB
    • API String ID: 2830496658-57538504
    • Opcode ID: 33f08927c7016032c91da6cd4c71189c88f8f45643c325da597efa705691f4c5
    • Instruction ID: 6e7903a24451c728da17b536f54819142729fc4393764454afe773f21af52618
    • Opcode Fuzzy Hash: 33f08927c7016032c91da6cd4c71189c88f8f45643c325da597efa705691f4c5
    • Instruction Fuzzy Hash: 63314670B002559BDB04EF65D841A9EBBB9EF48308F91447EF804A73C2DB799E44CB69
    APIs
      • Part of subcall function 0044F3C0: GetCursorPos.USER32 ref: 0044F3C9
    • GetCurrentThreadId.KERNEL32 ref: 0044F504
    • WaitMessage.USER32(00000000,0044F548,?,?,?,021216DC), ref: 0044F528
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CurrentCursorMessageThreadWait
    • String ID: 00E$tD
    • API String ID: 535285469-2876072399
    • Opcode ID: 0ece002c92e7f912f308247725d401911e6d3bbbe7be86a5c51d770e5746f2bf
    • Instruction ID: b6e914e0454d95ba0130732dfd8b394ca9db5fcbf3ff084d1738b48b4aad5d45
    • Opcode Fuzzy Hash: 0ece002c92e7f912f308247725d401911e6d3bbbe7be86a5c51d770e5746f2bf
    • Instruction Fuzzy Hash: 6E319A70A04244EFEB11DFA5C946B9FB7F5EB55304F5144BAE80097392D7786E48CB18
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040D265,00000000,0040D278), ref: 0040C802
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040C813
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: GetDiskFreeSpaceExA$kernel32.dll
    • API String ID: 1646373207-3712701948
    • Opcode ID: ab12deef9042a945e668ae7a58af36d82006793b8b7b261b5619ccd9e3909b1e
    • Instruction ID: 6a27d76d4bbfedcf223ecda20bf0449f1f5fe993d3d362d15b9cf35814a1e3f3
    • Opcode Fuzzy Hash: ab12deef9042a945e668ae7a58af36d82006793b8b7b261b5619ccd9e3909b1e
    • Instruction Fuzzy Hash: C2D0A772650701CEDB00BBB05CC1B0625C8A784747F40B27F6941762E7D77DC800874C
    APIs
    • GetDesktopWindow.USER32 ref: 0042D784
    • GetDesktopWindow.USER32 ref: 0042D8A9
    • SetCursor.USER32(00000000), ref: 0042D8FE
      • Part of subcall function 00437A00: ShowCursor.USER32(000000FF,00000000,?,0042D8D9), ref: 00437A37
    • SetCursor.USER32(00000000), ref: 0042D8E9
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Cursor$DesktopWindow$Show
    • String ID:
    • API String ID: 110329033-0
    • Opcode ID: e8e820170140884acac0ab6d1887056430e3d6f65850c06b56ead15835cef8f6
    • Instruction ID: f99f711e6bfaa5382fd807a170e057cbda10dd74b17dcec8fd35be492ba70168
    • Opcode Fuzzy Hash: e8e820170140884acac0ab6d1887056430e3d6f65850c06b56ead15835cef8f6
    • Instruction Fuzzy Hash: B1914DB86003A18FC714EF29E884A06B7E1BF88346F54817AE94587367C738FD44CB49
    APIs
    • SetTextColor.GDI32(00000000,00FFFFFF), ref: 0043C9A5
    • SetBkColor.GDI32(00000000,00000000), ref: 0043C9AD
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Color$Text
    • String ID:
    • API String ID: 657580467-0
    • Opcode ID: 8c1e278c8e9a95bef9c2cf34907b8bc026ee788d273cc0e7c708f06f99319980
    • Instruction ID: fc92355e660ed51630bc30c817b8cf5bdb885d685ac55673d81dfe7addadf012
    • Opcode Fuzzy Hash: 8c1e278c8e9a95bef9c2cf34907b8bc026ee788d273cc0e7c708f06f99319980
    • Instruction Fuzzy Hash: 15512A71700214ABCB40FF6DDDC2F9E37E8AF48704F10116AB905EB286CA78ED418B69
    APIs
      • Part of subcall function 0042D5C4: WindowFromPoint.USER32(0042D39E,00453B54,00000000,0042D18E,?,-0000000C,?), ref: 0042D5CA
      • Part of subcall function 0042D5C4: GetParent.USER32(00000000), ref: 0042D5E1
    • GetWindow.USER32(00000000,00000004), ref: 0042D196
    • GetCurrentThreadId.KERNEL32 ref: 0042D26A
    • GetWindowRect.USER32(00000000,?), ref: 0042D287
    • IntersectRect.USER32(?,?,?), ref: 0042D2F5
      • Part of subcall function 0042C6E0: GetWindowThreadProcessId.USER32(?), ref: 0042C6ED
      • Part of subcall function 0042C6E0: GetCurrentProcessId.KERNEL32(?,?,?,00000000,00000000,0042D1B0,?,-0000000C,?), ref: 0042C6F6
      • Part of subcall function 0042C6E0: GlobalFindAtomA.KERNEL32(00000000), ref: 0042C70B
      • Part of subcall function 0042C6E0: GetPropA.USER32(?,00000000), ref: 0042C722
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
    • String ID:
    • API String ID: 2049660638-0
    • Opcode ID: 31e87e554bc4f99819a06559e814ebf8e36af0bb9433d3f52e4ade19ec06658a
    • Instruction ID: 9102e59c82a56334a26e70bbe6f677e034bc4a8db58be8c95b08655d458dfad9
    • Opcode Fuzzy Hash: 31e87e554bc4f99819a06559e814ebf8e36af0bb9433d3f52e4ade19ec06658a
    • Instruction Fuzzy Hash: DE515D35B002199FCB10DFA9D885AAEB7E4BF08354F544166E805EB351D738EE41CBA9
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040E6CF
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040E6EB
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040E762
    • VariantClear.OLEAUT32(?), ref: 0040E78B
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ArraySafe$Bound$ClearIndexVariant
    • String ID:
    • API String ID: 920484758-0
    • Opcode ID: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
    • Instruction ID: cac6a3568871e46d576a1dca847699b47e180278be80bb09b63fa0c6341688ab
    • Opcode Fuzzy Hash: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
    • Instruction Fuzzy Hash: D3411F75A012199FCB61DB5ACC90AC9B3BCAF58304F0045EAE648B7352DA38AF958F54
    APIs
    • GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 0040C314
    • GetThreadLocale.KERNEL32 ref: 0040C24A
      • Part of subcall function 0040C1A8: GetCPInfo.KERNEL32(00000000,?), ref: 0040C1C1
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: InfoLocaleStringThreadType
    • String ID:
    • API String ID: 1505017576-0
    • Opcode ID: 0d4bb6e4656e2b97efa633d4ee60de4b88883a89c1bdb7976dccee70aa2cc167
    • Instruction ID: 66825550166bc09e821f92b94792eec207715da037231450b9cded8c3aa3e82e
    • Opcode Fuzzy Hash: 0d4bb6e4656e2b97efa633d4ee60de4b88883a89c1bdb7976dccee70aa2cc167
    • Instruction Fuzzy Hash: 743166E0D40344DBE320DB65AC813563798EB46787F44C2BBD984AB3D3D63C9A448B2E
    APIs
    • GetMenuState.USER32(?,?,?), ref: 00442FF3
    • GetSubMenu.USER32(?,?), ref: 00442FFE
    • GetMenuItemID.USER32(?,?), ref: 00443017
    • GetMenuStringA.USER32(?,?,?,?,?), ref: 0044306A
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Menu$ItemStateString
    • String ID:
    • API String ID: 306270399-0
    • Opcode ID: 3dd919b4153f2caf816f9ee3f7abcb0285f7bf006103d844c591cc330a88b3dc
    • Instruction ID: c5e5c2e0bb21b0a671e1f0832726842fb766c7043fb182428b25107c19dd9122
    • Opcode Fuzzy Hash: 3dd919b4153f2caf816f9ee3f7abcb0285f7bf006103d844c591cc330a88b3dc
    • Instruction Fuzzy Hash: AA11B131200118BFD710EE2DCC849AF77E89F4A764B10452EF819E7386DA38DE019768
    APIs
    • GetWindowLongA.USER32(00000000,000000EC), ref: 0044C024
    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 0044C056
    • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,00449BE4), ref: 0044C090
    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 0044C0A9
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Window$Long$AttributesLayered
    • String ID:
    • API String ID: 2169480361-0
    • Opcode ID: 1aa4e2510563a4e46f0d20a716560331819b3dc0cedd6313e857086391c3451f
    • Instruction ID: 2cf8b848698ca983316dbd4e8c01eb0c9e6f9ce5239c5bbe058faeab7f2cacb1
    • Opcode Fuzzy Hash: 1aa4e2510563a4e46f0d20a716560331819b3dc0cedd6313e857086391c3451f
    • Instruction Fuzzy Hash: CD113A60A4638066EB50ABB94CC8B5A268C1B09318F1C197ABD45EB2D7CA3CC804C75C
    APIs
    • SelectObject.GDI32(00000000,00000000), ref: 0041DF6E
    • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00421AFF,?,?,?,?,004206EB), ref: 0041DF82
    • SelectObject.GDI32(00000000,00000000), ref: 0041DF8E
    • DeleteDC.GDI32(00000000), ref: 0041DF94
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ObjectSelect$ColorDeleteTable
    • String ID:
    • API String ID: 3862836420-0
    • Opcode ID: 2fdd3d6d84374230630783b99acc41978a54998e953eaa98536dad554baa33f7
    • Instruction ID: 3b2216fbc6e9e9eebc56daa5f74febf94c55c3e0e4d5ed8692c6375544e1f1fd
    • Opcode Fuzzy Hash: 2fdd3d6d84374230630783b99acc41978a54998e953eaa98536dad554baa33f7
    • Instruction Fuzzy Hash: B601B9B160431066D61077668C43F9B72BC8FC0758F05C92FB58A9B2C2E67CCD95839E
    APIs
    • FindResourceA.KERNEL32(?,?,?), ref: 00415E3F
    • LoadResource.KERNEL32(?,00415ECC,?,?,?,00411CFC,?,00000001,00000000,?,00415D98,?), ref: 00415E59
    • SizeofResource.KERNEL32(?,00415ECC,?,00415ECC,?,?,?,00411CFC,?,00000001,00000000,?,00415D98,?), ref: 00415E73
    • LockResource.KERNEL32(00415B90,00000000,?,00415ECC,?,00415ECC,?,?,?,00411CFC,?,00000001,00000000,?,00415D98,?), ref: 00415E7D
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Resource$FindLoadLockSizeof
    • String ID:
    • API String ID: 3473537107-0
    • Opcode ID: 5550ac92b63ffdb90e59573ab5b8615e914841700f445db7d9a75b32e1e90cfb
    • Instruction ID: ba041cb83a24abbe2c1954882cf7e9d3ded93106236a38fda582a81d01cd260f
    • Opcode Fuzzy Hash: 5550ac92b63ffdb90e59573ab5b8615e914841700f445db7d9a75b32e1e90cfb
    • Instruction Fuzzy Hash: B9F06DB2605604AF9744EF5DA881DDB77DCDE89264310042FF908DB346DA39ED51477C
    APIs
    • GetWindowThreadProcessId.USER32(00000000), ref: 0042D571
    • GetCurrentProcessId.KERNEL32(?,-0000000C,00000000,0042D5DC,0042D39E,00453B54,00000000,0042D18E,?,-0000000C,?), ref: 0042D57A
    • GlobalFindAtomA.KERNEL32(00000000), ref: 0042D58F
    • GetPropA.USER32(00000000,00000000), ref: 0042D5A6
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
    • String ID:
    • API String ID: 2582817389-0
    • Opcode ID: 69e4012416e60fa78b836d1f24d3e1c04310436707ba926b4d6ffff7a09d3f41
    • Instruction ID: 2786827e565dc108da5be0574dd4e40cca5e92818b2a7c2f558666e02ce7dabe
    • Opcode Fuzzy Hash: 69e4012416e60fa78b836d1f24d3e1c04310436707ba926b4d6ffff7a09d3f41
    • Instruction Fuzzy Hash: 27F0EC51B01631B796207B767C41E7F629C9D0035A785413BFC01D129FDA2CCD9181BD
    APIs
    • GetWindowThreadProcessId.USER32(?), ref: 0042C6ED
    • GetCurrentProcessId.KERNEL32(?,?,?,00000000,00000000,0042D1B0,?,-0000000C,?), ref: 0042C6F6
    • GlobalFindAtomA.KERNEL32(00000000), ref: 0042C70B
    • GetPropA.USER32(?,00000000), ref: 0042C722
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
    • String ID:
    • API String ID: 2582817389-0
    • Opcode ID: 0dc5b5328d7161f651a468f1342afc3118d4541a2ee8a732f6e3f52b332222ec
    • Instruction ID: 6eaf7b9833e1697c8055ace256cf3bd8335329dc1ce0c2095d113ec755c473dd
    • Opcode Fuzzy Hash: 0dc5b5328d7161f651a468f1342afc3118d4541a2ee8a732f6e3f52b332222ec
    • Instruction Fuzzy Hash: 2CF0379170123266DA10BB767CC5C6F659C89543D67810537F941E7247DA2DCC1186BD
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0044D5C4
    • SetWindowsHookExA.USER32(00000003,0044D568,00000000,00000000), ref: 0044D5D4
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0044D5EF
    • CreateThread.KERNEL32(00000000,000003E8,0044D50C,00000000,00000000), ref: 0044D613
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateThread$CurrentEventHookWindows
    • String ID:
    • API String ID: 1195359707-0
    • Opcode ID: cfc92b23f942eac910387b27b59b18feef752a9dce931b48204979f89b513aa8
    • Instruction ID: 3922fde0ec631aaa248612f49fa4f65538fbd98d0e86cbc8fe14adad6c9a663d
    • Opcode Fuzzy Hash: cfc92b23f942eac910387b27b59b18feef752a9dce931b48204979f89b513aa8
    • Instruction Fuzzy Hash: A4F0D070A8530A7EF7215F219C06F163694A315F9BF10007AF114791D3CAB866408F2D
    APIs
    • GlobalHandle.KERNEL32 ref: 00406873
    • GlobalUnWire.KERNEL32(00000000), ref: 0040687A
    • GlobalReAlloc.KERNEL32(00000000), ref: 0040687F
    • GlobalFix.KERNEL32(00000000), ref: 00406885
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Global$AllocHandleWire
    • String ID:
    • API String ID: 2210401237-0
    • Opcode ID: 12c31064beb9c0d1e1d5bb3fc420e02b111f226ff6da3f7fc0f00632f81f9461
    • Instruction ID: 6374437210f81cd735a48f26abef8ec6ea5491a8cbc18c6e87c739c73483e694
    • Opcode Fuzzy Hash: 12c31064beb9c0d1e1d5bb3fc420e02b111f226ff6da3f7fc0f00632f81f9461
    • Instruction Fuzzy Hash: 95B009E88D070438EC64FBB24C4BE3F005E989578D3D2896E7A4BF2182D87CB828003D
    APIs
      • Part of subcall function 0041B91C: RtlEnterCriticalSection.NTDLL(?), ref: 0041B920
    • CreateFontIndirectA.GDI32(?), ref: 0041C716
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateCriticalEnterFontIndirectSection
    • String ID: MS Sans Serif$Default
    • API String ID: 2931345757-2137701257
    • Opcode ID: 36577cda41ee768fbf0a860133e0a03b97ba4653c157d707b78c2af42e487b35
    • Instruction ID: 1fc12fa0c273ddcba888787b12eae85097bee248ace1a88aff0a871757610c8b
    • Opcode Fuzzy Hash: 36577cda41ee768fbf0a860133e0a03b97ba4653c157d707b78c2af42e487b35
    • Instruction Fuzzy Hash: 84519474A44248DFDB01DFA8C981BCDBBF5EF49304F2540AAE400A7392D3789E85DB69
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040B8D3), ref: 0040B783
    • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040B8D3), ref: 0040B7A5
      • Part of subcall function 00405AC8: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00405AF9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FileLoadModuleNameQueryStringVirtual
    • String ID: k@
    • API String ID: 902310565-350512992
    • Opcode ID: 0955dfceea0870f8ca237a7f1e7632650471422f55c7cc97de5cbb8b27d544ba
    • Instruction ID: 823e15908abffe11b2a95de8c594994e798a4bf8e0ec192a7cdbb96525cd5e17
    • Opcode Fuzzy Hash: 0955dfceea0870f8ca237a7f1e7632650471422f55c7cc97de5cbb8b27d544ba
    • Instruction Fuzzy Hash: EB41E930900618DFDB61DF65CC85BDAB7F8EB49305F4041EAE508AB291D778AE84CF99
    APIs
    • GetKeyState.USER32(00000010), ref: 00442878
    • GetKeyState.USER32(00000011), ref: 0044288A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: State
    • String ID:
    • API String ID: 1649606143-3916222277
    • Opcode ID: a8e99c91679a4876d658b3824ac6d1a11e3c3a1e90e5882a91526d3e3fe0fe94
    • Instruction ID: cf302855d2db167ef550e7afacedb3e0055fe9fe5d09ebc9feee8caad3367bd0
    • Opcode Fuzzy Hash: a8e99c91679a4876d658b3824ac6d1a11e3c3a1e90e5882a91526d3e3fe0fe94
    • Instruction Fuzzy Hash: B1310871B04608AFEB15DFA5D9517ADF7F5EF44304F9184BAF800A7291E7B85E00C629
    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,004099F6), ref: 0040999E
    • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,004099F6), ref: 004099A4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: DateFormatLocaleThread
    • String ID: yyyy
    • API String ID: 3303714858-3145165042
    • Opcode ID: c4914673265330b43653198641b48cf4360900e07e8a9b013e955ab42707dad3
    • Instruction ID: cb7c86f15852faa209befa6eb5390e3f73c687ebfa11eebe853fb7a5962bf888
    • Opcode Fuzzy Hash: c4914673265330b43653198641b48cf4360900e07e8a9b013e955ab42707dad3
    • Instruction Fuzzy Hash: EA2162B4600109ABDB11EF59C842A9EB3B8EF48344F51407BF905F73D2D6789E00C769
    APIs
    • VariantCopy.OLEAUT32(?), ref: 0040EAB5
      • Part of subcall function 0040E79C: VariantClear.OLEAUT32(?), ref: 0040E7AB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Variant$ClearCopy
    • String ID: T@
    • API String ID: 274517740-1813571376
    • Opcode ID: 499b31a723a69cbebc3e4889e36ff46778afd50dd1c8ed2c087899baf298fa8b
    • Instruction ID: 3b30b6363dfcadca5d7c16ad87c053f7e44f83d927b064b983a0c7530abf8f2d
    • Opcode Fuzzy Hash: 499b31a723a69cbebc3e4889e36ff46778afd50dd1c8ed2c087899baf298fa8b
    • Instruction Fuzzy Hash: CD119E2070020087C721AB2BC9C695777A9EF893547208C7BF44BAB396CA3DDC51C66A
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Rect$EqualIntersect
    • String ID: @
    • API String ID: 3291753422-2766056989
    • Opcode ID: b666409ccef8e3d4f665121aa357ed55abb43275caab0345646cece8603eb116
    • Instruction ID: 67d2a9f2e1172f2bf6087cc8e6e90c2942f6b169ad4c07ace25c847d25289920
    • Opcode Fuzzy Hash: b666409ccef8e3d4f665121aa357ed55abb43275caab0345646cece8603eb116
    • Instruction Fuzzy Hash: B7118F31A042595BC701DAADC884BDF7BE8AF48318F8446B6FC05DB342D779DD098794
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ClearVariant
    • String ID: T@
    • API String ID: 1473721057-1813571376
    • Opcode ID: 1b444da2fe2cd50029376fe2de99ad16848bc96116cc887f4c88defcd7634ed0
    • Instruction ID: 40aa48186f1559167464bcafe2ff886e73c7b43e511aec1cac4acc0411c00488
    • Opcode Fuzzy Hash: 1b444da2fe2cd50029376fe2de99ad16848bc96116cc887f4c88defcd7634ed0
    • Instruction Fuzzy Hash: 36F0446570410046C6247B6799855A9639C9F85748750CCBBF006BB2E6CB3ECC66E22F
    APIs
    • GetSystemMetrics.USER32(00000000), ref: 00423BFA
    • GetSystemMetrics.USER32(00000001), ref: 00423C0C
      • Part of subcall function 00423914: GetProcAddress.KERNEL32(75A50000,00000000), ref: 00423994
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MetricsSystem$AddressProc
    • String ID: MonitorFromPoint
    • API String ID: 1792783759-1072306578
    • Opcode ID: cc61ae4a64ffd11c464b61c9cf5420250a07476ba04e9e30ba84c016f53f6d08
    • Instruction ID: 7886ea3d561a044236f80cbd900de3cebb944c34ea8d40cd4efeedd27981c532
    • Opcode Fuzzy Hash: cc61ae4a64ffd11c464b61c9cf5420250a07476ba04e9e30ba84c016f53f6d08
    • Instruction Fuzzy Hash: DB01AC723013186FD7105F56EC4475ABBB4D744357F808026F95497213C27CDF81AB68
    APIs
    • GetSystemMetrics.USER32(00000000), ref: 00423AD5
    • GetSystemMetrics.USER32(00000001), ref: 00423AE1
      • Part of subcall function 00423914: GetProcAddress.KERNEL32(75A50000,00000000), ref: 00423994
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3262666611.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.3262651945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262666611.000000000045F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.3262734775.0000000000469000.00000004.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: MetricsSystem$AddressProc
    • String ID: MonitorFromRect
    • API String ID: 1792783759-4033241945
    • Opcode ID: 4050b15e94a3f0c45f63fd3d479f8550dd2d01ab8d69447c85da3e971c44d703
    • Instruction ID: 6b603925a10842c43b02190002e21ec27b34ae4d2fb0917ddc09631bdff2295a
    • Opcode Fuzzy Hash: 4050b15e94a3f0c45f63fd3d479f8550dd2d01ab8d69447c85da3e971c44d703
    • Instruction Fuzzy Hash: 7F012C713002249BDB109F14E886B56BBB8E745397F844076F9848B302C6FDDE818BA8