
Windows Analysis Report
skZwfU6wMR.exe

Overview

General Information

Sample name: skZwfU6wMR.exe (renamed because original name is a hash value)
Original sample name: 9caaa34fa5fab572695f49cc496820dc5e4df6d8866b3f89a49e2dab1a6f85d2.exe
Analysis ID: 1543064
MD5: 339e94bff01e66552e855e9ade023163
SHA1: 55ff23f6f35ce96592d41723a933bc928f3afe50
SHA256: 9caaa34fa5fab572695f49cc496820dc5e4df6d8866b3f89a49e2dab1a6f85d2
Tags: exegurt-duna-uauser-JAMESWT_MHT
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • skZwfU6wMR.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\skZwfU6wMR.exe" MD5: 339E94BFF01E66552E855E9ADE023163)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: skZwfU6wMR.exe | Avira: detected
Source: skZwfU6wMR.exe | Virustotal: Detection: 45%
Source: skZwfU6wMR.exe | ReversingLabs: Detection: 52%
Source: skZwfU6wMR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: skZwfU6wMR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: dccw.pdbGCTL | source: skZwfU6wMR.exe
Source: Binary string: dccw.pdb | source: skZwfU6wMR.exe
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_0033EDC2 GetObjectW,GetLastError,GetWindowRect,GetLastError,GetDC,GetLastError,CreateCompatibleDC,GetLastError,SelectObject,CreateCompatibleDC,GetLastError,SetStretchBltMode,GetLastError,CreateCompatibleBitmap,GetLastError,SelectObject,StretchBlt,GetLastError,SendMessageW,DeleteObject,ReleaseDC,DeleteDC,DeleteDC,DeleteObject
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_00336166
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_00335245
Source: skZwfU6wMR.exe | Binary or memory string: OriginalFilename vs skZwfU6wMR.exe
Source: skZwfU6wMR.exe, 00000000.00000000.1286934071.0000000000343000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedccw.exej% vs skZwfU6wMR.exe
Source: skZwfU6wMR.exe, 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedccw.exej% vs skZwfU6wMR.exe
Source: skZwfU6wMR.exe | Binary or memory string: OriginalFilenamedccw.exej% vs skZwfU6wMR.exe
Source: classification engine | Classification label: mal56.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_0034002C FormatMessageW,LocalFree,GetLastError
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_00340138 CoCreateInstance,SysAllocString,WinSqmAddToStream,SysFreeString
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_0033F117 FindResourceW,GetLastError,LoadResource,GetLastError,SizeofResource,LockResource
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCCW Startup Mutex
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Command line argument: strg 0_2_00333BBD
Source: skZwfU6wMR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: dxva2.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: mscms.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Section loaded: textshaping.dll
Source: skZwfU6wMR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: skZwfU6wMR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: skZwfU6wMR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: skZwfU6wMR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: skZwfU6wMR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: skZwfU6wMR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: skZwfU6wMR.exe | Static PE information: real checksum: 0x2100c should be: 0x79d41
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_00331D0C pushad ; retf 0_2_00331D0D
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_00340DD1 push ecx; ret 0_2_00340DE4
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | API coverage: 5.2 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_0033F7EE mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_0033F8CD GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_00340A80 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_003407FD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\skZwfU6wMR.exe | Code function: 0_2_00340CC9 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
MITRE ATT&CK matrix (techniques matched by this analysis carry their signature count in parentheses):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: DLL Side-Loading (1); Obfuscated Files or Information (1); Obfuscated Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: System Time Discovery (1); Security Software Discovery (1); System Information Discovery (2)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Screen Capture (1); Archive Collected Data (1); Data from Network Shared Drive
  • Command and Control: Encrypted Channel (1); Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Antivirus results (source | detection | scanner | label):
skZwfU6wMR.exe | 45% | Virustotal |
skZwfU6wMR.exe | 53% | ReversingLabs | Win32.Dropper.Lumma
skZwfU6wMR.exe | 100% | Avira | DR/AVI.Lumma.ecpqm
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543064
Start date and time: 2024-10-27 07:36:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: skZwfU6wMR.exe (renamed because original name is a hash value)
Original Sample Name: 9caaa34fa5fab572695f49cc496820dc5e4df6d8866b3f89a49e2dab1a6f85d2.exe
Detection: MAL
Classification: mal56.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 8
  • Number of non-executed functions: 70
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.375842623435884
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: skZwfU6wMR.exe
File size: 458'699 bytes
MD5: 339e94bff01e66552e855e9ade023163
SHA1: 55ff23f6f35ce96592d41723a933bc928f3afe50
SHA256: 9caaa34fa5fab572695f49cc496820dc5e4df6d8866b3f89a49e2dab1a6f85d2
SHA512: 652b3dc0e38bf071f0e20b60a5abd8a5538c16708a9d5a45d630bce72073a360f67b531b54b5abbbdf915982b5c3c755977b4f631e78c342f4ab34b7afab1dfd
SSDEEP: 6144:NLj3gPQYfLQzXGkr1lpLj3gPQYfLQzXGkr1lMLj3gPQYfLQzXGkr1lpLj3gPQYft:ht9t+t9twt
TLSH: 39A4D61136454025EEAB16BB112CBC74E2ADB3323F1084E7B3648695A4722D5DFB1FAF
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[..a...a...a.......a...b...a...e...a...d...a...`...a...`.[.a...i...a.......a...c...a.Rich..a.........PE..L.....g............
Icon Hash: 00928e8e8686b000
Entrypoint: 0x410670
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x1B679987 [Fri Jul 27 11:05:43 1984 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: 491393967a8d093caa31d224e1563ec2
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Data directories (name | virtual address | virtual size | is in section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x133e4 | 0x118 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0xad8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0x1100 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36ec | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1a18 | 0xc0 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x3dc | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (name | virtual address | virtual size | raw size | MD5 | xored PE | ZLIB complexity | file type | entropy | characteristics):
.text | 0x1000 | 0x10074 | 0x10200 | a0f29a9cfdb6ce8a5e5b661d4c75fddd | False | 0.4699763808139535 | data | 6.213626139783662 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0x940 | 0x600 | e13e04f6d2fb4da4268ddcbfffc6f9ca | False | 0.2903645833333333 | data | 2.5070998695029845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x13000 | 0x1a88 | 0x1c00 | d1d54d4ebc4341b577fa01ca1ae5cd84 | False | 0.41322544642857145 | data | 5.362229922857188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x15000 | 0xad8 | 0xc00 | f6912cbbd83d4fc3adab01bc338a72ff | False | 0.396484375 | data | 4.422366166757536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x16000 | 0x1100 | 0x1200 | 3f96f8b6178ac65c1972f0c44dfe3d56 | False | 0.7999131944444444 | data | 6.534591735538366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (name | RVA | size | type | language | country | ZLIB complexity):
MUI | 0x159d0 | 0x108 | data | English | United States | 0.5681818181818182
RT_VERSION | 0x15640 | 0x390 | data | English | United States | 0.46600877192982454
RT_MANIFEST | 0x150f0 | 0x54b | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4154981549815498
Imports (DLL | imported functions):
ADVAPI32.dll | RegCloseKey, RegQueryInfoKeyW, RegEnumKeyExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, EventRegister, EventUnregister, EventWrite, RegQueryValueExW
KERNEL32.dll | CreateMutexW, HeapSetInformation, InitializeCriticalSection, GetModuleFileNameW, FindResourceExW, LoadResource, SizeofResource, WaitForSingleObject, lstrcmpiW, GetModuleHandleW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError, ReleaseMutex, CloseHandle, CreateFileW, GetCurrentProcessId, LockResource, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, LocalFree, FormatMessageW, GetSystemDirectoryW, WriteFile, WideCharToMultiByte, GetSystemTime, CopyFileW, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, RaiseException, DeleteCriticalSection, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, OutputDebugStringA, TerminateProcess, SetUnhandledExceptionFilter, HeapFree, VirtualFree, GetCurrentProcess, VirtualAlloc, LoadLibraryExA, EncodePointer, HeapAlloc, DecodePointer, IsProcessorFeaturePresent, GetProcessHeap, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, Sleep, GetStartupInfoW, UnhandledExceptionFilter, QueryPerformanceCounter
GDI32.dll | StretchBlt, CreateCompatibleBitmap, SetStretchBltMode, SelectObject, CreateCompatibleDC, GetObjectW, GetTextExtentPoint32W, SetDeviceGammaRamp, GetDeviceGammaRamp, GetStockObject, SetBkMode, SetBkColor, SetTextColor, CreateSolidBrush, GetDeviceCaps, CreateDCW, DeleteDC, DeleteObject
USER32.dll | LoadStringW, GetWindow, ShowWindow, MessageBoxW, ReleaseDC, GetWindowTextW, GetWindowTextLengthW, GetDC, KillTimer, SetTimer, SetWindowTextW, PostMessageW, MapDialogRect, EnumChildWindows, DisplayConfigGetDeviceInfo, QueryDisplayConfig, GetDisplayConfigBufferSizes, EnumDisplayDevicesW, ShowCursor, LoadCursorW, SetCursor, GetMonitorInfoW, EnumDisplayMonitors, MonitorFromWindow, GetParent, InvalidateRect, MapWindowPoints, GetWindowRect, GetDlgItem, DefWindowProcW, SendMessageW, CallWindowProcW, SetWindowPos, SetForegroundWindow, OpenIcon, SetWindowLongW, GetWindowLongW, MonitorFromRect, SendMessageTimeoutW, AllowSetForegroundWindow, GetWindowThreadProcessId, FindWindowW, RegisterWindowMessageW, GetActiveWindow, GetSystemMetrics, CharNextW, DestroyWindow, UnregisterClassA, MoveWindow
msvcrt.dll | _ftol2, memcpy, _controlfp, ?terminate@@YAXXZ, realloc, _errno, _onexit, __dllonexit, _unlock, _lock, _except_handler4_common, _wcmdln, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, __p__commode, _XcptFilter, _callnewh, swscanf_s, wcsstr, _wcsupr, _purecall, memcpy_s, malloc, wcsncpy_s, free, _ftol2_sse, _vsnwprintf, towlower, iswupper, _CIpow, memset
ntdll.dll | WinSqmAddToStream
dxva2.dll | GetNumberOfPhysicalMonitorsFromHMONITOR, GetPhysicalMonitorsFromHMONITOR, DestroyPhysicalMonitors, GetMonitorBrightness, SetMonitorBrightness, GetMonitorContrast, SetMonitorContrast, GetVCPFeatureAndVCPFeatureReply, SetVCPFeature
mscms.dll | GetColorProfileFromHandle, UninstallColorProfileW, WcsCreateIccProfile, GetColorDirectoryW, InstallColorProfileW, CloseColorProfile, DccwSetDisplayProfileAssociationList, WcsGetUsePerUserProfiles, WcsGetDefaultColorProfile, WcsOpenColorProfileW, DccwGetGamutSize, DccwCreateDisplayProfileAssociationList, DccwGetDisplayProfileAssociationList, WcsGetCalibrationManagementState, SetColorProfileElement, SetColorProfileElementSize, DccwReleaseDisplayProfileAssociationList, WcsDisassociateColorProfileFromDevice, WcsSetCalibrationManagementState, WcsSetDefaultColorProfile
SHELL32.dll | ShellExecuteW
GDIPLUS.dll | GdipCreateHBITMAPFromBitmap, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipFree, GdipCreateLineBrushI, GdipFillRectangleI, GdipCloneBrush, GdipAlloc, GdipDeleteBrush, GdipCreateSolidFill, GdipDeleteGraphics, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup
COMCTL32.dll | TaskDialogIndirect, DestroyPropertySheetPage, CreatePropertySheetPageW, PropertySheetW
OLEAUT32.dll | SysFreeString, VarUI4FromStr, SysAllocString
api-ms-win-core-com-l1-1-0.dll | CoTaskMemRealloc, CoTaskMemFree, CreateStreamOnHGlobal, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance
Language of compilation system: English
Country where language is spoken: United States
No network behavior found


Target ID: 0
Start time: 02:37:02
Start date: 27/10/2024
Path: C:\Users\user\Desktop\skZwfU6wMR.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\skZwfU6wMR.exe"
Imagebase: 0x330000
File size: 458'699 bytes
MD5 hash: 339E94BFF01E66552E855E9ADE023163
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


    Execution Graph

    Execution Coverage:5.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:15.2%
    Total number of Nodes:1556
    Total number of Limit Nodes:24
6039->6040 6041 33cb4f 6040->6041 6060 340340 6061 340345 6060->6061 6069 340b1a GetModuleHandleW 6061->6069 6063 340351 __set_app_type __p__fmode __p__commode 6064 340389 6063->6064 6065 340392 __setusermatherr 6064->6065 6066 34039e 6064->6066 6065->6066 6071 340d67 _controlfp 6066->6071 6068 3403a3 6070 340b2b 6069->6070 6070->6063 6071->6068 5498 33cab0 GetMonitorContrast 5499 33cad2 GetLastError 5498->5499 5500 33cade 5498->5500 5499->5500 6072 33b9b0 6073 33b9c4 6072->6073 6082 33b9fe 6072->6082 6074 33b9d0 6073->6074 6075 33ba0c 6073->6075 6083 33bad1 6074->6083 6076 33b9dd 6075->6076 6077 33ba15 GetWindowLongW 6075->6077 6079 3370f2 17 API calls 6076->6079 6076->6082 6080 33ba42 GetStockObject 6077->6080 6081 33ba2d SetTextColor SetBkMode 6077->6081 6079->6082 6080->6076 6081->6080 6084 33a94c 3 API calls 6083->6084 6088 33baea 6084->6088 6085 33bb81 6085->6076 6086 33bafe GetDlgItem 6086->6088 6087 33ec08 21 API calls 6087->6088 6088->6085 6088->6086 6088->6087 6089 33bb4f SendMessageW 6088->6089 6090 33edc2 28 API calls 6088->6090 6089->6088 6091 33bb67 DeleteObject 6089->6091 6090->6088 6091->6088 6092 335fb0 6093 335fc7 6092->6093 6095 335fe9 6092->6095 6094 335fdd 6093->6094 6098 3368be 6093->6098 6094->6095 6106 336c45 6094->6106 6101 3368e7 6098->6101 6103 336968 6098->6103 6099 340680 4 API calls 6100 336a50 6099->6100 6100->6094 6102 336927 MonitorFromRect 6101->6102 6104 3369a9 6101->6104 6102->6103 6103->6099 6104->6103 6105 3369e6 MonitorFromRect 6104->6105 6105->6103 6107 336c54 6106->6107 6111 336c6b 6106->6111 6108 336c72 6107->6108 6109 336c5e 6107->6109 6108->6111 6112 336c93 SendMessageW 6108->6112 6113 336d65 CallWindowProcW 6109->6113 6111->6095 6112->6111 6114 336d91 6113->6114 6115 336dc6 6113->6115 6114->6115 6116 336da7 SendMessageW 6114->6116 6115->6111 6116->6115 6117 336dbd DestroyWindow 6116->6117 6117->6115 6118 33f3b0 GetDC 6119 33f3f1 GetLastError 6118->6119 6120 33f3d5 EnumDisplayMonitors ReleaseDC 6118->6120 6121 33f3fb 
6119->6121 6120->6121 6122 33f436 GetParent PostMessageW 6121->6122 6123 33f468 6121->6123 6124 33f489 3 API calls 6122->6124 6127 33e9dc 13 API calls 6123->6127 6125 33f45c ShowWindow 6124->6125 6126 33f479 6125->6126 6127->6126 4660 3403b0 __wgetmainargs 6128 340fb0 6131 33f68c 6128->6131 6132 33f69d 6131->6132 6133 33f698 6131->6133 6133->6132 6134 33f6cc 6133->6134 6135 33f700 6133->6135 6138 33f6b7 UnregisterClassA 6133->6138 6136 33f6d3 free 6134->6136 6137 33f6e1 DeleteCriticalSection 6134->6137 6141 335d67 RaiseException 6135->6141 6136->6137 6137->6132 6138->6133 6138->6134 6140 33f70a 6141->6140 6142 3407b2 6143 3407e6 realloc 6142->6143 6144 3407bc 6142->6144 6144->6143 6145 3407c8 _errno 6144->6145 6146 3407df 6145->6146 5508 336ea1 5509 336eb0 5508->5509 5510 336f23 CallWindowProcW 5509->5510 5511 336f3b GetWindowLongW CallWindowProcW 5509->5511 5514 336f8a 5509->5514 5510->5514 5512 336f6d GetWindowLongW 5511->5512 5511->5514 5513 336f7c SetWindowLongW 5512->5513 5512->5514 5513->5514 5515 338aa1 5516 338aa9 5515->5516 5517 338ab8 5515->5517 5546 339d26 5517->5546 5520 338b07 WcsCreateIccProfile 5523 338b28 5520->5523 5524 338b1c GetLastError 5520->5524 5521 338b3c 5522 338b4a GetColorProfileFromHandle 5521->5522 5545 338b6a 5521->5545 5525 338b66 5522->5525 5526 338b5b GetLastError 5522->5526 5523->5521 5572 33a1b6 5523->5572 5524->5523 5531 338ba5 GetColorProfileFromHandle 5525->5531 5525->5545 5526->5525 5527 338cc5 5530 338ccd CloseColorProfile 5527->5530 5532 338cd4 ctype 5527->5532 5528 338cbb CloseColorProfile 5528->5527 5530->5532 5533 338bd3 CreateFileW 5531->5533 5534 338bb6 GetLastError 5531->5534 5536 338c19 WriteFile 5533->5536 5537 338bfc GetLastError 5533->5537 5535 338bc2 5534->5535 5535->5533 5535->5545 5538 338c41 GetLastError 5536->5538 5539 338c30 5536->5539 5540 338c08 5537->5540 5538->5539 5541 338c5a CloseHandle InstallColorProfileW 5539->5541 5542 338ca8 5539->5542 5540->5536 5540->5545 5544 338c77 GetLastError 5541->5544 
5541->5545 5543 338cad CloseHandle 5542->5543 5542->5545 5543->5545 5544->5545 5545->5527 5545->5528 5547 33fe77 3 API calls 5546->5547 5548 339d6d 5547->5548 5549 339d8c 5548->5549 5550 33fe77 3 API calls 5548->5550 5551 339dab 5549->5551 5552 33fe77 3 API calls 5549->5552 5550->5549 5553 33fe77 3 API calls 5551->5553 5555 339dd1 5551->5555 5552->5551 5553->5555 5554 339de6 GetSystemTime 5593 33ff30 5554->5593 5555->5554 5559 339fe2 ctype 5555->5559 5557 339e1c 5558 34002c 5 API calls 5557->5558 5557->5559 5564 339e44 5558->5564 5560 340680 4 API calls 5559->5560 5562 338afb 5560->5562 5561 33fcc2 2 API calls 5563 339f6a 5561->5563 5562->5520 5562->5521 5563->5559 5565 339f95 WcsOpenColorProfileW 5563->5565 5564->5559 5567 339eb4 _CIpow _CIpow _CIpow 5564->5567 5570 339f4b ctype 5564->5570 5565->5559 5566 339fd6 GetLastError 5565->5566 5566->5559 5568 33ff30 3 API calls 5567->5568 5569 339f37 5568->5569 5569->5570 5596 33fcc2 5569->5596 5570->5559 5570->5561 5573 33fe77 3 API calls 5572->5573 5574 33a1ea 5573->5574 5575 33a208 5574->5575 5577 33fe77 3 API calls 5574->5577 5576 33a226 5575->5576 5578 33fe77 3 API calls 5575->5578 5579 33a240 WideCharToMultiByte 5576->5579 5583 33a2bf 5576->5583 5577->5575 5578->5576 5580 33a262 GetLastError 5579->5580 5582 33a26e 5579->5582 5580->5582 5581 33a28a ctype 5581->5521 5582->5581 5582->5583 5584 33a296 WideCharToMultiByte 5582->5584 5583->5581 5586 33a333 memset memcpy 5583->5586 5584->5583 5585 33a2b3 GetLastError 5584->5585 5585->5583 5591 33a371 5586->5591 5587 33a436 SetColorProfileElementSize 5588 33a464 SetColorProfileElement 5587->5588 5589 33a44b GetLastError 5587->5589 5588->5581 5590 33a484 GetLastError 5588->5590 5592 33a457 5589->5592 5590->5581 5591->5587 5591->5591 5592->5581 5592->5588 5600 33ff75 5593->5600 5595 33ff43 ctype 5595->5557 5597 33fce6 5596->5597 5599 33fd30 ctype 5596->5599 5598 3402fe ctype 2 API calls 5597->5598 5597->5599 5598->5599 5599->5570 5601 3402fe ctype 2 API calls 5600->5601 5604 
33ff8c 5601->5604 5602 33ffab _vsnwprintf 5602->5604 5603 34000c 5603->5595 5604->5602 5604->5603 5605 3402fe ctype 2 API calls 5604->5605 5605->5604 5612 33b2a0 5613 33b2b6 5612->5613 5614 33b319 5612->5614 5615 33b2d4 5613->5615 5616 33b2bf 5613->5616 5618 33b2da 5615->5618 5621 33b321 5615->5621 5624 33b66d 5616->5624 5630 33b6c3 5618->5630 5623 33b2cd 5621->5623 5665 33b87e 5621->5665 5623->5614 5643 33b130 5623->5643 5671 33c3fe 5624->5671 5627 33b680 GetDlgItem 5628 33b698 5627->5628 5629 33b69d SendMessageW 5627->5629 5628->5623 5629->5628 5631 33b867 5630->5631 5632 33b6e4 5630->5632 5634 340680 4 API calls 5631->5634 5632->5631 5633 33b6ee GetWindowRect 5632->5633 5633->5631 5635 33b703 GetWindowRect 5633->5635 5636 33b874 5634->5636 5635->5631 5637 33b71b GetWindowRect 5635->5637 5636->5623 5637->5631 5638 33b733 MoveWindow _ftol2_sse 5637->5638 5639 33b7ba MoveWindow MoveWindow 5638->5639 5640 33b7b8 5638->5640 5641 33b80e MoveWindow MoveWindow InvalidateRect 5639->5641 5642 33b80c 5639->5642 5640->5639 5641->5631 5642->5641 5644 33b188 5643->5644 5645 33b148 5643->5645 5644->5614 5646 33b193 5645->5646 5647 33b154 5645->5647 5648 33b1bb 5646->5648 5649 33b19a 5646->5649 5650 33c3fe 33 API calls 5647->5650 5652 33b200 5648->5652 5662 33b1c2 5648->5662 5680 33c48f 5649->5680 5660 33b161 5650->5660 5653 33b205 5652->5653 5654 33b229 5652->5654 5691 33c605 5653->5691 5656 33b251 5654->5656 5657 33b22e 5654->5657 5659 33b25c 5656->5659 5656->5660 5702 33c710 5657->5702 5663 33aaed 3 API calls 5659->5663 5660->5644 5661 3371e0 76 API calls 5660->5661 5661->5644 5662->5660 5688 33c832 5662->5688 5663->5644 5666 33b89a 5665->5666 5709 33eba9 _ftol2 5666->5709 5668 33b8a8 5669 33c832 SendMessageW 5668->5669 5670 33b8c4 5669->5670 5670->5623 5672 337443 26 API calls 5671->5672 5673 33c41b 5672->5673 5674 33c421 GetDlgItem 5673->5674 5679 33c465 5673->5679 5675 33c439 GetDlgItem 5674->5675 5674->5679 5677 33c451 GetWindowRect 5675->5677 5675->5679 5676 340680 4 
API calls 5678 33b67a 5676->5678 5677->5679 5678->5627 5678->5628 5679->5676 5681 33c5d6 5680->5681 5683 33c4bd 5680->5683 5681->5660 5682 33c4d0 5682->5681 5684 33e9dc 13 API calls 5682->5684 5683->5681 5683->5682 5685 33c57f SendMessageW 5683->5685 5686 33c55f 5683->5686 5684->5681 5685->5682 5686->5682 5687 33c564 SendMessageW 5686->5687 5687->5682 5689 33c840 SendMessageW 5688->5689 5689->5660 5692 33c626 5691->5692 5693 33c6f9 5691->5693 5692->5693 5696 3374d3 40 API calls 5692->5696 5694 340680 4 API calls 5693->5694 5695 33c706 5694->5695 5695->5660 5697 33c63c GetWindowRect 5696->5697 5697->5693 5698 33c651 GetWindowRect 5697->5698 5698->5693 5699 33c669 GetWindowRect 5698->5699 5699->5693 5700 33c67d MoveWindow MoveWindow 5699->5700 5700->5693 5703 33c825 5702->5703 5704 33c72d GdipCreateFromHDC GdipCreateSolidFill GdipFillRectangleI 5702->5704 5703->5660 5708 33c8b1 GdipCreateLineBrushI 5704->5708 5707 33c7e2 GdipFillRectangleI GdipDeleteBrush GdipDeleteBrush GdipDeleteGraphics 5707->5703 5708->5707 5709->5668 6150 33dfa0 GetDC GetWindowTextLengthW 6151 33dfe2 6150->6151 6152 33e035 ReleaseDC 6151->6152 6153 33dfe9 GetWindowTextW GetTextExtentPoint32W MoveWindow 6151->6153 6154 33e034 6153->6154 6154->6152 6155 33b3a0 6156 33b3d1 6155->6156 6157 33b3e5 6156->6157 6158 33b3d9 6156->6158 6160 33fe77 3 API calls 6157->6160 6166 33c1c0 6158->6166 6164 33b40a 6160->6164 6161 33b3e0 ctype 6162 340680 4 API calls 6161->6162 6163 33b59f 6162->6163 6164->6161 6164->6164 6165 33b48d EventWrite 6164->6165 6165->6161 6167 33fe77 3 API calls 6166->6167 6168 33c1f9 6167->6168 6169 33c298 ctype 6168->6169 6172 33c24b EventWrite 6168->6172 6170 340680 4 API calls 6169->6170 6171 33c2ab 6170->6171 6171->6161 6172->6169 6173 33c3a0 KillTimer 5710 3406a0 _except_handler4_common 6174 33ad90 6175 33adb8 6174->6175 6176 33ad9e 6174->6176 6176->6175 6177 333e92 4 API calls 6176->6177 6177->6175 6178 33bf90 6179 33c001 6178->6179 6180 33bfa6 6178->6180 6181 33c009 6180->6181 
6182 33bfaf 6180->6182 6188 33bfdb 6181->6188 6189 33c047 6181->6189 6183 337443 26 API calls 6182->6183 6184 33bfbd 6183->6184 6187 33bfc3 GetDlgItem 6184->6187 6184->6188 6185 3371e0 76 API calls 6185->6179 6187->6188 6188->6179 6188->6185 6190 33c105 6189->6190 6191 33c068 6189->6191 6192 340680 4 API calls 6190->6192 6191->6190 6193 3374d3 40 API calls 6191->6193 6194 33c112 6192->6194 6195 33c07e GetWindowRect 6193->6195 6194->6188 6195->6190 6196 33c08f GetWindowRect 6195->6196 6196->6190 6197 33c0a3 GetWindowRect 6196->6197 6197->6190 6198 33c0b7 MoveWindow 6197->6198 6198->6190 5717 33c880 GdipDeleteBrush 5718 33c8a4 5717->5718 5719 33c89d GdipFree 5717->5719 5719->5718 5720 33ac80 GetWindowRect 5721 33acd3 5720->5721 5722 33acbe MapWindowPoints 5720->5722 5723 340680 4 API calls 5721->5723 5722->5721 5724 33ad13 5723->5724 5725 338a80 5728 339b02 WcsSetCalibrationManagementState 5725->5728 5729 339b22 GetLastError 5728->5729 5730 339b2e 5728->5730 5729->5730 5733 339b59 WcsSetDefaultColorProfile 5730->5733 5738 339b7a 5730->5738 5731 339b90 WcsGetUsePerUserProfiles 5732 339ba6 GetLastError 5731->5732 5737 339bb2 5731->5737 5732->5737 5735 339b6e GetLastError 5733->5735 5733->5738 5734 339c12 WcsSetCalibrationManagementState 5736 339c1f GetLastError 5734->5736 5739 338a8d 5734->5739 5735->5738 5736->5739 5737->5734 5737->5739 5740 339be3 WcsSetDefaultColorProfile 5737->5740 5738->5731 5738->5739 5740->5734 5741 339bf9 GetLastError 5740->5741 5742 339c05 5741->5742 5742->5734 5742->5739 6278 337b80 MonitorFromWindow 6279 337ba6 6278->6279 6280 337b9e 6278->6280 6282 3391d3 LoadCursorW SetCursor ShowCursor 6280->6282 6283 339222 6282->6283 6307 339212 6282->6307 6287 339257 GetNumberOfPhysicalMonitorsFromHMONITOR 6283->6287 6283->6307 6284 3394ab ShowCursor LoadCursorW SetCursor 6285 340680 4 API calls 6284->6285 6286 3394d7 6285->6286 6286->6279 6288 33927a 6287->6288 6287->6307 6289 339290 DeleteDC 6288->6289 6290 339299 EnumDisplayMonitors 6288->6290 
6288->6307 6289->6290 6291 3392c7 GetDeviceCaps 6290->6291 6290->6307 6292 3392df 6291->6292 6291->6307 6314 3394e3 GetMonitorInfoW 6292->6314 6295 3392f0 GetPhysicalMonitorsFromHMONITOR 6296 339303 6295->6296 6296->6307 6331 33905d WcsGetUsePerUserProfiles 6296->6331 6301 339382 6301->6284 6303 3393c0 DccwGetDisplayProfileAssociationList 6301->6303 6304 3393ad DccwCreateDisplayProfileAssociationList 6301->6304 6301->6307 6306 3393d6 6303->6306 6303->6307 6305 3393be 6304->6305 6304->6307 6305->6303 6308 3393f3 DccwGetDisplayProfileAssociationList 6306->6308 6309 3393e2 DccwCreateDisplayProfileAssociationList 6306->6309 6307->6284 6308->6307 6310 33940a 6308->6310 6309->6307 6309->6308 6358 33963a GetColorDirectoryW 6310->6358 6312 339411 6312->6307 6312->6312 6313 33947b EventWrite 6312->6313 6313->6307 6315 339523 GetLastError 6314->6315 6316 339540 EnumDisplayDevicesW 6314->6316 6319 33952f 6315->6319 6317 339561 GetLastError 6316->6317 6318 33957e StringFromCLSID 6316->6318 6320 33956d 6317->6320 6321 339596 _wcsupr wcsstr 6318->6321 6322 339609 6318->6322 6319->6316 6319->6322 6320->6318 6320->6322 6321->6322 6323 3395bf 6321->6323 6324 339623 6322->6324 6325 339617 CoTaskMemFree 6322->6325 6326 33fdd6 ctype 2 API calls 6323->6326 6327 340680 4 API calls 6324->6327 6325->6324 6329 3395c8 6326->6329 6328 3392e6 6327->6328 6328->6295 6328->6307 6329->6322 6330 3395e6 swscanf_s 6329->6330 6330->6322 6332 3390b0 6331->6332 6333 3390a4 GetLastError 6331->6333 6334 3390cc WcsGetDefaultColorProfile 6332->6334 6347 339198 6332->6347 6333->6332 6335 3390f1 GetLastError 6334->6335 6336 3390fd 6334->6336 6335->6336 6339 33910e WcsOpenColorProfileW 6336->6339 6336->6347 6337 3391b5 CloseColorProfile 6338 3391bc 6337->6338 6342 340680 4 API calls 6338->6342 6340 339160 DccwGetGamutSize 6339->6340 6341 339147 GetLastError 6339->6341 6345 339174 6340->6345 6340->6347 6343 339153 6341->6343 6344 3391cb 6342->6344 6343->6340 6343->6347 6344->6284 6348 33a6a6 memset 6344->6348 
6346 33eb17 2 API calls 6345->6346 6345->6347 6346->6347 6347->6337 6347->6338 6349 33a6d8 6348->6349 6355 33a71b 6348->6355 6371 33a4cc 6349->6371 6350 340680 4 API calls 6352 33936b 6350->6352 6352->6301 6356 33eb17 memset TaskDialogIndirect 6352->6356 6354 33a6eb DisplayConfigGetDeviceInfo 6354->6355 6355->6350 6357 33eb83 6356->6357 6357->6301 6359 339680 6358->6359 6360 339676 GetLastError 6358->6360 6361 33ff30 3 API calls 6359->6361 6370 33970d 6359->6370 6360->6359 6362 3396a7 6361->6362 6364 33ff30 3 API calls 6362->6364 6362->6370 6363 340680 4 API calls 6365 33971c 6363->6365 6366 3396ce 6364->6366 6365->6312 6367 33ff30 3 API calls 6366->6367 6366->6370 6368 3396ec 6367->6368 6369 33ff30 3 API calls 6368->6369 6368->6370 6369->6370 6370->6363 6386 3401e0 6371->6386 6374 33a512 GetDisplayConfigBufferSizes 6375 33a551 6374->6375 6378 33a530 6374->6378 6376 340680 4 API calls 6375->6376 6377 33a69e 6376->6377 6377->6354 6377->6355 6378->6375 6379 33a588 QueryDisplayConfig 6378->6379 6380 33a5c3 6379->6380 6381 33a5a5 GetLastError 6379->6381 6380->6375 6382 33a5d8 DisplayConfigGetDeviceInfo 6380->6382 6384 3401e0 8 API calls 6380->6384 6385 33a636 lstrcmpiW 6380->6385 6381->6375 6382->6380 6383 33a605 EnumDisplayDevicesW 6382->6383 6383->6380 6384->6380 6385->6375 6385->6380 6391 33a4f6 6386->6391 6393 3401fa 6386->6393 6387 340204 iswupper 6388 340222 towlower 6387->6388 6389 340233 iswupper 6387->6389 6388->6389 6390 34023f towlower 6389->6390 6389->6393 6390->6393 6391->6374 6391->6375 6392 34026a iswupper 6394 340294 iswupper 6392->6394 6395 340283 towlower 6392->6395 6393->6387 6393->6391 6393->6392 6394->6393 6396 3402a0 towlower 6394->6396 6395->6394 6396->6393 6267 337980 6268 3379dd 6267->6268 6270 337990 6267->6270 6269 3370f2 17 API calls 6269->6268 6270->6268 6270->6269 6271 336b80 6272 336b9a WcsSetCalibrationManagementState 6271->6272 6274 336bcb 6272->6274 6275 336bab GetLastError 6272->6275 6276 336bb5 6275->6276 6277 33e9dc 13 API calls 
6276->6277 6277->6274 6253 338f80 6254 338f92 6253->6254 6254->6254 6255 338fd6 6254->6255 6256 338fbe 6254->6256 6257 338fad DccwSetDisplayProfileAssociationList 6254->6257 6256->6255 6258 338fc8 DccwSetDisplayProfileAssociationList 6256->6258 6257->6255 6257->6256 6258->6255 6203 33b980 6206 33bc48 6203->6206 6207 33bc5e 6206->6207 6208 33bc63 DeleteObject 6207->6208 6209 33bc73 6207->6209 6208->6207 6242 33af80 6243 33afad 6242->6243 6244 33afb7 6243->6244 6245 33afc9 GetDlgItem SendMessageW 6243->6245 6248 33e9dc 13 API calls 6244->6248 6246 33afc4 6245->6246 6247 33afec GetSystemDirectoryW 6245->6247 6249 340680 4 API calls 6246->6249 6247->6246 6251 33b003 6247->6251 6248->6246 6250 33b065 6249->6250 6251->6246 6252 33b033 ShellExecuteW 6251->6252 6252->6246 6210 33cb80 GetDeviceGammaRamp 6211 33cb98 GetLastError 6210->6211 6212 33cba4 6210->6212 6211->6212 6216 33d780 6217 33d7af 6216->6217 6235 33e04f SendMessageW 6217->6235 6219 33d7cb SendMessageW 6220 33d804 6219->6220 6221 33d95f 6220->6221 6236 33e07c SendMessageW 6220->6236 6223 33d821 6237 33e04f SendMessageW 6223->6237 6225 33d85e SendMessageW 6226 33d89a 6225->6226 6226->6221 6238 33e07c SendMessageW 6226->6238 6228 33d8b7 6239 33e04f SendMessageW 6228->6239 6230 33d8f4 SendMessageW 6231 33d930 6230->6231 6231->6221 6240 33e07c SendMessageW 6231->6240 6233 33d949 SetTimer 6241 33ab40 GetParent PostMessageW GetParent SendMessageW 6233->6241 6235->6219 6236->6223 6237->6225 6238->6228 6239->6230 6240->6233 6241->6221 6263 33cd80 6264 33cd96 6263->6264 6265 33cd8f 6263->6265 6266 33cfbf 2 API calls 6264->6266 6266->6265 5746 340a80 SetUnhandledExceptionFilter 6403 33d1f0 6404 33d207 6403->6404 6405 33d221 6404->6405 6406 33e9dc 13 API calls 6404->6406 6407 33d21e 6406->6407 6408 338ff0 6409 339012 GetMonitorInfoW 6408->6409 6410 33903d 6408->6410 6409->6410 6411 33902a CreateDCW 6409->6411 6412 340680 4 API calls 6410->6412 6411->6410 6413 339051 6412->6413 5783 33b8e0 5784 33b8f4 5783->5784 5787 
33b92e 5783->5787 5785 33b900 5784->5785 5786 33b93c 5784->5786 5792 33bc83 5785->5792 5789 33b90d 5786->5789 5800 33bd3d 5786->5800 5789->5787 5790 3370f2 17 API calls 5789->5790 5790->5787 5793 33a94c 3 API calls 5792->5793 5794 33bca1 ctype 5793->5794 5795 33bd24 5794->5795 5798 33fe77 3 API calls 5794->5798 5799 33bcfd GetDlgItem SetWindowTextW 5794->5799 5796 340680 4 API calls 5795->5796 5797 33bd33 5796->5797 5797->5789 5798->5794 5799->5794 5801 33a9ed 8 API calls 5800->5801 5811 33bd60 5801->5811 5802 33bdaa GetDlgItem 5803 33ec08 21 API calls 5802->5803 5803->5811 5804 33bde3 GetWindowRect 5806 33bdf5 MapWindowPoints 5804->5806 5807 33be08 GetLastError 5804->5807 5805 33bf59 DeleteObject 5805->5811 5806->5811 5807->5811 5808 33bf71 5809 340680 4 API calls 5808->5809 5810 33bf7e 5809->5810 5810->5789 5811->5802 5811->5804 5811->5805 5811->5808 5812 33be37 _ftol2_sse 5811->5812 5813 33be7b MoveWindow 5811->5813 5815 33edc2 28 API calls 5811->5815 5816 33bec8 InvalidateRect GetDlgItem GetWindowRect 5811->5816 5819 33bf1a MoveWindow 5811->5819 5812->5813 5813->5811 5814 33be90 GetLastError 5813->5814 5814->5811 5815->5811 5817 33bef1 MapWindowPoints 5816->5817 5818 33bf04 GetLastError 5816->5818 5817->5819 5818->5811 5819->5811 5820 33bf4a GetLastError 5819->5820 5820->5811 5778 33aee0 GetParent PostMessageW 5779 33af09 GetDlgItem SendMessageW 5778->5779 5780 33af2c 5778->5780 5779->5780 5781 33e9dc 13 API calls 5780->5781 5782 33af6f 5780->5782 5781->5782 5753 3372e0 5756 337307 5753->5756 5755 3372ed 5757 337323 5756->5757 5758 33731c DeleteObject 5756->5758 5759 337334 5757->5759 5760 33732d DeleteObject 5757->5760 5758->5757 5761 33a854 DeleteObject 5759->5761 5763 33a85d ctype 5759->5763 5760->5759 5761->5763 5762 33a880 5762->5755 5763->5762 5764 33f9a5 ctype 10 API calls 5763->5764 5764->5762 5777 336ae0 SendMessageW 6414 336de0 6415 336e25 6414->6415 6416 336deb 6414->6416 6423 337057 EnterCriticalSection 6416->6423 6418 336df1 6427 336fee 6418->6427 
6421 333e63 free 6422 336e04 GetWindowLongW SetWindowLongW 6421->6422 6422->6415 6424 3370a1 LeaveCriticalSection 6423->6424 6425 337074 GetCurrentThreadId 6423->6425 6424->6418 6426 33707e 6425->6426 6426->6424 6428 337004 6427->6428 6429 337016 6428->6429 6436 33f8cd GetProcessHeap HeapAlloc 6428->6436 6435 336dfd 6429->6435 6445 33f934 6429->6445 6435->6421 6437 33f8e7 6436->6437 6438 33f8eb 6436->6438 6437->6429 6455 33faac 6438->6455 6440 33f8f1 6442 33f900 6440->6442 6469 33f711 6440->6469 6443 33f92a 6442->6443 6444 33f919 GetProcessHeap HeapFree 6442->6444 6443->6429 6444->6437 6446 33f941 6445->6446 6450 337025 6445->6450 6447 33f97a 6446->6447 6448 33f94d GetCurrentProcess FlushInstructionCache 6446->6448 6446->6450 6488 33fb5e 6447->6488 6448->6450 6451 33f884 6450->6451 6452 33f892 6451->6452 6454 33702d SetWindowLongW 6451->6454 6452->6454 6502 33f9fa 6452->6502 6454->6435 6456 33fabb DecodePointer 6455->6456 6457 33fac9 LoadLibraryExA 6455->6457 6456->6440 6458 33fb53 6457->6458 6459 33fae2 6457->6459 6458->6440 6460 33f857 ctype 2 API calls 6459->6460 6461 33faf3 6460->6461 6461->6458 6462 33f857 ctype 2 API calls 6461->6462 6463 33fb08 6462->6463 6463->6458 6464 33f857 ctype 2 API calls 6463->6464 6465 33fb1d 6464->6465 6465->6458 6466 33f857 ctype 2 API calls 6465->6466 6467 33fb32 6466->6467 6467->6458 6468 33fb36 DecodePointer 6467->6468 6468->6458 6470 33f71c 6469->6470 6476 33f721 6469->6476 6481 33f7ee IsProcessorFeaturePresent 6470->6481 6472 33f742 InterlockedPopEntrySList 6474 33f75b VirtualAlloc 6472->6474 6480 33f74f 6472->6480 6473 33f72f GetProcessHeap HeapAlloc 6473->6480 6475 33f776 InterlockedPopEntrySList 6474->6475 6474->6480 6477 33f78a VirtualFree 6475->6477 6478 33f79c 6475->6478 6476->6472 6476->6473 6476->6480 6477->6480 6479 33f7a2 InterlockedPushEntrySList 6478->6479 6479->6479 6479->6480 6480->6442 6482 33f801 GetPEB 6481->6482 6483 33f7fa 6481->6483 6484 33f812 GetProcessHeap HeapAlloc 6482->6484 6485 33f845 6482->6485 
6483->6476 6484->6485 6486 33f82b 6484->6486 6485->6476 6486->6485 6487 33f835 GetProcessHeap HeapFree 6486->6487 6487->6485 6489 33fb7b LoadLibraryExA 6488->6489 6490 33fb6d DecodePointer 6488->6490 6491 33fb94 6489->6491 6493 33fc05 6489->6493 6490->6450 6492 33f857 ctype 2 API calls 6491->6492 6494 33fba5 6492->6494 6493->6450 6494->6493 6495 33f857 ctype 2 API calls 6494->6495 6496 33fbba 6495->6496 6496->6493 6497 33f857 ctype 2 API calls 6496->6497 6498 33fbcf 6497->6498 6498->6493 6499 33f857 ctype 2 API calls 6498->6499 6500 33fbe4 6499->6500 6500->6493 6501 33fbe8 DecodePointer 6500->6501 6501->6493 6503 33fa17 LoadLibraryExA 6502->6503 6504 33fa09 DecodePointer 6502->6504 6505 33faa1 6503->6505 6506 33fa30 6503->6506 6504->6454 6505->6454 6507 33f857 ctype 2 API calls 6506->6507 6508 33fa41 6507->6508 6508->6505 6509 33f857 ctype 2 API calls 6508->6509 6510 33fa56 6509->6510 6510->6505 6511 33f857 ctype 2 API calls 6510->6511 6512 33fa6b 6511->6512 6512->6505 6513 33f857 ctype 2 API calls 6512->6513 6514 33fa80 6513->6514 6514->6505 6515 33fa84 DecodePointer 6514->6515 6515->6505 5765 33d0e0 5766 33d1a0 5765->5766 5767 33d0f4 5765->5767 5769 33d15a 5767->5769 5770 33d11d 5767->5770 5771 33d14c 5767->5771 5768 3370f2 17 API calls 5768->5766 5769->5771 5773 33e9dc 13 API calls 5769->5773 5770->5771 5772 33e9dc 13 API calls 5770->5772 5771->5766 5771->5768 5772->5771 5773->5771 5774 3360e0 5775 336107 ctype 13 API calls 5774->5775 5776 3360ed 5775->5776 4661 3403e9 4676 340d8c 4661->4676 4663 3403f5 GetStartupInfoW 4664 340412 4663->4664 4665 340427 4664->4665 4666 34042e Sleep 4664->4666 4667 340446 _amsg_exit 4665->4667 4669 340450 4665->4669 4666->4664 4667->4669 4668 340492 _initterm 4671 3404ad __IsNonwritableInCurrentImage 4668->4671 4669->4668 4670 340473 4669->4670 4669->4671 4671->4670 4672 340599 4671->4672 4675 34054a exit 4671->4675 4677 333bbd HeapSetInformation 4671->4677 4672->4670 4673 3405a2 _cexit 4672->4673 4673->4670 4675->4671 4676->4663 
4722 335f21 4677->4722 4680 333c20 4888 33fe77 4680->4888 4681 333c8d GetSystemMetrics 4682 333caf 4681->4682 4683 333c9c 4681->4683 4710 333ca1 4682->4710 4727 33f064 RegOpenKeyExW 4682->4727 4910 33e996 4683->4910 4686 333c45 4690 333c76 ctype 4686->4690 4894 34002c FormatMessageW 4686->4894 4688 333dc5 4693 333dd7 EventUnregister 4688->4693 4694 333ddf 4688->4694 4689 333dbb GdiplusShutdown 4689->4688 4690->4681 4693->4694 4875 335e92 EnterCriticalSection 4694->4875 4695 333cf3 4698 3402fe ctype 2 API calls 4695->4698 4696 333cc4 4915 3402fe 4696->4915 4701 333cfd 4698->4701 4705 333ceb 4701->4705 4706 333d04 memset 4701->4706 4705->4710 4732 336036 memset 4705->4732 4709 337aa8 6 API calls 4706->4709 4707 333cd5 memset 4919 337aa8 4707->4919 4709->4705 4710->4688 4710->4689 4712 333d40 4733 336166 CreateMutexW 4712->4733 4714 333d49 4715 333da0 4714->4715 4716 333d4f GetActiveWindow 4714->4716 4923 336107 4715->4923 4717 333d63 4716->4717 4866 333e92 4717->4866 4720 333d8c PropertySheetW 4872 333e63 4720->4872 4723 335f5d GetCurrentThreadId 4722->4723 4726 335f3a 4722->4726 4724 3402fe ctype 2 API calls 4723->4724 4725 333be7 EventRegister GdiplusStartup 4724->4725 4725->4680 4725->4681 4726->4723 4728 33f0a0 RegQueryValueExW 4727->4728 4729 33f0c1 4727->4729 4728->4729 4730 33f0d3 RegCloseKey 4729->4730 4731 333cc0 4729->4731 4730->4731 4731->4695 4731->4696 4732->4712 4734 3361b2 RegisterWindowMessageW 4733->4734 4735 336194 GetLastError 4733->4735 4737 33fe77 3 API calls 4734->4737 4735->4734 4736 3361a1 WaitForSingleObject 4735->4736 4736->4734 4738 3361e0 FindWindowW 4737->4738 4739 3361f4 GetWindowThreadProcessId AllowSetForegroundWindow SendMessageTimeoutW 4738->4739 4740 33622b 4738->4740 4739->4740 4741 336865 4740->4741 4742 3402fe ctype 2 API calls 4740->4742 4743 336893 4741->4743 4744 336879 ReleaseMutex CloseHandle 4741->4744 4746 3368a9 ctype 4741->4746 4745 33625d 4742->4745 4743->4746 4750 33e9dc 13 API calls 4743->4750 4744->4743 4747 33627e 

    Control-flow Graph

    APIs
    • CreateMutexW.KERNELBASE(00000000,00000001,Local\DCCW Startup Mutex,00000000,00000000,00000000,?,?,?,?,?,00333D49,00000000), ref: 00336185
    • GetLastError.KERNEL32(?,?,?,?,?,00333D49,00000000), ref: 00336194
    • WaitForSingleObject.KERNEL32(00002710,?,?,?,?,?,00333D49,00000000), ref: 003361AC
    • RegisterWindowMessageW.USER32(Microsoft.Windows.ICM.DCCW.Activate,?,?,?,?,?,00333D49,00000000), ref: 003361B7
    • FindWindowW.USER32(NativeHWNDHost,003428C8), ref: 003361E8
    • GetWindowThreadProcessId.USER32(00000000,I=3), ref: 003361FC
    • AllowSetForegroundWindow.USER32(I=3), ref: 00336205
    • SendMessageTimeoutW.USER32(00000000,00000000,00000000,00000002,00002710,?), ref: 00336221
    • RegisterWindowMessageW.USER32(003323E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003367CB
    • GetLastError.KERNEL32 ref: 003367EC
    • WcsGetCalibrationManagementState.MSCMS(?), ref: 00336808
    • GetLastError.KERNEL32 ref: 00336812
    • WcsSetCalibrationManagementState.MSCMS(00000000), ref: 0033683D
    • GetLastError.KERNEL32 ref: 00336847
    • ReleaseMutex.KERNEL32(000001D8), ref: 0033687A
    • CloseHandle.KERNEL32 ref: 00336886
      • Part of subcall function 003402FE: malloc.MSVCRT ref: 00340316
      • Part of subcall function 0033C11C: CreateSolidBrush.GDI32(00787878), ref: 0033C179
      • Part of subcall function 003402FE: _callnewh.MSVCRT ref: 00340309
      • Part of subcall function 0033A74B: memset.MSVCRT ref: 0033A772
      • Part of subcall function 0033A74B: CreateSolidBrush.GDI32(00AAAAAA), ref: 0033A80B
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Window$ErrorLast$CreateMessage$BrushCalibrationManagementMutexRegisterSolidState$AllowCloseFindForegroundHandleObjectProcessReleaseSendSingleThreadTimeoutWait_callnewhmallocmemset
    • String ID: I=3$Local\DCCW Startup Mutex$Microsoft.Windows.ICM.DCCW.Activate$NativeHWNDHost$dccw$strg
    • API String ID: 2331678428-2446108083
    • Opcode ID: 773ad8733f262749d99bc1eb844bde2239dac146ce2a918296c1926d05ded5cf
    • Instruction ID: 6308e6e8a59cb9a637d25fca66df398429f74b8f2984c490828de87a3e5ef89f
    • Opcode Fuzzy Hash: 773ad8733f262749d99bc1eb844bde2239dac146ce2a918296c1926d05ded5cf
    • Instruction Fuzzy Hash: 4602E736B81B367FEB2B1A648C97F3EA5959B45B50F05822CBE42BF2C1DEA45C0047D1

    Control-flow Graph

    APIs
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00333BD7
      • Part of subcall function 00335F21: GetCurrentThreadId.KERNEL32 ref: 00335F5D
    • EventRegister.ADVAPI32(00331F40,00000000,00000000,00342858), ref: 00333BF3
    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00333C14
    • GetSystemMetrics.USER32(00001000), ref: 00333C92
    • memset.MSVCRT ref: 00333CDC
      • Part of subcall function 0034002C: FormatMessageW.KERNEL32(00000500,?,00000000,00000000,00000137,00000000,?,67727473,?,?,?,00333C64,?,?,00000000), ref: 00340052
      • Part of subcall function 0034002C: LocalFree.KERNEL32(00000000,00000137,?,?,?,00333C64,?,?,00000000), ref: 00340075
    • memset.MSVCRT ref: 00333D0B
    • GetActiveWindow.USER32 ref: 00333D4F
    • PropertySheetW.COMCTL32(?,?,?), ref: 00333D91
      • Part of subcall function 0033E8E3: EventWrite.ADVAPI32(00331F20,00000001,?,?,003368A9,00000000), ref: 0033E944
      • Part of subcall function 0033E8E3: MessageBoxW.USER32(00000000,00000000,003428C8,00000010), ref: 0033E973
    • GdiplusShutdown.GDIPLUS(?), ref: 00333DBF
    • EventUnregister.ADVAPI32(028E6100,0000002B), ref: 00333DD9
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Event$GdiplusMessagememset$ActiveCurrentFormatFreeHeapInformationLocalMetricsPropertyRegisterSheetShutdownStartupSystemThreadUnregisterWindowWrite
    • String ID: strg
    • API String ID: 299502029-3320446829
    • Opcode ID: c969197b2b5fcaa7401c42615d627ebc8a3688102183ec08f8b956aa4fc3d0e2
    • Instruction ID: b62eb620647c2ea3fd76081d6b4d7bc56b88e71a96ae825da50f2a1afb5059f7
    • Opcode Fuzzy Hash: c969197b2b5fcaa7401c42615d627ebc8a3688102183ec08f8b956aa4fc3d0e2
    • Instruction Fuzzy Hash: EF51C275908355AFC363AF65C8C595FB7E8EF80750F008A2DF885AB251DB34EE048B92

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
    • String ID:
    • API String ID: 2849151604-0
    • Opcode ID: 32baadc548a4d78eaa0c456a153bb95060d97edbadc759ba2f71cea84ef29005
    • Instruction ID: 122d832a9dfcbef1ef98a90997f18360fd16dbe27ffcadf32c792203812b2b84
    • Opcode Fuzzy Hash: 32baadc548a4d78eaa0c456a153bb95060d97edbadc759ba2f71cea84ef29005
    • Instruction Fuzzy Hash: 8941DF7AB043018FDB2F9B65AC4476A76E8EB06760F50406AEB01AF290DF74B840CF50

    Control-flow Graph

    APIs
    • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator,00000000,00020019,00333CC0,00000000,00000000,00000000,?,?,?,00333CC0), ref: 0033F094
    • RegQueryValueExW.ADVAPI32(00333CC0,UseSimulator,00000000,?,?,?,?,?,?,00333CC0), ref: 0033F0B5
    • RegCloseKey.ADVAPI32(00333CC0,?,?,?,00333CC0), ref: 0033F0D6
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator, xrefs: 0033F081
    • UseSimulator, xrefs: 0033F0AD
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator$UseSimulator
    • API String ID: 3677997916-1182467772
    • Opcode ID: 84f084e35a888c665b9400c4ce3740e7b55f28b3b8c0cdd5a9fd2740ee5a23a6
    • Instruction ID: 37f91c137d2428ecc4db2531fbca2746cd064d7fdde55826312cb38484e7fafe
    • Opcode Fuzzy Hash: 84f084e35a888c665b9400c4ce3740e7b55f28b3b8c0cdd5a9fd2740ee5a23a6
    • Instruction Fuzzy Hash: 37118B76D40218FFDB228B9A9C859DFBFBCEB44714F104277F501AA141D7B05A44CB90

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: BrushCreateSolidmemset
    • String ID:
    • API String ID: 1302505579-0
    • Opcode ID: e2b354c1bf322d34ca5d8df05175168e4ede46160567cf75f1ce5982b26064fb
    • Instruction ID: 38b6bed28c2c9be460a4afcbf82ffcde5fbef00a99c51d314f3b86197a65e71d
    • Opcode Fuzzy Hash: e2b354c1bf322d34ca5d8df05175168e4ede46160567cf75f1ce5982b26064fb
    • Instruction Fuzzy Hash: 2431E0B4A01B06BFD346CF2AD585681FBE4FF09314F50822AE558CBA50D7B0B464DBD0

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: _callnewhmalloc
    • String ID:
    • API String ID: 2285944120-0
    • Opcode ID: 827a41add3e7882cda66cdcc4134e2c9379e0503a851913f5d561a6cac6c916e
    • Instruction ID: d4a5eb717ab3b4a074d30d3a2ae50445c9b594f4639b1745cfd976ab338ae807
    • Opcode Fuzzy Hash: 827a41add3e7882cda66cdcc4134e2c9379e0503a851913f5d561a6cac6c916e
    • Instruction Fuzzy Hash: 57D0A73A301129338A2B2D55EC0055A7FCCCA417B03154031FB48AE555DB31FC0046C0

    Control-flow Graph

    APIs
      • Part of subcall function 003402FE: malloc.MSVCRT ref: 00340316
    • LoadStringW.USER32(003361E0,?,00000000,00000400), ref: 0033FE9A
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: LoadStringmalloc
    • String ID:
    • API String ID: 905986743-0
    • Opcode ID: 7296881d8fe89fa7b6d0611966828ed5ed4db439ddd6b7e6411f5aae4c82610f
    • Instruction ID: 73b667164bceb5bd6909cab84838b30e0805f0a682f36c8de77cc4cc77d4e83d
    • Opcode Fuzzy Hash: 7296881d8fe89fa7b6d0611966828ed5ed4db439ddd6b7e6411f5aae4c82610f
    • Instruction Fuzzy Hash: 54012B327410547FDB2B25289C4AE2F5A8C9F853A0F15813AFF09CE5F2D960D84052A4

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: __wgetmainargs
    • String ID:
    • API String ID: 1709950718-0
    • Opcode ID: 7cfbef598a6185d90ddff1b1f6b7323fbcf4edcc200b25789e9f8d9391d88296
    • Instruction ID: e293a1f273066811739078f68429ed507cbbaf35fde2d729db1354cd5373167c
    • Opcode Fuzzy Hash: 7cfbef598a6185d90ddff1b1f6b7323fbcf4edcc200b25789e9f8d9391d88296
    • Instruction Fuzzy Hash: 04D0C9B8A41200AB8707AF24AD26867BAF8AA03702BC000D8F4007E172EE623310CF52

    Control-flow Graph

    APIs
    • GetObjectW.GDI32(?,00000018,?), ref: 0033EE1B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033767F,?), ref: 0033EE33
    • GetWindowRect.USER32(?,?), ref: 0033EE55
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033767F,?), ref: 0033EE78
    • GetDC.USER32(?), ref: 0033EE96
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033767F,?), ref: 0033EEA5
    • CreateCompatibleDC.GDI32(00000000), ref: 0033EEC3
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033767F,?), ref: 0033EECF
    • SelectObject.GDI32(00000000,?), ref: 0033EEF0
    • CreateCompatibleDC.GDI32(?), ref: 0033EF01
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033767F,?), ref: 0033EF0E
    • SetStretchBltMode.GDI32(00000000,00000003), ref: 0033EF31
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033767F,?), ref: 0033EF3B
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0033EF61
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033767F,?), ref: 0033EF6D
    • SelectObject.GDI32(?,00000000), ref: 0033EF8A
    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0033EFB6
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0033767F,?), ref: 0033EFC0
    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0033EFE4
    • DeleteObject.GDI32(00000000), ref: 0033EFFE
    • ReleaseDC.USER32(?,?), ref: 0033F00F
    • DeleteDC.GDI32(00000000), ref: 0033F01A
    • DeleteDC.GDI32(?), ref: 0033F028
    • DeleteObject.GDI32(00000000), ref: 0033F037
    Strings
    • SendMessage(STM_SETIMAGE, 0x%08x) returned 0x%08x, xrefs: 0033EFEC
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ErrorLast$Object$Delete$CompatibleCreate$SelectStretch$BitmapMessageModeRectReleaseSendWindow
    • String ID: SendMessage(STM_SETIMAGE, 0x%08x) returned 0x%08x
    • API String ID: 1596057509-2907994607
    • Opcode ID: c03f4c34fa3452d605b5088c8997368e34f6bf5f5c667065a7cd9256734841cb
    • Instruction ID: 1eacb724b5d3b094434cd77d3c6614de46e811a57b5cc2165807f01f2ba8f067
    • Opcode Fuzzy Hash: c03f4c34fa3452d605b5088c8997368e34f6bf5f5c667065a7cd9256734841cb
    • Instruction Fuzzy Hash: 45718D7AD006259FDB279FA9DDC4AAEBAB8BF08751F120124FD05F7251DB34DD008AA0

    Control-flow Graph

    • Rendered graph not reproduced; the executed / not-executed colouring of the nodes does not survive as text.
    • Function 0x00335245, basic blocks 0x335245 to 0x3357e2 (exit block 0x3357dd).
    • Blocks with API calls: 0x3352aa lstrcmpiW x2; 0x33538c lstrcmpiW; 0x3353b0 lstrcmpiW; 0x335475 RegDeleteValueW; 0x335504 RegCreateKeyExW; 0x33561b wcsncpy_s; 0x33536a, 0x335499, 0x335531, 0x33572d, 0x3357aa RegCloseKey.
    • Internal subcalls: 0x3350f7 (from many blocks), 0x340f00, 0x340680, 0x334948, 0x334ea7, 0x334f26, 0x334ede, 0x334a7b, 0x334e3a, 0x334e01, 0x3350e1, 0x335009, 0x335046; the function calls itself (recursion) from blocks 0x3355b8 and 0x335683.
    APIs
      • Part of subcall function 003350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 00335132
      • Part of subcall function 003350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 0033514F
      • Part of subcall function 003350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 00335162
      • Part of subcall function 003350F7: CharNextW.USER32(00000027,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 0033516D
    • lstrcmpiW.KERNEL32(?,Delete,?,?,00000000,00000000,?,00335944,?,00000000,00000000,00000000,?), ref: 003352B8
    • lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,00335944,?,00000000,00000000,00000000,?), ref: 003352CD
    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,00335944,?,00000000,00000000,00000000,?), ref: 0033536B
    • lstrcmpiW.KERNEL32(?,NoRemove,?,?,00000000,00000000,?,00335944,?,00000000,00000000,00000000,?), ref: 00335392
    • lstrcmpiW.KERNEL32(?,Val,?,00000000,00000000,?,00335944,?,00000000,00000000,00000000,?), ref: 003353B6
    • RegDeleteValueW.ADVAPI32(?,?,?,00000000,00020006,?,?), ref: 00335482
    • RegCloseKey.ADVAPI32(?), ref: 0033549A
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,00020019,?,?,0002001F), ref: 0033551F
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00335944,?,00000000,00000000,00000000,?), ref: 00335535
    • wcsncpy_s.MSVCRT ref: 00335628
      • Part of subcall function 00335245: RegCloseKey.ADVAPI32(?,?,?), ref: 0033572E
      • Part of subcall function 00335245: RegCloseKey.ADVAPI32(?,?,00000000,00020006,?,?), ref: 003357AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Close$CharNextlstrcmpi$CreateDeleteValuewcsncpy_s
    • String ID: Delete$ForceRemove$NoRemove$Val
    • API String ID: 670805417-1781481701
    • Opcode ID: 40f58d2fcf05580231be0ed753b31bb9b7d904ef87dae33016089270cbe20a7b
    • Instruction ID: 2c4183fdea4bf7d5f1117a2108a170acb3656267d28d8d6ae49db2b98644237f
    • Opcode Fuzzy Hash: 40f58d2fcf05580231be0ed753b31bb9b7d904ef87dae33016089270cbe20a7b
    • Instruction Fuzzy Hash: 93E19E35A08B129BC726DF24C8D5A2FB7E8BF84B50F05491DF9469B241EB74DD40CB92
    APIs
    • CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00333658,00000000,00000017,00333668,?,?,00000001), ref: 0034015B
    • SysAllocString.OLEAUT32(mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1), ref: 0034016C
    • WinSqmAddToStream.NTDLL(00000000,0000038F,00000001,00000053), ref: 00340199
    • SysFreeString.OLEAUT32(00000000), ref: 003401CD
    Strings
    • COLOR_MANAGEMENT_CALIBRATE_DISPLAY, xrefs: 00340182
    • mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1, xrefs: 00340167
    • P5w, xrefs: 0034015B
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: String$AllocCreateFreeInstanceStream
    • String ID: COLOR_MANAGEMENT_CALIBRATE_DISPLAY$P5w$mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1
    • API String ID: 148082582-2333206421
    • Opcode ID: 0514e88beada93f343f896ed76abd5faa3d597b5ab6017cfe5edf924c7137e44
    • Instruction ID: ede77c36ba5cb2b8cf1cff1bacbb56b08030d6e77cca92d3e9fc15f439a0b15a
    • Opcode Fuzzy Hash: 0514e88beada93f343f896ed76abd5faa3d597b5ab6017cfe5edf924c7137e44
    • Instruction Fuzzy Hash: 11117339740214BFD7169B54DC89DAE7BFCDB49B51F114059F905EB250CFB0AE008B50
    APIs
    • FindResourceW.KERNEL32(00330000,?,000001F4,?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F13C
    • GetLastError.KERNEL32(?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F14B
    • LoadResource.KERNEL32(00330000,00000000,?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F166
    • GetLastError.KERNEL32(?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F172
    • SizeofResource.KERNEL32(00330000,?,?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F18F
    • LockResource.KERNEL32(00000000,?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F19B
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Resource$ErrorLast$FindLoadLockSizeof
    • String ID:
    • API String ID: 518650369-0
    • Opcode ID: c4d07cede180b4960a5d3adc23f6f93e5fe5ba8c365bad025ae5efd821aac5ba
    • Instruction ID: 4a43462ee38d3ceaf442f96add5ff85bde16af169de052947c455a7b7fffd53f
    • Opcode Fuzzy Hash: c4d07cede180b4960a5d3adc23f6f93e5fe5ba8c365bad025ae5efd821aac5ba
    • Instruction Fuzzy Hash: 4611217BD01225AFC7139BA9E94495ABABCAB89761F124125FD45DB310DA34DD00C7E0
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00340939, %4), ref: 00340804
    • UnhandledExceptionFilter.KERNEL32(94,?,00340939, %4), ref: 0034080D
    • GetCurrentProcess.KERNEL32(C0000409,?,00340939, %4), ref: 00340818
    • TerminateProcess.KERNEL32(00000000,?,00340939, %4), ref: 0034081F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
    • String ID: 94
    • API String ID: 3231755760-613239025
    • Opcode ID: b1e8f3b35d981182db483df76a0163b09ee80f0a9b46fd516c73109443f0403b
    • Instruction ID: ed95a1b8d8e100d9ea9a57a63a2537dc2c80b9e004bfeee98e88674c25069e95
    • Opcode Fuzzy Hash: b1e8f3b35d981182db483df76a0163b09ee80f0a9b46fd516c73109443f0403b
    • Instruction Fuzzy Hash: 72D01236000208BBCB023BF1ED0CA097F2CFB46312F584000F3098B020CF3266018B65
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00340CF6
    • GetCurrentProcessId.KERNEL32 ref: 00340D05
    • GetCurrentThreadId.KERNEL32 ref: 00340D0E
    • GetTickCount.KERNEL32 ref: 00340D17
    • QueryPerformanceCounter.KERNEL32(?), ref: 00340D2C
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 9ee7b04cb4fa4f429cf3e2d26a865ebc904f7436530cfecf15eb3ee8caa559c4
    • Instruction ID: fe2ecdd4ce875750d172dbfcebe013f850639f1e2b5b45d622948ccae7277dfd
    • Opcode Fuzzy Hash: 9ee7b04cb4fa4f429cf3e2d26a865ebc904f7436530cfecf15eb3ee8caa559c4
    • Instruction Fuzzy Hash: 4511EC75E01608EBCB15DFF8EA4869FBBF8EF59311F610555E501EB264DA30AB04CB40
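    The API listings above mix genuine capabilities with compiler and framework boilerplate that a sandbox signature cannot tell apart on its own: the five-call sequence GetSystemTimeAsFileTime / GetCurrentProcessId / GetCurrentThreadId / GetTickCount / QueryPerformanceCounter is the MSVC CRT `__security_init_cookie`; SetUnhandledExceptionFilter(0) followed by UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess with 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN) is the CRT `__report_gsfailure`; lstrcmpiW against Delete / ForceRemove / NoRemove / Val next to RegCreateKeyExW and RegDeleteValueW is the ATL registrar script parser; and a CreateCompatibleDC / CreateCompatibleBitmap / StretchBlt chain that ends in SendMessageW with 0x0172 (STM_SETIMAGE) hands the bitmap to a static control, which is UI rendering unless the source DC is shown to be the screen. The following Python script is an added example, not part of the Joe Sandbox report or of the analysed binary: it parses bullet lines in this report's own "Name.MODULE(args), ref: ADDR" format and tags each function block with the known sequence it matches. The sample text is constructed from fragments of the listings above; the tag names and matching rules are this example's own heuristics.

```python
"""Tag API-listing blocks from a Joe Sandbox-style report with known boilerplate sequences."""
import re

# Constructed sample: fragments copied from this report's listings, in its own format.
SAMPLE = """\
APIs
• CreateCompatibleDC.GDI32(00000000), ref: 0033EEC3
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 0033EF61
• StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0033EFB6
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0033EFE4
Strings
• SendMessage(STM_SETIMAGE, 0x%08x) returned 0x%08x, xrefs: 0033EFEC
Memory Dump Source
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00340939, %4), ref: 00340804
• UnhandledExceptionFilter.KERNEL32(94,?,00340939, %4), ref: 0034080D
• GetCurrentProcess.KERNEL32(C0000409,?,00340939, %4), ref: 00340818
• TerminateProcess.KERNEL32(00000000,?,00340939, %4), ref: 0034081F
Memory Dump Source
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00340CF6
• GetCurrentProcessId.KERNEL32 ref: 00340D05
• GetCurrentThreadId.KERNEL32 ref: 00340D0E
• GetTickCount.KERNEL32 ref: 00340D17
• QueryPerformanceCounter.KERNEL32(?), ref: 00340D2C
Memory Dump Source
APIs
  • Part of subcall function 003350F7: CharNextW.USER32(00000000,?), ref: 00335132
• lstrcmpiW.KERNEL32(?,Delete,?,?,00000000,00000000,?,00335944,?), ref: 003352B8
• lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,00335944,?), ref: 003352CD
• RegDeleteValueW.ADVAPI32(?,?,?,00000000,00020006,?,?), ref: 00335482
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?), ref: 0033551F
Memory Dump Source
"""

# One API bullet: optional "Part of subcall function X:" prefix, Name.MODULE, optional (args), ref: ADDR
API_LINE = re.compile(
    r"^\s*(?:[•*-]\s*)?(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.\-]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Known sequences (facts about the MSVC CRT, ATL and Win32; the tag names are this example's own).
COOKIE_INIT = {"GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
               "GetTickCount", "QueryPerformanceCounter"}        # MSVC __security_init_cookie
GS_FAILURE = {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
              "GetCurrentProcess", "TerminateProcess"}            # MSVC __report_gsfailure
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409
ATL_REG_KEYWORDS = {"Delete", "ForceRemove", "NoRemove", "Val"}   # ATL CRegParser script tokens
STM_SETIMAGE = 0x0172

def _hex(tok):
    """Parse a listing argument as hex; '?' and format residue such as '%4' yield None."""
    try:
        return int(tok, 16)
    except ValueError:
        return None

def parse_listing(text):
    """Split the text at each 'APIs' heading and collect the API bullets of every block."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = []
            blocks.append(cur)
        elif s in ("Strings", "Memory Dump Source"):   # end of the API bullets for this block
            cur = None
        elif cur is not None:
            m = API_LINE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur.append({"name": m["name"], "module": m["module"], "args": args,
                            "ref": int(m["ref"], 16), "subcall": bool(m["sub"])})
    return blocks

def classify(calls):
    """Return the tags whose sequence is present among the block's direct (non-subcall) calls."""
    direct = [c for c in calls if not c["subcall"]]
    names = {c["name"] for c in direct}
    all_args = [a for c in direct for a in c["args"]]
    tags = []
    if COOKIE_INIT <= names:
        tags.append("crt:__security_init_cookie")
    if GS_FAILURE <= names and any(_hex(a) == STATUS_STACK_BUFFER_OVERRUN for a in all_args):
        tags.append("crt:__report_gsfailure")
    if {"CreateCompatibleDC", "CreateCompatibleBitmap"} <= names and names & {"BitBlt", "StretchBlt"}:
        tags.append("gdi:bitmap-blit")   # capture primitive only if the source DC is the screen
        if any(c["name"].startswith("SendMessage") and len(c["args"]) > 1
               and _hex(c["args"][1]) == STM_SETIMAGE for c in direct):
            tags.append("gdi:STM_SETIMAGE")   # bitmap goes to a static control: UI rendering
    literals = {a for c in direct if c["name"] in ("lstrcmpiW", "lstrcmpW") for a in c["args"]}
    if literals & ATL_REG_KEYWORDS and names & {"RegCreateKeyExW", "RegDeleteValueW"}:
        tags.append("atl:registrar-script-parser")
    return tags

def triage(text):
    """Summarise every block: first direct call address, direct API names, matched tags."""
    out = []
    for calls in parse_listing(text):
        direct = [c for c in calls if not c["subcall"]] or calls
        if calls:
            out.append({"first_ref": direct[0]["ref"], "apis": [c["name"] for c in direct],
                        "tags": classify(calls)})
    return out

if __name__ == "__main__":
    for b in triage(SAMPLE):
        print(f"{b['first_ref']:08X}: {', '.join(b['tags']) or 'no known sequence'} ({len(b['apis'])} calls)")
```

    Blocks that match only CRT or ATL tags carry no information about the sample's intent, and the GDI tag is a prompt to look at the source DC in the disassembly rather than a verdict; everything the script does not recognise stays untagged for manual review.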
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000C,0033F721,00000000,00000000,0033F911,00000000,?,00000000,?,00336DFD,?), ref: 0033F7F0
    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,?,00000000,?,00336DFD,?), ref: 0033F816
    • HeapAlloc.KERNEL32(00000000,?,00000000,?,00336DFD,?), ref: 0033F81D
    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00336DFD,?), ref: 0033F838
    • HeapFree.KERNEL32(00000000,?,00000000,?,00336DFD,?), ref: 0033F83F
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Heap$Process$AllocFeatureFreePresentProcessor
    • String ID:
    • API String ID: 53968077-0
    • Opcode ID: 467dbe660533465fbc7b3eb5be803ea29ce54601c8ffb26540182c0c28d2232b
    • Instruction ID: d4ee86bc090ac9098440206df1a388adf7fc4c00e1608e70858df7733055570d
    • Opcode Fuzzy Hash: 467dbe660533465fbc7b3eb5be803ea29ce54601c8ffb26540182c0c28d2232b
    • Instruction Fuzzy Hash: 3DF06D79A016029FEB16AF689C08B1637EDBF46701F458438E686DF280EF30E840CB50
    APIs
    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00337016,?,00000000,?,00336DFD,?), ref: 0033F8D4
    • HeapAlloc.KERNEL32(00000000,?,00000000,?,00336DFD,?), ref: 0033F8DB
    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00336DFD,?), ref: 0033F91B
    • HeapFree.KERNEL32(00000000,?,00000000,?,00336DFD,?), ref: 0033F922
      • Part of subcall function 0033F711: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,00000000,0033F911,00000000,?,00000000,?,00336DFD,?), ref: 0033F733
      • Part of subcall function 0033F711: HeapAlloc.KERNEL32(00000000,?,00000000,?,00336DFD,?), ref: 0033F73A
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Heap$Process$Alloc$Free
    • String ID:
    • API String ID: 1864747095-0
    • Opcode ID: 71cb304dc999a5f11e96c73d2416506a4a28c4b1165349effc5f8391a9e4dbe2
    • Instruction ID: a88fbf32700cefee1b24a482ed4a831ff25f28588228cd95db070b74581c1d0d
    • Opcode Fuzzy Hash: 71cb304dc999a5f11e96c73d2416506a4a28c4b1165349effc5f8391a9e4dbe2
    • Instruction Fuzzy Hash: F2F0BE7AA046116FCB633B787C4CB6A2A6CAFC2B91F524038F54ACF250DF30C8018B50
    APIs
    • FormatMessageW.KERNEL32(00000500,?,00000000,00000000,00000137,00000000,?,67727473,?,?,?,00333C64,?,?,00000000), ref: 00340052
    • LocalFree.KERNEL32(00000000,00000137,?,?,?,00333C64,?,?,00000000), ref: 00340075
    • GetLastError.KERNEL32(?,?,?,00333C64,?,?,00000000), ref: 0034007D
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessage
    • String ID:
    • API String ID: 1365068426-0
    • Opcode ID: af06e8b9c4a54f9fd55657fc071834bea43216c8745775965e54875babacdaff
    • Instruction ID: 1bb5f6f46e06a503d0b81f55156a3b1d7ff7597bf0cde3d51d921fc6574f284b
    • Opcode Fuzzy Hash: af06e8b9c4a54f9fd55657fc071834bea43216c8745775965e54875babacdaff
    • Instruction Fuzzy Hash: 03014B76901128FBDB229B91CD08ADEBEBCEF05350F114066F901AB140EA30AF00DAE0
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00010A30), ref: 00340A85
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: a6d9835acd29bf017ccff0d62fc80bf92a6373940c8af9c844a35f7ba2579958
    • Instruction ID: 5d0cac319b67a7878f0c4975ffa0f57541348c16874e2d95cb72fe1666cd26d1
    • Opcode Fuzzy Hash: a6d9835acd29bf017ccff0d62fc80bf92a6373940c8af9c844a35f7ba2579958
    • Instruction Fuzzy Hash: 4B9002643612004646062B705D1994675D45A59702F950550E542CD054DF7061009511

    Control-flow Graph

    • Rendered graph not reproduced; the executed / not-executed colouring of the nodes does not survive as text.
    • Function 0x0033bd3d, basic blocks 0x33bd3d to 0x33bf7f.
    • Blocks with API calls: 0x33bdaa GetDlgItem; 0x33bde3 GetWindowRect; 0x33bdf5 MapWindowPoints; 0x33be08 GetLastError; 0x33be37 _ftol2_sse; 0x33be7b MoveWindow; 0x33be90 GetLastError; 0x33bec8 InvalidateRect, GetDlgItem, GetWindowRect; 0x33bef1 MapWindowPoints; 0x33bf04 GetLastError; 0x33bf1a MoveWindow; 0x33bf4a GetLastError; 0x33bf59 DeleteObject.
    • Internal subcalls: 0x33a9ed (entry block), 0x33ec08 (0x33bdd6), 0x33edc2 (0x33bebb), 0x340680 (0x33bf71).
    APIs
      • Part of subcall function 0033A9ED: MapDialogRect.USER32(?,?), ref: 0033AA1C
      • Part of subcall function 0033A9ED: GetWindowRect.USER32(?,?), ref: 0033AA42
      • Part of subcall function 0033A9ED: EnumChildWindows.USER32(?,0033AD30), ref: 0033AABD
      • Part of subcall function 0033A9ED: InvalidateRect.USER32(?,00000000,00000001), ref: 0033AAC9
    • GetDlgItem.USER32(?,sx}), ref: 0033BDB1
      • Part of subcall function 0033EC08: GlobalAlloc.KERNEL32(00000002,?,?,?,?,00000000,?), ref: 0033EC3C
      • Part of subcall function 0033EC08: GetLastError.KERNEL32(?,00000000,?), ref: 0033EC48
      • Part of subcall function 0033EC08: GlobalLock.KERNEL32(00000000), ref: 0033EC66
      • Part of subcall function 0033EC08: GetLastError.KERNEL32(?,00000000,?), ref: 0033EC72
      • Part of subcall function 0033EC08: memcpy.MSVCRT(00000000,?,?,?,00000000,?), ref: 0033EC96
      • Part of subcall function 0033EC08: CreateStreamOnHGlobal.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000001,00000000,?,00000000,?), ref: 0033ECA5
      • Part of subcall function 0033EC08: GlobalUnlock.KERNEL32(00000000), ref: 0033ECB2
      • Part of subcall function 0033EC08: GlobalFree.KERNEL32(00000000), ref: 0033ECB9
    • GetWindowRect.USER32(?,?), ref: 0033BDEB
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033BE00
    • GetLastError.KERNEL32(?,00000005,?,?,00000001,?), ref: 0033BE08
    • _ftol2_sse.MSVCRT ref: 0033BE6B
    • MoveWindow.USER32(?,?,?,?,?,00000000,?,00000005,?,?,00000001,?), ref: 0033BE86
    • GetLastError.KERNEL32(?,00000005,?,?,00000001,?), ref: 0033BE90
    • InvalidateRect.USER32(?,00000000,00000000,?,?,00000005,?,?,00000001,?), ref: 0033BECD
    • GetDlgItem.USER32(?,00000064), ref: 0033BEDA
    • GetWindowRect.USER32(00000000,?), ref: 0033BEE7
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033BEFC
    • GetLastError.KERNEL32(?,00000005,?,?,00000001,?), ref: 0033BF04
    • MoveWindow.USER32(00000000,?,?,?,?,00000001,?,00000005,?,?,00000001,?), ref: 0033BF40
    • GetLastError.KERNEL32(?,00000005,?,?,00000001,?), ref: 0033BF4A
    • DeleteObject.GDI32(00000000), ref: 0033BF5C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Window$ErrorLastRect$Global$InvalidateItemMovePoints$AllocChildCreateDeleteDialogEnumFreeLockObjectStreamUnlockWindows_ftol2_ssememcpy
    • String ID: d$i$n$sx}$x$}
    • API String ID: 3487292329-3487999874
    • Opcode ID: f778df661839fb76838e426ecef993f51ada85c75c3c2d3b0be9479ee6dd88e3
    • Instruction ID: b024195d64f3a7aa5d9a925961b5eacddc68a74a5cd4c922709797c30eb299a9
    • Opcode Fuzzy Hash: f778df661839fb76838e426ecef993f51ada85c75c3c2d3b0be9479ee6dd88e3
    • Instruction Fuzzy Hash: 46711735A00219EFEB029FE5DD88BAEBBB9FF05740F114015EA05AB264CB74A915CF60

    Control-flow Graph

    • Rendered graph not reproduced; the executed / not-executed colouring of the nodes does not survive as text.
    • Function 0x00338ac0, basic blocks 0x338ac0 to 0x338cec.
    • Blocks with API calls: 0x338b07 WcsCreateIccProfile; 0x338b1c, 0x338b5b, 0x338bb6, 0x338bfc, 0x338c41, 0x338c77 GetLastError; 0x338b4a and 0x338ba5 GetColorProfileFromHandle; 0x338bd3 CreateFileW; 0x338c19 WriteFile; 0x338c5a CloseHandle, InstallColorProfileW; 0x338cad CloseHandle; 0x338cbb and 0x338ccd CloseColorProfile.
    • Internal subcalls: 0x339d26 (entry block), 0x33a1b6 (0x338b35), 0x34032d (0x338b8b), 0x3402f3 and 0x33ff06 (0x338cd4).
    APIs
      • Part of subcall function 00339D26: GetSystemTime.KERNEL32(?,000001F5,?,00000000), ref: 00339DEA
    • WcsCreateIccProfile.MSCMS(?,00000000,?,?), ref: 00338B0C
    • GetLastError.KERNEL32 ref: 00338B1C
    • GetColorProfileFromHandle.MSCMS(00000000,00000000,?,?,?), ref: 00338B51
    • GetLastError.KERNEL32 ref: 00338B5B
    • GetColorProfileFromHandle.MSCMS(00000000,00000000,?), ref: 00338BAC
    • GetLastError.KERNEL32 ref: 00338BB6
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00338BEF
    • GetLastError.KERNEL32 ref: 00338BFC
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00338C26
    • GetLastError.KERNEL32 ref: 00338C41
    • CloseHandle.KERNEL32(00000000), ref: 00338C5B
    • InstallColorProfileW.MSCMS(00000000,?), ref: 00338C6D
    • GetLastError.KERNEL32 ref: 00338C77
    • CloseHandle.KERNEL32(00000000), ref: 00338CAE
    • CloseColorProfile.MSCMS(00000000,?,?), ref: 00338CBF
    • CloseColorProfile.MSCMS(?,?,?), ref: 00338CCE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ErrorLastProfile$Color$CloseHandle$CreateFileFrom$InstallSystemTimeWrite
    • String ID: strg
    • API String ID: 3772428985-3320446829
    • Opcode ID: 59dffb074dd3d30e09b0027b7eae9a294c359bcc175d3ef4f17790617558d073
    • Instruction ID: 9606379630af38168560aefdca3b7e62677d14672711f6e8f8f07c315341f8c3
    • Opcode Fuzzy Hash: 59dffb074dd3d30e09b0027b7eae9a294c359bcc175d3ef4f17790617558d073
    • Instruction Fuzzy Hash: 0E51057A1447029BD7139F258DC4B5BFAEAAFC4360F260929F955CB251EF70D9008AB1

    Control-flow Graph

    • Rendered graph not reproduced; the executed / not-executed colouring of the nodes does not survive as text.
    • Function 0x0033a1b6, basic blocks 0x33a1b6 to 0x33a4c5.
    • Blocks with API calls: 0x33a240 and 0x33a296 WideCharToMultiByte; 0x33a262, 0x33a2b3, 0x33a44b, 0x33a484 GetLastError; 0x33a333 memset, memcpy; 0x33a436 SetColorProfileElementSize; 0x33a464 SetColorProfileElement.
    • Internal subcalls: 0x33fe77 (0x33a1b6, 0x33a1fa, 0x33a218), 0x34032d (0x33a27b, 0x33a303), 0x3402f3 x2 and 0x33ff06 x3 (0x33a499).
    APIs
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000080,?,000000FF,00000000,00000000,00000000,00000000,00330000,000001F7,00000000,00000000,00000000), ref: 0033A253
    • GetLastError.KERNEL32 ref: 0033A262
      • Part of subcall function 0033FE77: LoadStringW.USER32(003361E0,?,00000000,00000400), ref: 0033FE9A
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000080,?,000000FF,00000000,00000000,00000000,00000000), ref: 0033A2A9
    • GetLastError.KERNEL32 ref: 0033A2B3
    • memset.MSVCRT ref: 0033A33A
    • memcpy.MSVCRT(00000004,?,?,00000000,00000000,?,00330000,000001F7,00000000,00000000,00000000), ref: 0033A35C
    • SetColorProfileElementSize.MSCMS(?,64657363,?,?,00330000,000001F7,00000000,00000000,00000000), ref: 0033A441
    • GetLastError.KERNEL32(?,00330000,000001F7,00000000,00000000,00000000), ref: 0033A44B
    • SetColorProfileElement.MSCMS(?,64657363,00000000,?,00000000,?,00330000,000001F7,00000000,00000000,00000000), ref: 0033A47A
    • GetLastError.KERNEL32(?,00330000,000001F7,00000000,00000000,00000000), ref: 0033A484
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ErrorLast$ByteCharColorElementMultiProfileWide$LoadSizeStringmemcpymemset
    • String ID: strg$strg$strg$strg
    • API String ID: 139363455-4050408924
    • Opcode ID: 196760de31b2c6cc6e5e184ec521c567c7f687d60ef6b8b76398cd32fdeb0b41
    • Instruction ID: a5516cc7c66f6357cf5e0a0206d9e34e3dba28c83f5c986911027b625536fea6
    • Opcode Fuzzy Hash: 196760de31b2c6cc6e5e184ec521c567c7f687d60ef6b8b76398cd32fdeb0b41
    • Instruction Fuzzy Hash: C7A1C075E0021A9BCB06DFA9C8C1AEEBBF5FF48310F244129E941BB351DB71A901CB91

    Control-flow Graph

    • Rendered graph not reproduced; the executed / not-executed colouring of the nodes does not survive as text.
    • Function 0x00339d26, basic blocks 0x339d26 to 0x33a01f.
    • Blocks with API calls: 0x339de6 GetSystemTime; 0x339e6e _CIpow x3; 0x339f95 WcsOpenColorProfileW; 0x339fd6 GetLastError.
    • Internal subcalls: 0x33fe77 (0x339d26, 0x339d79, 0x339d98, 0x339dbe), 0x33ff30 (0x339de6, 0x339e6e), 0x34002c (0x339e2c), 0x3398a7 x3 and 0x33ebd2 (0x339e6e), 0x33fcc2 (0x339f40, 0x339f5d), 0x33ff06 (0x339f4d; x5 at 0x339feb), 0x340680 (0x339feb).
    APIs
    • GetSystemTime.KERNEL32(?,000001F5,?,00000000), ref: 00339DEA
    • _CIpow.MSVCRT ref: 00339ED5
      • Part of subcall function 0033FE77: LoadStringW.USER32(003361E0,?,00000000,00000400), ref: 0033FE9A
    • _CIpow.MSVCRT ref: 00339EF3
    • _CIpow.MSVCRT ref: 00339F11
    • WcsOpenColorProfileW.MSCMS(00000002,?,00000000,00000001,00000001,00000003,00000000,</cdm:Calibration></cdm:ColorDeviceModel>), ref: 00339FC7
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00339FD6
    Strings
    • D65.camp, xrefs: 00339FA4
    • strg, xrefs: 00339E71
    • </cdm:Calibration></cdm:ColorDeviceModel>, xrefs: 00339F60
    • <?xml version="1.0" encoding="utf-16"?><cdm:ColorDeviceModel%txmlns:cdm="http://schemas.microsoft.com/windows/2005/02/color/Colo, xrefs: 00339E37
    • strg, xrefs: 00339F8F
    • strg, xrefs: 00339D4C
    • %4d-%02d-%02dT%02d:%02d:%02d, xrefs: 00339E11
    • <cal:AdapterGammaConfiguration><cal:ParameterizedCurves><wcs:RedTRC Gamma="%f" Gain="%f" Offset1="0.0"/><wcs:GreenT, xrefs: 00339F2C
    Similarity
    • API ID: Ipow$ColorErrorLastLoadOpenProfileStringSystemTime
    • String ID: </cdm:Calibration></cdm:ColorDeviceModel>$<cal:AdapterGammaConfiguration><cal:ParameterizedCurves><wcs:RedTRC Gamma="%f" Gain="%f" Offset1="0.0"/><wcs:GreenT$%4d-%02d-%02dT%02d:%02d:%02d$<?xml version="1.0" encoding="utf-16"?><cdm:ColorDeviceModel%txmlns:cdm="http://schemas.microsoft.com/windows/2005/02/color/Colo$D65.camp$strg$strg$strg
    • API String ID: 1408563361-1103866935
    • Opcode ID: 5ad8eb0a731f3d8cc10fe3a8952d095a0a0f4b75207e48b201a83b9407f7d21f
    • Instruction ID: f20c062719af0c6561fe824a75be454a18e0c8efa63b048299301e6482e40d9a
    • Opcode Fuzzy Hash: 5ad8eb0a731f3d8cc10fe3a8952d095a0a0f4b75207e48b201a83b9407f7d21f
    • Instruction Fuzzy Hash: 41915635D01219EBCB02EFA4D885AEEBBB5FF48700F514069F941BB265DB35A921CB90
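    Every function entry in this report lists its API calls in one line format: an optional "Part of subcall function <addr>:" prefix, then API.MODULE(args), then "ref: <call site>", with "?" standing for an argument the IDA plugin could not resolve statically. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses those bullet lines and summarises what a triager looks for first, namely exports resolved at run time through GetProcAddress, the library names handed to LoadLibraryExW/GetModuleHandleW, and calls into MSCMS. The sample lines are copied verbatim from entries on this page; the regular expression, the ApiCall record and the summary keys are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: API bullet lines copied verbatim from function
# entries in this report (the RegDeleteKey resolver at 00335061..003350CE,
# the WcsOpenColorProfileW caller, a bare GetLastError and DccwGetGamutSize).
SAMPLE_API_LINES = """\
• GetModuleHandleW.KERNEL32(API-MS-Win-Core-LocalRegistry-L1-1-0.dll,?,00000000,?,?,00334FD9,?), ref: 00335061
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00335071
• LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000000,?,00334FD9,?), ref: 00335083
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyW), ref: 00335093
• GetLastError.KERNEL32(?,00000000,?,?,00334FD9,?), ref: 003350CE
• WcsOpenColorProfileW.MSCMS(00000002,?,00000000,00000001,00000001,00000003,00000000,</cdm:Calibration></cdm:ColorDeviceModel>), ref: 00339FC7
  • Part of subcall function 0033FE77: LoadStringW.USER32(003361E0,?,00000000,00000400), ref: 0033FE9A
• GetLastError.KERNEL32 ref: 00338B1C
• DccwGetGamutSize.MSCMS(00000000,?,?,?,?), ref: 00339168
"""

# One bullet line of the "APIs" block. The argument list is optional (see the
# bare GetLastError line) and module names may contain dots and hyphens.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.-]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# APIs whose arguments name what gets resolved or loaded at run time.
RESOLVERS = {"GetProcAddress"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]               # "?" marks an argument the plugin could not resolve
    ref: str                      # address of the call site
    caller: Optional[str] = None  # set for "Part of subcall function" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every bullet line that matches the report's API format; skip the rest."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = raw.split(",") if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module").upper(), args,
                             m.group("ref").upper(), m.group("caller")))
    return calls


def summarize(calls: List[ApiCall]) -> dict:
    """Pull out the facts a triager checks first from a parsed API list."""
    resolved = [c.args[1] for c in calls
                if c.api in RESOLVERS and len(c.args) > 1 and c.args[1] != "?"]
    libraries = [c.args[0] for c in calls
                 if c.api in LOADERS and c.args and c.args[0] != "?"]
    return {
        "modules": sorted({c.module for c in calls}),
        "resolved_exports": resolved,          # names passed to GetProcAddress
        "library_names": libraries,            # names passed to LoadLibrary*/GetModuleHandle*
        "color_management_apis": sorted(c.api for c in calls if c.module == "MSCMS"),
        "subcall_lines": sum(1 for c in calls if c.caller),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE_API_LINES)).items():
        print(f"{key}: {value}")
```

    To use it on the whole report, feed a saved text copy of the page to parse_api_lines; subcall lines are attributed to the function named in their prefix, so a resolver seen under several entries is counted once per entry, which is what you want when judging how widely a run-time-resolved export is used.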
    APIs
    • LoadCursorW.USER32(00000000,00007F02), ref: 003391F9
    • SetCursor.USER32(00000000), ref: 00339200
    • ShowCursor.USER32(00000001), ref: 00339208
    • GetNumberOfPhysicalMonitorsFromHMONITOR.DXVA2(?,?), ref: 00339266
    • ShowCursor.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,00337BA6,00000000), ref: 003394AC
    • LoadCursorW.USER32(00000000,00007F00), ref: 003394BA
    • SetCursor.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,00337BA6,00000000), ref: 003394C1
    Similarity
    • API ID: Cursor$LoadShow$FromMonitorsNumberPhysical
    • String ID:
    • API String ID: 1684749270-0
    • Opcode ID: cfd423c4c22d6a7f7e7f570cbd693d20844ee33db66efd15c4667508c1a3db4e
    • Instruction ID: 78b6c4268cde384f993b0bffd97f275088242f33867483874fe8b2675ec79d24
    • Opcode Fuzzy Hash: cfd423c4c22d6a7f7e7f570cbd693d20844ee33db66efd15c4667508c1a3db4e
    • Instruction Fuzzy Hash: 9581A579A00622DBC713DF75D88576AB7A9AF48720F05462AED02EB350DFB0ED418BD1
    APIs
      • Part of subcall function 0033F117: FindResourceW.KERNEL32(00330000,?,000001F4,?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F13C
      • Part of subcall function 0033F117: GetLastError.KERNEL32(?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F14B
      • Part of subcall function 0033F117: LoadResource.KERNEL32(00330000,00000000,?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F166
      • Part of subcall function 0033F117: GetLastError.KERNEL32(?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F172
      • Part of subcall function 0033F117: SizeofResource.KERNEL32(00330000,?,?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F18F
      • Part of subcall function 0033F117: LockResource.KERNEL32(00000000,?,00000000,?,?,?,0033EC29,?,?,?,00000000,?), ref: 0033F19B
    • GlobalAlloc.KERNEL32(00000002,?,?,?,?,00000000,?), ref: 0033EC3C
    • GetLastError.KERNEL32(?,00000000,?), ref: 0033EC48
    • GlobalLock.KERNEL32(00000000), ref: 0033EC66
    • GetLastError.KERNEL32(?,00000000,?), ref: 0033EC72
    • memcpy.MSVCRT(00000000,?,?,?,00000000,?), ref: 0033EC96
    • CreateStreamOnHGlobal.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000001,00000000,?,00000000,?), ref: 0033ECA5
    • GlobalUnlock.KERNEL32(00000000), ref: 0033ECB2
    • GlobalFree.KERNEL32(00000000), ref: 0033ECB9
    • GlobalUnlock.KERNEL32(00000000), ref: 0033ECC5
    • GetLastError.KERNEL32(?,00000000,?), ref: 0033ECCF
    • GdipAlloc.GDIPLUS(00000010,?,00000000,?), ref: 0033ECF0
    • GdipCreateBitmapFromStream.GDIPLUS(00000000,?,?,00000000,?), ref: 0033ED12
    • GdipCreateHBITMAPFromBitmap.GDIPLUS(00000000,00000110,FF000000,?,00000000,?), ref: 0033ED2D
    • GetObjectW.GDI32(00000110,00000018,?), ref: 0033ED68
    • GetLastError.KERNEL32(?,00000000,?), ref: 0033ED86
    Similarity
    • API ID: ErrorGlobalLast$Resource$CreateGdip$AllocBitmapFromLockStreamUnlock$FindFreeLoadObjectSizeofmemcpy
    • String ID:
    • API String ID: 4269010864-0
    • Opcode ID: 4e103d76b83c95fdcd2e96ca72f34f1f2f25ca39236bdfa89a1157431ed79fba
    • Instruction ID: 688f167735965951e57887facc76bfeba9e67069e76d6b427eac0365223d9967
    • Opcode Fuzzy Hash: 4e103d76b83c95fdcd2e96ca72f34f1f2f25ca39236bdfa89a1157431ed79fba
    • Instruction Fuzzy Hash: F051427BD00626AFC7239B9AC9847AEBAB8AF54711F124114ED55FB290DB30DE009B90
    APIs
      • Part of subcall function 003374D3: GetWindowRect.USER32(?,?), ref: 00337505
      • Part of subcall function 003374D3: GetWindowRect.USER32(?,?), ref: 0033751D
      • Part of subcall function 003374D3: GetWindowRect.USER32(?,?), ref: 00337535
      • Part of subcall function 003374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033754E
      • Part of subcall function 003374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033755F
      • Part of subcall function 003374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00337570
      • Part of subcall function 003374D3: _ftol2_sse.MSVCRT ref: 00337602
    • GetWindowRect.USER32(?,?), ref: 0033DCB6
    • GetWindowRect.USER32(?,?), ref: 0033DCCE
    • GetWindowRect.USER32(?,?), ref: 0033DCE6
    • _ftol2_sse.MSVCRT ref: 0033DD2C
    • _ftol2_sse.MSVCRT ref: 0033DD4B
    • _ftol2_sse.MSVCRT ref: 0033DD5F
    • _ftol2_sse.MSVCRT ref: 0033DD87
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 0033DDA0
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 0033DDB6
    • _ftol2_sse.MSVCRT ref: 0033DDCB
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 0033DDED
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 0033DE06
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 0033DE27
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 0033DE3D
    Similarity
    • API ID: Window$MoveRect_ftol2_sse$Points
    • String ID:
    • API String ID: 4142400812-0
    • Opcode ID: ca8a6af545d2684760c934b8ae4f52c314f4564b1cc476319a309abf3fe8a4c3
    • Instruction ID: 5279b1aae02c5f7bbb8a79f8a5f259ec7bc4cc646dffa8556a9b8c4989f0b0a8
    • Opcode Fuzzy Hash: ca8a6af545d2684760c934b8ae4f52c314f4564b1cc476319a309abf3fe8a4c3
    • Instruction Fuzzy Hash: EB514872E00208FFCB169FA0EC89AEEBBB9EF48700F154528F105A6274DB716961DF50
    APIs
    • GetMonitorInfoW.USER32(?,00000068), ref: 00339519
    • GetLastError.KERNEL32(?,?,?), ref: 00339523
    • EnumDisplayDevicesW.USER32(?,00000000,?,00000000), ref: 00339557
    • GetLastError.KERNEL32(?,?,?), ref: 00339561
    • StringFromCLSID.API-MS-WIN-CORE-COM-L1-1-0(0033343C,?,?,?,?), ref: 0033958A
    • _wcsupr.MSVCRT ref: 0033959D
    • wcsstr.MSVCRT ref: 003395B0
    • swscanf_s.MSVCRT ref: 003395FB
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(00000000,?,?,?), ref: 0033961D
    Similarity
    • API ID: ErrorLast$DevicesDisplayEnumFreeFromInfoMonitorStringTask_wcsuprswscanf_swcsstr
    • String ID: %04d$h
    • API String ID: 4201562086-3314846054
    • Opcode ID: 3f0dadb6773f24ead64309c0aef219047606c9a0d9ec454436d2a7699048c08f
    • Instruction ID: 4109b8a58e9c46fe158c1d2dd466c878ea532fe50f0a0227e36f62a82e0a5144
    • Opcode Fuzzy Hash: 3f0dadb6773f24ead64309c0aef219047606c9a0d9ec454436d2a7699048c08f
    • Instruction Fuzzy Hash: CC31A07A801228DBDB239B64DC89BA9B7BCEF45714F024199ED05EB204DB74EE45CB90
    APIs
    • GetWindowRect.USER32(?,?), ref: 00337505
    • GetWindowRect.USER32(?,?), ref: 0033751D
    • GetWindowRect.USER32(?,?), ref: 00337535
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033754E
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033755F
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00337570
    • _ftol2_sse.MSVCRT ref: 00337602
    • _ftol2_sse.MSVCRT ref: 00337617
    • _ftol2_sse.MSVCRT ref: 0033762E
    • MoveWindow.USER32(?,?,?,-00000001,?,00000000,?,00000001,?), ref: 00337661
    • InvalidateRect.USER32(?,00000000,00000000,?,?,00000001,?), ref: 00337689
    • InvalidateRect.USER32(?,00000000,00000001,?,00000001,?), ref: 003376B3
    Similarity
    • API ID: Window$Rect$Points_ftol2_sse$Invalidate$Move
    • String ID:
    • API String ID: 3848721580-0
    • Opcode ID: 6ab1dc1a6d8086405d1477e498152c8757e118da7b6aeae6152e5a061f9a071e
    • Instruction ID: 64cd422710f1c7ff20d9e1365295b0dc179ef5a86ff2c87fea5a3c82ae3e71ab
    • Opcode Fuzzy Hash: 6ab1dc1a6d8086405d1477e498152c8757e118da7b6aeae6152e5a061f9a071e
    • Instruction Fuzzy Hash: F4618F71A00208EFCF169FA4DD89BEDBFB9FF48300F058064E905AA1A5DB70A915CF50
    APIs
    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00000022), ref: 003359A8
    • FindResourceExW.KERNEL32(00000000,?,?,00000000), ref: 003359C5
    • FreeLibrary.KERNEL32(00000000), ref: 00335A89
      • Part of subcall function 00334658: GetLastError.KERNEL32(003359D6), ref: 00334658
    Similarity
    • API ID: Library$ErrorFindFreeLastLoadResource
    • String ID: Module$Module_Raw$REGISTRY
    • API String ID: 3418355812-549000027
    • Opcode ID: 328e546c606042ff23270da832daa735be5a68d0482736ebb5e2a816275d9de5
    • Instruction ID: 9f63c36b403cf176d0fb12155693a3986188ed85996f04ab8aa80a5289c1c394
    • Opcode Fuzzy Hash: 328e546c606042ff23270da832daa735be5a68d0482736ebb5e2a816275d9de5
    • Instruction Fuzzy Hash: 1C31A7B5A00519ABDB27DF148CC5BAE76B8DF45360F1142A9F606BB240DF309E819BA4
    Similarity
    • API ID: iswuppertowlower
    • String ID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
    • API String ID: 2404469642-206008433
    • Opcode ID: dea506cde700180ea5759d0474e80f385dbf74d8a6644eccb304fd2bde7ddfcd
    • Instruction ID: 68a7b5ea6c72b2573637190ca6cd5f91c5db8132232d641b8b5ba02490d4a2ad
    • Opcode Fuzzy Hash: dea506cde700180ea5759d0474e80f385dbf74d8a6644eccb304fd2bde7ddfcd
    • Instruction Fuzzy Hash: 7031B17AB00211DBCB2A9FA9D8485BA77F8EF59311711046AF581DB2C0EFB4EE40D760
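    Two entries above belong together: the function at 00339519 calls GetMonitorInfoW and EnumDisplayDevicesW, converts a CLSID with StringFromCLSID, upper-cases it with _wcsupr, searches for it with wcsstr and then reads a number with swscanf_s using the "%04d" string, and the entry just above carries that CLSID as a literal, {4D36E96E-E325-11CE-BFC1-08002BE10318}, which is GUID_DEVCLASS_MONITOR, the setup-class GUID for monitors. EnumDisplayDevicesW reports a monitor's DeviceID as MONITOR\<hardware id>\{class GUID}\<instance>, so the sequence locates the class GUID in the DeviceID and parses the four-digit instance number after it. The Python below is an added reconstruction of that lookup, inferred from the API sequence and strings in the report rather than taken from the sample's code; the device ID values are constructed, and the hardware-ID field is split out of the path on the assumption of that MONITOR\...\ layout.

```python
import re
import uuid
from typing import Dict, List, Optional, Tuple

# GUID_DEVCLASS_MONITOR: the setup-class GUID for monitor devices, and the
# {4D36E96E-E325-11CE-BFC1-08002BE10318} literal found in the binary.
GUID_DEVCLASS_MONITOR = uuid.UUID("4D36E96E-E325-11CE-BFC1-08002BE10318")

# Constructed sample DeviceID strings in the layout EnumDisplayDevicesW uses for
# monitors; the hardware IDs and the third (adapter-style) entry are made up.
SAMPLE_DEVICE_IDS = [
    r"MONITOR\GSM59A6\{4d36e96e-e325-11ce-bfc1-08002be10318}\0001",
    r"MONITOR\DEL40A9\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0002",
    r"PCI\VEN_1234&DEV_5678&SUBSYS_00000000&REV_01",   # an adapter, not a monitor
]


def clsid_string(guid: uuid.UUID) -> str:
    """Shape of StringFromCLSID output after _wcsupr: braces, upper-case hex."""
    return "{" + str(guid).upper() + "}"


def parse_monitor_device_id(device_id: str) -> Optional[Dict[str, object]]:
    """Reconstruction (assumption: inferred from StringFromCLSID -> _wcsupr ->
    wcsstr -> swscanf_s("%04d") in the report) of mapping one DeviceID to a
    monitor instance number.  Returns None for IDs not of the monitor class."""
    needle = clsid_string(GUID_DEVCLASS_MONITOR)
    upper = device_id.upper()                 # _wcsupr on the DeviceID copy
    pos = upper.find(needle)                  # wcsstr for the class GUID
    if pos < 0:
        return None
    tail = upper[pos + len(needle):]
    m = re.match(r"\\(\d{1,4})", tail)        # swscanf_s with "%04d": up to four digits
    if not m:
        return None
    parts = device_id.split("\\")             # MONITOR\<hardware id>\{GUID}\NNNN (assumed layout)
    return {
        "hardware_id": parts[1] if len(parts) > 1 else "",
        "class_guid": str(GUID_DEVCLASS_MONITOR),
        "instance": int(m.group(1)),
    }


def monitor_instances(device_ids: List[str]) -> List[Tuple[str, int]]:
    """(hardware id, instance) for every ID that parses as a monitor; others are dropped."""
    out = []
    for device_id in device_ids:
        parsed = parse_monitor_device_id(device_id)
        if parsed is not None:
            out.append((parsed["hardware_id"], parsed["instance"]))
    return out


if __name__ == "__main__":
    for hw, inst in monitor_instances(SAMPLE_DEVICE_IDS):
        print(f"{hw}: instance {inst:04d}")
```

    The comparison is case-insensitive only because both sides are upper-cased first; a DeviceID whose GUID is not followed by a backslash and digits (the adapter entry in the sample) is rejected rather than mis-parsed, which is the failure mode a sscanf-style reader needs to be checked for.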
    APIs
    • GetModuleHandleW.KERNEL32(API-MS-Win-Core-LocalRegistry-L1-1-0.dll,?,00000000,?,?,00334FD9,?), ref: 00335061
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00335071
    • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000000,?,00334FD9,?), ref: 00335083
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyW), ref: 00335093
    • GetLastError.KERNEL32(?,00000000,?,?,00334FD9,?), ref: 003350CE
    Similarity
    • API ID: AddressProc$ErrorHandleLastLibraryLoadModule
    • String ID: API-MS-Win-Core-LocalRegistry-L1-1-0.dll$RegDeleteKeyExW$RegDeleteKeyW$advapi32.dll
    • API String ID: 856554993-2654589138
    • Opcode ID: 23aed4b53b1fe4957ebf6fdf7110c4003e22bf37b13e89ea49396d1e36f97cbb
    • Instruction ID: 8bc5f11f1101cf3deb4e1739a5e844debfe6537acca297cfe900f6de59aa68bb
    • Opcode Fuzzy Hash: 23aed4b53b1fe4957ebf6fdf7110c4003e22bf37b13e89ea49396d1e36f97cbb
    • Instruction Fuzzy Hash: 7A11A975600B05EF87376F21DCC586BBB6DEB81781B254429F44697520DE72EC00CB60
    APIs
    • GetWindowRect.USER32(?,?), ref: 0033B6F5
    • GetWindowRect.USER32(?,?), ref: 0033B70D
    • GetWindowRect.USER32(?,?), ref: 0033B725
    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0033B778
    • _ftol2_sse.MSVCRT ref: 0033B796
    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0033B7D3
    • MoveWindow.USER32(?,?,?,00000010,?,00000001), ref: 0033B7ED
    • MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 0033B82A
    • MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 0033B854
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0033B861
    Similarity
    • API ID: Window$Move$Rect$Invalidate_ftol2_sse
    • String ID:
    • API String ID: 1052920605-0
    • Opcode ID: ecd404c58e9676b906a030a131321d3bea4900ddc91e63a8afca03a1bb69a10f
    • Instruction ID: a81dd40513472c695a669b7f119b1b565539dc8a156aefd9f531ff907a735278
    • Opcode Fuzzy Hash: ecd404c58e9676b906a030a131321d3bea4900ddc91e63a8afca03a1bb69a10f
    • Instruction Fuzzy Hash: BB511A75B00619AFDB198FB9DD89BADFBB9FF04310F044228F519A62A0DB71A851CB50
    APIs
    • WcsSetCalibrationManagementState.MSCMS(00000001,?,?,00000000), ref: 00339B18
    • GetLastError.KERNEL32(?,?,00000000), ref: 00339B22
    • WcsSetDefaultColorProfile.MSCMS(00000000,?,00000000,00000004,00000000,?,?,?,00000000), ref: 00339B64
    • GetLastError.KERNEL32(?,?,00000000), ref: 00339B6E
    • WcsGetUsePerUserProfiles.MSCMS(?,6D6E7472,?,?,?,00000000), ref: 00339B9C
    • GetLastError.KERNEL32(?,?,00000000), ref: 00339BA6
    • WcsSetDefaultColorProfile.MSCMS(00000001,?,00000000,00000004,00000000,?,?,?,00000000), ref: 00339BEF
    • GetLastError.KERNEL32(?,?,00000000), ref: 00339BF9
    • WcsSetCalibrationManagementState.MSCMS(00000000,?,?,00000000), ref: 00339C15
    • GetLastError.KERNEL32(?,?,00000000), ref: 00339C1F
    Similarity
    • API ID: ErrorLast$CalibrationColorDefaultManagementProfileState$ProfilesUser
    • String ID:
    • API String ID: 2534168751-0
    • Opcode ID: 610de486d92ac943d0c6bfd4fde26a69e16f9d8e9f66cd3c47f58506c6effd2d
    • Instruction ID: 4a86c6c5ae305fdaa6c3e69143eb227d50b46ce99333b3dda9cc43f3713e1f5a
    • Opcode Fuzzy Hash: 610de486d92ac943d0c6bfd4fde26a69e16f9d8e9f66cd3c47f58506c6effd2d
    • Instruction Fuzzy Hash: F431F63FE00135DBD7235B699CC47BBBAA8AF44711F168166ED41EF240EAB0ED0086E0
    APIs
    • DecodePointer.KERNEL32(1C2474FF,?,0033F9CB,?,00000000,?,00336D51,00000000,?,00000000,0033615B,00000000,00000000,00000000,?,?), ref: 0033FC25
    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,00333DB7,1C2474FF,?,0033F9CB,?,00000000,?,00336D51,00000000,?,00000000,0033615B,00000000), ref: 0033FC3A
    • DecodePointer.KERNEL32(003428AC,003428B0,003428B4,003428BC,?,0033F9CB,?,00000000,?,00336D51,00000000,?,00000000,0033615B,00000000,00000000), ref: 0033FCAF
    Similarity
    • API ID: DecodePointer$LibraryLoad
    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
    • API String ID: 1423960858-1745123996
    • Opcode ID: 8f263c8c6395fbaddfbfe06679e1b3af4eaa1b493db32b1fbe30605b23bf976e
    • Instruction ID: 9657c97b558972b32bc32227ce38c8eabe35ca74ee55437a917e64034cbf302e
    • Opcode Fuzzy Hash: 8f263c8c6395fbaddfbfe06679e1b3af4eaa1b493db32b1fbe30605b23bf976e
    • Instruction Fuzzy Hash: 4A01B539B802486FDB1BA7209D876AE7A45CF92704F958068BC467F3D1CF60AE418685
    APIs
    • DecodePointer.KERNEL32(?,?,0033F8A5,?,00000000,00000000,?,0033702D,?,?,00000000,00000000,?,00000000,?,00336DFD), ref: 0033FA0F
    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,0033F8A5,?,00000000,00000000,?,0033702D,?,?,00000000,00000000), ref: 0033FA24
    • DecodePointer.KERNEL32(003428AC,003428B0,003428B4,003428BC,?,?,0033F8A5,?,00000000,00000000,?,0033702D,?,?,00000000,00000000), ref: 0033FA99
    Similarity
    • API ID: DecodePointer$LibraryLoad
    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
    • API String ID: 1423960858-1745123996
    • Opcode ID: 61519fb563dcec7d4d68239b94ec1cda2a9a528729ed640e360251d6bef68d58
    • Instruction ID: 560e2c321d34471fc1e79fe8bb3938fb9a2bde700f6a9a813fd3b7731b35e957
    • Opcode Fuzzy Hash: 61519fb563dcec7d4d68239b94ec1cda2a9a528729ed640e360251d6bef68d58
    • Instruction Fuzzy Hash: B901B528B402947FEF1BE7109CC76AE3A458B82748F95407CF41A7F3D1CF60AE458A85
    APIs
    • DecodePointer.KERNEL32(?,?,0033F8F1,00000000,?,00000000,?,00336DFD,?), ref: 0033FAC1
    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,00000000,?,?,0033F8F1,00000000,?,00000000,?,00336DFD,?), ref: 0033FAD6
    • DecodePointer.KERNEL32(003428AC,003428B0,003428B4,003428BC,?,?,0033F8F1,00000000,?,00000000,?,00336DFD,?), ref: 0033FB4B
    Similarity
    • API ID: DecodePointer$LibraryLoad
    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
    • API String ID: 1423960858-1745123996
    • Opcode ID: a1070530f38f919312bc3247a7ebc66f3704594e934f630f542d431be096d056
    • Instruction ID: eab13884b37b552367b624ef0e936ade9d83c103681c72a4c14388b7d652d7bf
    • Opcode Fuzzy Hash: a1070530f38f919312bc3247a7ebc66f3704594e934f630f542d431be096d056
    • Instruction Fuzzy Hash: 4901F564B002002FEB1BA720DC97AAF7B468B42708F99803CB41A7F3D1CF64AE018695
    APIs
    • DecodePointer.KERNEL32(?,?,0033F980,00000000,00000000,?,00337025,?,00000000,00000000,?,00000000,?,00336DFD,?), ref: 0033FB73
    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,0033F980,00000000,00000000,?,00337025,?,00000000,00000000,?,00000000), ref: 0033FB88
    • DecodePointer.KERNEL32(003428AC,003428B0,003428B4,003428BC,?,0033F980,00000000,00000000,?,00337025,?,00000000,00000000,?,00000000), ref: 0033FBFD
    Similarity
    • API ID: DecodePointer$LibraryLoad
    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
    • API String ID: 1423960858-1745123996
    • Opcode ID: 61b1dd098344ed18b1a67e3d400de6a6d5755f3420316efe24141254660c5db3
    • Instruction ID: 8460f7f443378383358ca1c900c4fd5f02cf2938fd76195992a181cefcf359cf
    • Opcode Fuzzy Hash: 61b1dd098344ed18b1a67e3d400de6a6d5755f3420316efe24141254660c5db3
    • Instruction Fuzzy Hash: 9401F964B402452FEB1B57108DCB69F3A458B42704F95403CB8023F3D1DF54DD028685
    APIs
      • Part of subcall function 003401E0: iswupper.MSVCRT ref: 00340217
      • Part of subcall function 003401E0: towlower.MSVCRT ref: 00340226
      • Part of subcall function 003401E0: iswupper.MSVCRT ref: 00340234
      • Part of subcall function 003401E0: towlower.MSVCRT ref: 00340240
      • Part of subcall function 003401E0: iswupper.MSVCRT ref: 00340278
      • Part of subcall function 003401E0: towlower.MSVCRT ref: 00340287
      • Part of subcall function 003401E0: iswupper.MSVCRT ref: 00340295
      • Part of subcall function 003401E0: towlower.MSVCRT ref: 003402A1
    • GetDisplayConfigBufferSizes.USER32(00000002,?,?), ref: 0033A522
    Similarity
    • API ID: iswuppertowlower$BufferConfigDisplaySizes
    • String ID: T
    • API String ID: 3551102313-3187964512
    • Opcode ID: 53f8f4d8cee7eabd958841aa074a1266d0fb285130f6ce98c4e1d5c52c400633
    • Instruction ID: f32e039083bf762b7fa99a12b3a1bf70331e3ba2ec47752cd2fa46a3097ff440
    • Opcode Fuzzy Hash: 53f8f4d8cee7eabd958841aa074a1266d0fb285130f6ce98c4e1d5c52c400633
    • Instruction Fuzzy Hash: AA51B671A007199FDB26DF64CC85BAEB7FCAF45300F0541AAA645EB180DB709E808F51
    APIs
    • WcsCreateIccProfile.MSCMS(?,00000000,?,?), ref: 00338B0C
    • GetLastError.KERNEL32 ref: 00338B1C
    • GetColorProfileFromHandle.MSCMS(00000000,00000000,?,?,?), ref: 00338B51
    • GetLastError.KERNEL32 ref: 00338B5B
    • CloseColorProfile.MSCMS(00000000,?,?), ref: 00338CBF
    • CloseColorProfile.MSCMS(?,?,?), ref: 00338CCE
    Similarity
    • API ID: Profile$Color$CloseErrorLast$CreateFromHandle
    • String ID: strg
    • API String ID: 2314085371-3320446829
    • Opcode ID: fe9c9596b5615946c4a01b563738012214c91faaae5822492c41a070de52ab2c
    • Instruction ID: a4cfcd3b6d518501d0e26abc05b32f4f2664ac359140c20731037b01fecf35c0
    • Opcode Fuzzy Hash: fe9c9596b5615946c4a01b563738012214c91faaae5822492c41a070de52ab2c
    • Instruction Fuzzy Hash: 072107B52043029BC3039F29D98555BFBE9AFC5790F11092EF954C7251EFB0CE058BA2
    APIs
    • ReleaseMutex.KERNEL32(000001D8), ref: 00336A72
    • CloseHandle.KERNEL32 ref: 00336A7E
    • OpenIcon.USER32(?), ref: 00336A98
    • SetForegroundWindow.USER32(?), ref: 00336AA1
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000003), ref: 00336AB1
    • CallWindowProcW.USER32(?,?,?,?), ref: 00336ACE
    Similarity
    • API ID: Window$CallCloseForegroundHandleIconMutexOpenProcRelease
    • String ID: dccw
    • API String ID: 1295780963-1595938506
    • Opcode ID: 8669f46ac7c61c014a3172efff2b0c67f5b9e607edc85f743e381c0c9560792a
    • Instruction ID: 9beeb585fe09e85a74afb9b646d2c41e0cf69e2ae75a150386ba9f5a0589ac55
    • Opcode Fuzzy Hash: 8669f46ac7c61c014a3172efff2b0c67f5b9e607edc85f743e381c0c9560792a
    • Instruction Fuzzy Hash: ADF0E77A10421CFFCB13AF95EC4889A7FADFF4A341F448415F905AA130CB71AA60EB90
    APIs
    • WcsGetUsePerUserProfiles.MSCMS(?,6D6E7472,?,?,?,?), ref: 0033909A
    • GetLastError.KERNEL32(?,?,?), ref: 003390A4
    • WcsGetDefaultColorProfile.MSCMS(00000000,?,00000001,00000004,00000000,00000208,?,?,?,?), ref: 003390E7
    • GetLastError.KERNEL32(?,?,?), ref: 003390F1
    • WcsOpenColorProfileW.MSCMS(?,00000000,00000000,00000001,00000001,00000003,00000000,?,?,?), ref: 0033913B
    • GetLastError.KERNEL32(?,?,?), ref: 00339147
    • DccwGetGamutSize.MSCMS(00000000,?,?,?,?), ref: 00339168
    • CloseColorProfile.MSCMS(00000000,?,?,?), ref: 003391B6
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ColorErrorLastProfile$CloseDccwDefaultGamutOpenProfilesSizeUser
    • String ID:
    • API String ID: 1332131993-0
    • Opcode ID: 4ef57fa8a2efa5aae432e778c6ba971edc081e8ae30f181ab36ec74cd70d7583
    • Instruction ID: 1d215183649466420feb1c8cf3f139fe1a53c175b9b585ba7c6cd9d580d231b1
    • Opcode Fuzzy Hash: 4ef57fa8a2efa5aae432e778c6ba971edc081e8ae30f181ab36ec74cd70d7583
    • Instruction Fuzzy Hash: AB41EB3AD4013ADBD7228B55DCCCBEBBAB8AB45710F12029AED45F7251DE70DD408A90
    APIs
      • Part of subcall function 003350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 00335132
      • Part of subcall function 003350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 0033514F
      • Part of subcall function 003350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 00335162
      • Part of subcall function 003350F7: CharNextW.USER32(00000027,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 0033516D
    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,?,0033542A,?,?,?,?,?), ref: 00334AE0
    • CharNextW.USER32(00000000), ref: 00334BBA
    • CharNextW.USER32(00000000), ref: 00334BD4
    • VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 00334C4B
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,-00000008,?,?,0033542A,?,?,?,?,?), ref: 00334DB3
      • Part of subcall function 003350F7: CharNextW.USER32(?,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 003351CA
      • Part of subcall function 003350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 003351EE
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: CharNext$FromValuelstrcmpi
    • String ID:
    • API String ID: 2221274522-0
    • Opcode ID: e7535ccc786e413eed685b8b430a0dfe3a4ebbdc8e0abb7433af7c7719d20dfd
    • Instruction ID: 840bedcfd7c9d2ad35068a8151b29390254ba3607c9aff0cbd14d85c984cb0c5
    • Opcode Fuzzy Hash: e7535ccc786e413eed685b8b430a0dfe3a4ebbdc8e0abb7433af7c7719d20dfd
    • Instruction Fuzzy Hash: 23A1C835A002289BDB369F24CCD9AE9B7B9EF65300F0541E9EB099B251D770AEC1CF50
    APIs
    • GdipCreateSolidFill.GDIPLUS(FF787878,00000000,00000001,?,?), ref: 0033DEAF
    • GdipCreateFromHDC.GDIPLUS(?,00000000,?,?), ref: 0033DEC0
    • GdipFillRectangleI.GDIPLUS(00000000,00000000,00000000,?,00000001,?,?,?), ref: 0033DEE3
    • GdipFillRectangleI.GDIPLUS(00000000,?,00000005,?,?,?,?,?,?,FFFF0000), ref: 0033DF6B
    • GdipDeleteBrush.GDIPLUS(?), ref: 0033DF74
    • GdipDeleteGraphics.GDIPLUS(00000000), ref: 0033DF7B
    • GdipDeleteBrush.GDIPLUS(00000000), ref: 0033DF84
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Gdip$DeleteFill$BrushCreateRectangle$FromGraphicsSolid
    • String ID:
    • API String ID: 2116296181-0
    • Opcode ID: 6ec384f1d9146bb7754cc7f91940f0407f8abc5084f550a99e621b5c58325b30
    • Instruction ID: 27be903f43386f0fc769764c801b14692fee8dd5d6656f347b81dd812276fce8
    • Opcode Fuzzy Hash: 6ec384f1d9146bb7754cc7f91940f0407f8abc5084f550a99e621b5c58325b30
    • Instruction Fuzzy Hash: 07415D72900609EFDB21CFA8CD88AAEBBFDFF48301F114619E546E7654DB30AA05CB50
    APIs
    • GdipCreateFromHDC.GDIPLUS(?,?,?,?,00000001), ref: 0033C779
    • GdipCreateSolidFill.GDIPLUS(FF000000,00000093,?,?,00000001), ref: 0033C78C
    • GdipFillRectangleI.GDIPLUS(?,00000093,00000000,?,00000001,?,?,?,00000001), ref: 0033C7AC
      • Part of subcall function 0033C8B1: GdipCreateLineBrushI.GDIPLUS(?,?,?,?,00000000,00000000,?,?,?,0033C7E2,?,00000000,?,?,?,?), ref: 0033C8E2
    • GdipFillRectangleI.GDIPLUS(?,?,00000005,?,?,?,?,00000000,?,?,?,?,00000001), ref: 0033C806
    • GdipDeleteBrush.GDIPLUS(?,?,?,00000001), ref: 0033C80F
    • GdipDeleteBrush.GDIPLUS(00000093,?,?,00000001), ref: 0033C818
    • GdipDeleteGraphics.GDIPLUS(?,?,?,00000001), ref: 0033C81F
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Gdip$BrushCreateDeleteFill$Rectangle$FromGraphicsLineSolid
    • String ID:
    • API String ID: 1713370201-0
    • Opcode ID: 9dff18e3c789f01e4e1268a70e890de25deaf4b26c09f04279df6e21fc84e758
    • Instruction ID: ceca51a7e64a8aa9a0c0f8f84fa3b09b5deeed5dcf459657fe580236b87ef423
    • Opcode Fuzzy Hash: 9dff18e3c789f01e4e1268a70e890de25deaf4b26c09f04279df6e21fc84e758
    • Instruction Fuzzy Hash: 1741DB7690051AFFCB05DFA8D984CAEBBB9FF08314B104269E516E7610DB30EA15CF91
    APIs
    • CallWindowProcW.USER32(?,?,?,00000024,?), ref: 00336F30
    • GetWindowLongW.USER32(?,000000FC), ref: 00336F40
    • CallWindowProcW.USER32(?,?,00000082,00000024,?), ref: 00336F59
    • GetWindowLongW.USER32(?,000000FC), ref: 00336F72
    • SetWindowLongW.USER32(?,000000FC,?), ref: 00336F84
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Window$Long$CallProc
    • String ID: $
    • API String ID: 513923721-3993045852
    • Opcode ID: 2fb2daf4053f9fa6092ea635ae2bfd0f19b57b766a515f609943d535c11b5514
    • Instruction ID: 1af162b33d4a118d7f3ac7d4ebd4f7492f6ee425b8938d9570edcb7ad13676a7
    • Opcode Fuzzy Hash: 2fb2daf4053f9fa6092ea635ae2bfd0f19b57b766a515f609943d535c11b5514
    • Instruction Fuzzy Hash: 06413B75A0061AFFCB06CF58D9859ADFBB5FF48310F108219E815E3660DB71AA60DF90
    APIs
    • FormatMessageW.KERNEL32(00001100,00000000,003368A9,00000000,00330000,00000000,00000000), ref: 0033EA5C
    • FormatMessageW.KERNEL32(00002500,?,00000000,00000000,?,00000000,?,00330000,-0000012A), ref: 0033EAC2
    • LocalFree.KERNEL32(00000000), ref: 0033EAE2
    • LocalFree.KERNEL32(00000000,00330000,-0000012A), ref: 0033EAF3
      • Part of subcall function 0033E8E3: EventWrite.ADVAPI32(00331F20,00000001,?,?,003368A9,00000000), ref: 0033E944
      • Part of subcall function 0033E8E3: MessageBoxW.USER32(00000000,00000000,003428C8,00000010), ref: 0033E973
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Message$FormatFreeLocal$EventWrite
    • String ID: strg$strg
    • API String ID: 3780319976-3117884289
    • Opcode ID: 6af3dbc80cacdd45f6f891586647abd0b1d221981b95ab68a0ecb3114696cca5
    • Instruction ID: df5e825194479c8bac2413712f8dcfa973835d4f12cf691e988b961f3ace49af
    • Opcode Fuzzy Hash: 6af3dbc80cacdd45f6f891586647abd0b1d221981b95ab68a0ecb3114696cca5
    • Instruction Fuzzy Hash: 8431A2716083019FE302DF60DC85B6BBBE8FB84755F00092DF5919A2A0DB74E904CBA2
    APIs
    • GetDC.USER32 ref: 0033F3C9
    • EnumDisplayMonitors.USER32(00000000,00000000,Function_0000F100,00000000), ref: 0033F3E1
    • ReleaseDC.USER32(?,00000000), ref: 0033F3E9
    • GetLastError.KERNEL32 ref: 0033F3F1
    • GetParent.USER32(00000000), ref: 0033F43B
    • PostMessageW.USER32(00000000,00000470,00000000,00000003), ref: 0033F44B
    • ShowWindow.USER32(00000000,00000003,?), ref: 0033F460
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: DisplayEnumErrorLastMessageMonitorsParentPostReleaseShowWindow
    • String ID:
    • API String ID: 3937410996-0
    • Opcode ID: fa6a13c65efb35cf5ab9ff0f852a6d83b5ebfe8c70210c7356b11c80b9e7fe7d
    • Instruction ID: 90a4cce4442a63d92db81b6fbcc3934569a739d593eb56597e4def53eb18df89
    • Opcode Fuzzy Hash: fa6a13c65efb35cf5ab9ff0f852a6d83b5ebfe8c70210c7356b11c80b9e7fe7d
    • Instruction Fuzzy Hash: 7B21B039B00211AFDB12AB66DC89BAA7BACEF45751F504065F501EB2A0CF74EE018B51
    APIs
    • GetDlgItem.USER32(?,00000095), ref: 0033AFD1
    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0033AFE1
    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0033AFF9
    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0033B044
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: DirectoryExecuteItemMessageSendShellSystem
    • String ID: CTTune.exe$open
    • API String ID: 2938676387-2528619867
    • Opcode ID: 7894982a38ff5fe2c694e479c05dd2cf98595f5529829351830bf28a1ff7749a
    • Instruction ID: 105e4d229be1cee7a9f0107bea7e1eac255fa8a7a1f75549860b9a0c7832fe64
    • Opcode Fuzzy Hash: 7894982a38ff5fe2c694e479c05dd2cf98595f5529829351830bf28a1ff7749a
    • Instruction Fuzzy Hash: 4021D475B01224A7CB27AB25DCC9E6BB7ACDF81B10F114165FA15EF281CF74EE408A90
    APIs
    • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,00000000,0033F911,00000000,?,00000000,?,00336DFD,?), ref: 0033F733
    • HeapAlloc.KERNEL32(00000000,?,00000000,?,00336DFD,?), ref: 0033F73A
      • Part of subcall function 0033F7EE: IsProcessorFeaturePresent.KERNEL32(0000000C,0033F721,00000000,00000000,0033F911,00000000,?,00000000,?,00336DFD,?), ref: 0033F7F0
    • InterlockedPopEntrySList.KERNEL32(00000000,00000000,00000000,0033F911,00000000,?,00000000,?,00336DFD,?), ref: 0033F743
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,?,00336DFD,?), ref: 0033F766
    • InterlockedPopEntrySList.KERNEL32(?,00000000,?,00336DFD,?), ref: 0033F77E
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,00336DFD,?), ref: 0033F792
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: AllocEntryHeapInterlockedListVirtual$FeatureFreePresentProcessProcessor
    • String ID:
    • API String ID: 3687752540-0
    • Opcode ID: c66f052ee5ac123462cf7096e1f40ea80a19caab8addf501e96017c1aa17bb97
    • Instruction ID: 0a7f6c05e77cbdc81bda49e7e08f33ed608172d4caf572b9884330395510f29a
    • Opcode Fuzzy Hash: c66f052ee5ac123462cf7096e1f40ea80a19caab8addf501e96017c1aa17bb97
    • Instruction Fuzzy Hash: AA11A939A00611BFE7672768DD88B2A769DEF467C2F950430F945EB2A0DF20EC418B60
    APIs
      • Part of subcall function 0033A94C: GetWindowLongW.USER32(?,000000EC), ref: 0033A956
      • Part of subcall function 0033A94C: EnumChildWindows.USER32(?,0033AC60), ref: 0033A994
      • Part of subcall function 0033A94C: EnumChildWindows.USER32(?,0033AC80), ref: 0033A9CC
    • GetDlgItem.USER32(?,din), ref: 0033BD04
    • SetWindowTextW.USER32(00000000,003428C8), ref: 0033BD0E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ChildEnumWindowWindows$ItemLongText
    • String ID: din$i$n$strg
    • API String ID: 2822888986-2104475465
    • Opcode ID: c86d43cc03b08f92e11bb01bfd4d64b9e5940a6c5e5256e538a31cbcef46ffde
    • Instruction ID: e31d1e3fb6cffa9b55f34fb646409c6c1997c80882decac05a10060be2335687
    • Opcode Fuzzy Hash: c86d43cc03b08f92e11bb01bfd4d64b9e5940a6c5e5256e538a31cbcef46ffde
    • Instruction Fuzzy Hash: 98118275A00209AFDF15DFA5DD84AAEFBBAFF48304F01452DE51567210CB75A914CFA0
    APIs
    • GetWindowLongW.USER32(?,000000EC), ref: 0033A956
    • EnumChildWindows.USER32(?,0033AC60), ref: 0033A994
    • EnumChildWindows.USER32(?,0033AC80), ref: 0033A9CC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ChildEnumWindows$LongWindow
    • String ID: IDD = %d: m_bIsRtl = %s$false$true
    • API String ID: 92254136-2899959848
    • Opcode ID: fc6fb4e687891de60b60dc6449692490f03e1d3121b3b471d7b6f1bf19542876
    • Instruction ID: c30c0cc6d6b6bc1d2ac8e4c7393c39b67d86397b8b32e558c64a03cafefca253
    • Opcode Fuzzy Hash: fc6fb4e687891de60b60dc6449692490f03e1d3121b3b471d7b6f1bf19542876
    • Instruction Fuzzy Hash: F9018C75601A00AFD7265B38DD4AB97BBA8EF15361F01892DF1E6D90A1CFA0A8449711
    APIs
    • CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,?,00000000), ref: 00334805
    • CharNextW.USER32(00000000,?,?,00000001,?,00000000), ref: 00334838
    • wcsncpy_s.MSVCRT ref: 00334879
    • CharNextW.USER32(00000000,00000000,?,?,?,00000001,?,00000000), ref: 003348C6
    • CharNextW.USER32(?,?,00000001,?,00000000), ref: 003348E5
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,?,00000000), ref: 00334922
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: CharNext$Task$AllocFreewcsncpy_s
    • String ID:
    • API String ID: 3890462556-0
    • Opcode ID: 6d0435a2eb7ad8f9315006017ef51af423b31dabd78f32c8ac90e3498c762af6
    • Instruction ID: a751745265c30edc774a1d80a0be52a3520b8aedce0ca43dc57d50edec963e5a
    • Opcode Fuzzy Hash: 6d0435a2eb7ad8f9315006017ef51af423b31dabd78f32c8ac90e3498c762af6
    • Instruction Fuzzy Hash: 4F51E239A002198BCF1B9F68C8D4A6EB7B9EF45700F254129E902EF694EB71FD41CB40
    APIs
      • Part of subcall function 003357ED: CharNextW.USER32(?,00000000,00335107,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 0033580C
    • CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 00335132
    • CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 0033514F
    • CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 00335162
    • CharNextW.USER32(00000027,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 0033516D
    • CharNextW.USER32(?,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 003351CA
    • CharNextW.USER32(00000000,?,00000000,00000000,?,?,00335878,?,00000000,?,00000000,00000000,00000000), ref: 003351EE
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: CharNext
    • String ID:
    • API String ID: 3213498283-0
    • Opcode ID: 2cea047b72e55ea42dcf162794fe0b46f1417ac08d4412781ba5cd9b8f195445
    • Instruction ID: fd990a863164f2f7c268287cea0a43a0a5d2a8f084932171dfca521a69efc619
    • Opcode Fuzzy Hash: 2cea047b72e55ea42dcf162794fe0b46f1417ac08d4412781ba5cd9b8f195445
    • Instruction Fuzzy Hash: 76419139A006128BCF2A9F78D9C457AB7B5FF59300BA64969D84287254FB70EE84C750
    APIs
    • WcsDisassociateColorProfileFromDevice.MSCMS(00000000,?,?,?,00000000,00000000,?,?,?,00338D76,?,?,?), ref: 00339C7E
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00338D76,?,?,?), ref: 00339C88
    • WcsGetUsePerUserProfiles.MSCMS(?,6D6E7472,?,?,00000000,00000000,?,?,?,00338D76,?,?,?), ref: 00339CBB
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00338D76,?,?,?), ref: 00339CC5
    • WcsDisassociateColorProfileFromDevice.MSCMS(00000001,?,?,?,00000000,00000000,?,?,?,00338D76,?,?,?), ref: 00339CEA
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00338D76,?,?,?), ref: 00339CF4
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ErrorLast$ColorDeviceDisassociateFromProfile$ProfilesUser
    • String ID:
    • API String ID: 2382097621-0
    • Opcode ID: c378cdb1caf97e75a21334e9c861e4fd22e0c24c4a19c8c9c06b9d174bed4476
    • Instruction ID: e9d7d352fc97a4b2b03138a2416d9ea0b486e4a9c42f26576daa4bac55b41e01
    • Opcode Fuzzy Hash: c378cdb1caf97e75a21334e9c861e4fd22e0c24c4a19c8c9c06b9d174bed4476
    • Instruction Fuzzy Hash: B921C63B900121DBD7334B5D8CC9BA7BAA9EF45750F2A4127EC05DB121EBA5DD40C6E0
    APIs
    • GetDC.USER32(?), ref: 0033DFB3
    • GetWindowTextLengthW.USER32(?), ref: 0033DFC1
    • GetWindowTextW.USER32(?,00000000,?), ref: 0033DFF3
    • GetTextExtentPoint32W.GDI32(00000000,00000000,?,?), ref: 0033E002
    • MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 0033E028
    • ReleaseDC.USER32(?,00000000), ref: 0033E03C
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: TextWindow$ExtentLengthMovePoint32Release
    • String ID:
    • API String ID: 516594899-0
    • Opcode ID: 23748e689e5ee95ecbed21d2da40880e0d641fa9901ce1049caba9ebd9a8a7f5
    • Instruction ID: 2acb138e75cacc705041229c355cc93e861e164ab6363f4e6834e1d9357631c1
    • Opcode Fuzzy Hash: 23748e689e5ee95ecbed21d2da40880e0d641fa9901ce1049caba9ebd9a8a7f5
    • Instruction Fuzzy Hash: BD11A776600205FFDB169FB4EC4EE9F7BBDEB45301F114429F642CA0A0DA71AA009B20
    APIs
      • Part of subcall function 00337443: GetDlgItem.USER32(?,00000091), ref: 0033745F
      • Part of subcall function 00337443: GetDlgItem.USER32(?,00000087), ref: 003374B2
    • GetDlgItem.USER32(?,000000C8), ref: 0033D98D
    • GetDlgItem.USER32(?,000000CD), ref: 0033D9A1
    • GetDlgItem.USER32(?,000000D2), ref: 0033D9B5
    • GetDlgItem.USER32(?,000000D7), ref: 0033D9C9
    • GetDlgItem.USER32(?,000000DC), ref: 0033D9DD
    • GetDlgItem.USER32(?,000000E1), ref: 0033D9F1
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Item
    • String ID:
    • API String ID: 3207170592-0
    • Opcode ID: 66b75cbed1e2887b9ed147ee5d9d3663dbfcad118fd3f33e7088ca88c955cd1a
    • Instruction ID: fd484339f1c894e300c809495d65f1cf73ae2928c06c28d9a182018a909dc004
    • Opcode Fuzzy Hash: 66b75cbed1e2887b9ed147ee5d9d3663dbfcad118fd3f33e7088ca88c955cd1a
    • Instruction Fuzzy Hash: EC11BF34415B00EFE7325B61DD05BA6BAE1FF45B01F018A2FE5AE9A1A0DB716890CB20
    APIs
      • Part of subcall function 0033434F: InitializeCriticalSection.KERNEL32(?,00340FD0,0000000C,00334017), ref: 00334361
    • GetModuleFileNameW.KERNEL32(00330000,?,00000104), ref: 00334073
    • GetModuleHandleW.KERNEL32(00000000,?), ref: 003340C6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Module$CriticalFileHandleInitializeNameSection
    • String ID: Module$Module_Raw$REGISTRY
    • API String ID: 3195065971-549000027
    • Opcode ID: 8a3a05eee564d4cdcce2d36f9ee15cf4d7961f3c1d9fef7130b72b328220b4b8
    • Instruction ID: 47c7ab2804e50684e8f99bea28a15e75e2431d0614a93b03260ec2e5b379ee9e
    • Opcode Fuzzy Hash: 8a3a05eee564d4cdcce2d36f9ee15cf4d7961f3c1d9fef7130b72b328220b4b8
    • Instruction Fuzzy Hash: 1F519436B003299BCB26DB14DDC0AAAB7BDAF45310F054199EA05AB650EB31BF94CF51
    APIs
    • GetColorDirectoryW.MSCMS(00000000,?,?,00000000), ref: 0033966C
    • GetLastError.KERNEL32 ref: 00339676
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ColorDirectoryErrorLast
    • String ID: %s\%s$CalibratedDisplayProfile-%d-Temp.icc$CalibratedDisplayProfile-%d.icc
    • API String ID: 3534830153-2182247336
    • Opcode ID: 121ee6a4b0b452fdefa132a300c7a54dd26834f2cc01b1132709b39181cf6790
    • Instruction ID: 0c5077f2ee454277e94c811eac30e356af7a3c5a5c0f592c2585995bd4ff29e5
    • Opcode Fuzzy Hash: 121ee6a4b0b452fdefa132a300c7a54dd26834f2cc01b1132709b39181cf6790
    • Instruction Fuzzy Hash: 2821D275A00309ABDB229B318CC9FD7B7FCEB54304F40496BE959D7042EA70F6058AA0
    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator,00000000,00020019,?), ref: 0033E7C4
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0033E7E6
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0033E814
    • RegCloseKey.ADVAPI32(?), ref: 0033E829
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator, xrefs: 0033E7B7
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator
    • API String ID: 1586453840-1252446219
    • Opcode ID: 87d8c75a64f2c0d7c5cf4df85f8010dcea16c0a86f3ebc7fa627af7f2339c69a
    • Instruction ID: e8f37eb316ef3ce81dc05bd29e17e4b6a7708a3b7ea6390f7a4513c44ac42c4d
    • Opcode Fuzzy Hash: 87d8c75a64f2c0d7c5cf4df85f8010dcea16c0a86f3ebc7fa627af7f2339c69a
    • Instruction Fuzzy Hash: 4511F67AD00118BBCB22DF85D884DEEBBB8EB84B60F118165FC05AB150D730AE50DBA0
    APIs
    • CopyFileW.KERNEL32(?,?,00000000), ref: 00338D29
    • GetLastError.KERNEL32 ref: 00338D33
    • WcsSetCalibrationManagementState.MSCMS(00000001,?,?,?,?), ref: 00338D99
    • GetLastError.KERNEL32 ref: 00338DA3
    • EventWrite.ADVAPI32(00331F80,00000002,?), ref: 00338E47
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ErrorLast$CalibrationCopyEventFileManagementStateWrite
    • String ID:
    • API String ID: 4173155175-0
    • Opcode ID: b036882909514498546c26d3412cf8a4104c6009c92bd920afcd9496a0ed6c07
    • Instruction ID: 1c65dc570a521f55c863b3e1cfcd6cc015a34056b5cfd58dceb0ca2290de8249
    • Opcode Fuzzy Hash: b036882909514498546c26d3412cf8a4104c6009c92bd920afcd9496a0ed6c07
    • Instruction Fuzzy Hash: 0B41A43AA00715DBCB1B9F6998916AEFAB5FF84710F56412DE9066B350DF30AD408A90
    APIs
      • Part of subcall function 003374D3: GetWindowRect.USER32(?,?), ref: 00337505
      • Part of subcall function 003374D3: GetWindowRect.USER32(?,?), ref: 0033751D
      • Part of subcall function 003374D3: GetWindowRect.USER32(?,?), ref: 00337535
      • Part of subcall function 003374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033754E
      • Part of subcall function 003374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033755F
      • Part of subcall function 003374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00337570
      • Part of subcall function 003374D3: _ftol2_sse.MSVCRT ref: 00337602
    • GetWindowRect.USER32(?,?), ref: 0033C643
    • GetWindowRect.USER32(?,?), ref: 0033C65B
    • GetWindowRect.USER32(?,?), ref: 0033C673
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,?,?,00000001), ref: 0033C6DB
    • MoveWindow.USER32(?,-00000010,?,00000010,?,00000001,?,00000000,00000000,?,?,00000001), ref: 0033C6F3
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Window$Rect$Points$Move$_ftol2_sse
    • String ID:
    • API String ID: 3053001243-0
    • Opcode ID: f64b2b6e934787e9ac39259d6d65d677cacedc4446f3c903c4ad18187a04e256
    • Instruction ID: 91d95afc74f3496ce3fefb7f073774a7575620dbdef9af5cf189f9728beccbb9
    • Opcode Fuzzy Hash: f64b2b6e934787e9ac39259d6d65d677cacedc4446f3c903c4ad18187a04e256
    • Instruction Fuzzy Hash: 2031817160010AAFDB19CF78CC89BEEBBBAEF48304F085629F515E6160DB71A854CB50
    APIs
    • MonitorFromRect.USER32(?,00000002), ref: 00336949
    • MonitorFromRect.USER32(?,00000002), ref: 00336A0B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: FromMonitorRect
    • String ID: Current display is 0x%08x$New rect (%d, %d, %d, %d) is on display 0x%08x
    • API String ID: 2578442757-1896848492
    • Opcode ID: 903131587c45b0a4c2851638a05a21b31ec4f45a70da5e49f3cd53857af1bc58
    • Instruction ID: cb621063e69417aff63dd843b75c1a123dc6b3dc47de1ea6485c1b5875647aa5
    • Opcode Fuzzy Hash: 903131587c45b0a4c2851638a05a21b31ec4f45a70da5e49f3cd53857af1bc58
    • Instruction Fuzzy Hash: 37512A79A00215AFCF06DF98C8859BEBBB5AF88710F15805AE905AB351CB74AE11CF91
    APIs
    • EnterCriticalSection.KERNEL32(00342860,00000000,00000000,?,?,?,00333DED), ref: 00335EA8
    • DestroyWindow.USER32(00000000,?,?,?,00333DED), ref: 00335EC2
    • LeaveCriticalSection.KERNEL32(00342860,?,?,?,00333DED), ref: 00335EE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: CriticalSection$DestroyEnterLeaveWindow
    • String ID: p(4
    • API String ID: 1456685395-3612994397
    • Opcode ID: 54c09ff03940aa1da39e8fc8b0a37893de76d81387e275ac276d65de1a5d5442
    • Instruction ID: 97a87690aa8261e54719adafbf0a2b271d2ec3ffd4bf74554fee8b30cdfdb7df
    • Opcode Fuzzy Hash: 54c09ff03940aa1da39e8fc8b0a37893de76d81387e275ac276d65de1a5d5442
    • Instruction Fuzzy Hash: 3901D435601A24ABC7236B54D88975FB7ACEF82B15F56040CF8007F351CF74BE418695
    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator,00000000,00020006,00000000,?,?,?,0033E16E,Brightness,00000004,00000004,?), ref: 0033E86A
    • RegSetValueExW.ADVAPI32(00000000,?,00000000,?,?,?,?,?,?,0033E16E,Brightness,00000004,00000004,?), ref: 0033E886
    • RegCloseKey.ADVAPI32(00000000,?,?,?,0033E16E,Brightness,00000004,00000004,?), ref: 0033E897
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator, xrefs: 0033E860
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: CloseOpenValue
    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator
    • API String ID: 779948276-1252446219
    • Opcode ID: 04aab94bc552a2e196aaaaad9cf8144d39e01bb7be12e4a3db34e56c3880d6dd
    • Instruction ID: 39438f41b22777daafc231034fd179000526d9edb711587623400ad4166d49b9
    • Opcode Fuzzy Hash: 04aab94bc552a2e196aaaaad9cf8144d39e01bb7be12e4a3db34e56c3880d6dd
    • Instruction Fuzzy Hash: D6F04936900228FBDB228F809D09FDE7A79EB04755F114150FD01BA1A0C7729E10EBA0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ErrorLast_ftol2
    • String ID:
    • API String ID: 3138094797-0
    • Opcode ID: a738a70d7a50922478171ca93df90a9a4cb9a1a7b66747b04ec58d53f7f5b95c
    • Instruction ID: 8864af19b33fcc9ffc52f2e96ead0cd61d37ccf8431444bce9014a02044d125f
    • Opcode Fuzzy Hash: a738a70d7a50922478171ca93df90a9a4cb9a1a7b66747b04ec58d53f7f5b95c
    • Instruction Fuzzy Hash: BA516E397006208FCB039F24D894B6D7BA6AF89790F1640A9ED06DF395DF74ED058B91
    APIs
      • Part of subcall function 0033E04F: SendMessageW.USER32(?,00000406,00000001,?), ref: 0033E06C
    • SendMessageW.USER32(?,00000415,00000000,00000000), ref: 0033D7E7
      • Part of subcall function 0033E07C: SendMessageW.USER32(?,00000405,00000001,?), ref: 0033E08E
    • SendMessageW.USER32(?,00000415,00000000,00000000), ref: 0033D87A
    • SendMessageW.USER32(?,00000415,00000000,00000000), ref: 0033D910
    • SetTimer.USER32(?,00000001,00000032,00000000), ref: 0033D952
      • Part of subcall function 0033AB40: GetParent.USER32(?), ref: 0033AB48
      • Part of subcall function 0033AB40: PostMessageW.USER32(00000000,00000470,00000000,00000003), ref: 0033AB58
      • Part of subcall function 0033AB40: GetParent.USER32(?), ref: 0033AB61
      • Part of subcall function 0033AB40: SendMessageW.USER32(00000000,00000489,00000000,00331FA0), ref: 0033AB74
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Message$Send$Parent$PostTimer
    • String ID:
    • API String ID: 1672226202-0
    • Opcode ID: 0cda692951c369dfbe408e452a39d3cac4ad1ac83cbc93ab9c27edc2f481f88b
    • Instruction ID: e03f4a4b8f5a1c35dee34123b79f6e264f949c94c0a67b7637b69616a24e1fb4
    • Opcode Fuzzy Hash: 0cda692951c369dfbe408e452a39d3cac4ad1ac83cbc93ab9c27edc2f481f88b
    • Instruction Fuzzy Hash: F5510835600116EFDF069F54DCC4FA87BAABF49700F1940B5EE09AF2A6CB71A9119F60
    APIs
    • DestroyPhysicalMonitors.DXVA2(00000001,00000014,00000000,00000000,00000000,?,00337B14,00000000,00000000,00333D1A), ref: 0033A054
    • DeleteDC.GDI32(?), ref: 0033A06C
    • DccwReleaseDisplayProfileAssociationList.MSCMS(?,00000000,00000000,00000000,?,00337B14,00000000,00000000,00333D1A), ref: 0033A14D
    • DccwReleaseDisplayProfileAssociationList.MSCMS(?,?,00337B14,00000000,00000000,00333D1A), ref: 0033A159
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: AssociationDccwDisplayListProfileRelease$DeleteDestroyMonitorsPhysical
    • String ID:
    • API String ID: 896183022-0
    • Opcode ID: 365909ae69512e74ab40c1ab195cf68b7f9c0d9efbe42c7433d8861459289a8a
    • Instruction ID: a22ac62d612afb45f023239ae0daa846e4c7d0c4e9d2d4a11c85edbe75821b23
    • Opcode Fuzzy Hash: 365909ae69512e74ab40c1ab195cf68b7f9c0d9efbe42c7433d8861459289a8a
    • Instruction Fuzzy Hash: 994169B5805B009FD3729F2A9994AD3FBE4FF4A710F90492EE5AE86214DB317940CF81
    APIs
    • MapDialogRect.USER32(?,?), ref: 0033AA1C
    • GetWindowRect.USER32(?,?), ref: 0033AA42
    • EnumChildWindows.USER32(?,0033AD30), ref: 0033AABD
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0033AAC9
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Rect$ChildDialogEnumInvalidateWindowWindows
    • String ID:
    • API String ID: 102734436-0
    • Opcode ID: 599d59b18d5e934037b14b5e5bf12509602d1f87f085a141c4d7890aca705229
    • Instruction ID: 120ba2c724b8fdba50d7e791f0a4484b447ce28be7a699d5f803b2d4ea991f22
    • Opcode Fuzzy Hash: 599d59b18d5e934037b14b5e5bf12509602d1f87f085a141c4d7890aca705229
    • Instruction Fuzzy Hash: F6313C31600A0A9FDB15CF7CC985BEEBBFAEB45301F454528A59AEB150DBB0B908CB51
    APIs
      • Part of subcall function 003374D3: GetWindowRect.USER32(?,?), ref: 00337505
      • Part of subcall function 003374D3: GetWindowRect.USER32(?,?), ref: 0033751D
      • Part of subcall function 003374D3: GetWindowRect.USER32(?,?), ref: 00337535
      • Part of subcall function 003374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033754E
      • Part of subcall function 003374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0033755F
      • Part of subcall function 003374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00337570
      • Part of subcall function 003374D3: _ftol2_sse.MSVCRT ref: 00337602
    • GetWindowRect.USER32(?,?), ref: 0033C085
    • GetWindowRect.USER32(?,?), ref: 0033C099
    • GetWindowRect.USER32(?,?), ref: 0033C0AD
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000), ref: 0033C0FF
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Window$Rect$Points$Move_ftol2_sse
    • String ID:
    • API String ID: 4240149109-0
    • Opcode ID: 0cc6cdc998ac2eee3852ad5a7836afbd9a846333a118885e4db9b85fd3153b38
    • Instruction ID: 0cd8f11e9282c49d52d901812c259cfdfda754edccd0963710ef1dfb0a0bb824
    • Opcode Fuzzy Hash: 0cc6cdc998ac2eee3852ad5a7836afbd9a846333a118885e4db9b85fd3153b38
    • Instruction Fuzzy Hash: 1A21AC75A00209AFDB119F79CD88BEEBBB9EF48304F054528F516E61A0DB30E844CB20
    APIs
    • GetWindowLongW.USER32(?,000000F0), ref: 0033BA20
    • SetTextColor.GDI32(?,00000000), ref: 0033BA32
    • SetBkMode.GDI32(?,00000001), ref: 0033BA3C
    • GetStockObject.GDI32(00000005), ref: 0033BA44
      • Part of subcall function 0033BAD1: GetDlgItem.USER32(?,000000AA), ref: 0033BB07
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ColorItemLongModeObjectStockTextWindow
    • String ID:
    • API String ID: 3442870416-0
    • Opcode ID: b679628b0da868a81835dca752bda5a0389cc4f495e4d6aaa1c15b515b33d32c
    • Instruction ID: 8ce29c519cb8d37b574d0cad945850b39827383596437fd85e56b624eff038c9
    • Opcode Fuzzy Hash: b679628b0da868a81835dca752bda5a0389cc4f495e4d6aaa1c15b515b33d32c
    • Instruction Fuzzy Hash: EC11BC31104A19EBCF228F15DC48B9EBB68FB04725F00812AFA258A1A0CB74AD60DF90
    APIs
    • GetParent.USER32(?), ref: 0033AEEA
    • PostMessageW.USER32(00000000,00000470,00000000,00000005), ref: 0033AEFB
    • GetDlgItem.USER32(?,00000095), ref: 0033AF17
    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0033AF26
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: Message$ItemParentPostSend
    • String ID:
    • API String ID: 3857695281-0
    • Opcode ID: 2a104dd2b33149322d98b5833b3bdbd521821cae89f1db7de25ab5a243af9be8
    • Instruction ID: ccd646e56751fde9ec6fef46e9287263f3b4da0ebc458fd3df913ac4af0fa4ef
    • Opcode Fuzzy Hash: 2a104dd2b33149322d98b5833b3bdbd521821cae89f1db7de25ab5a243af9be8
    • Instruction Fuzzy Hash: AF01A139300211AFCB125F20CC88A6B3F69EB85B91F044471FD05DF291CF70A9018B91
    APIs
      • Part of subcall function 00340B1A: GetModuleHandleW.KERNEL32(00000000), ref: 00340B21
    • __set_app_type.MSVCRT ref: 00340352
    • __p__fmode.MSVCRT ref: 00340368
    • __p__commode.MSVCRT ref: 00340376
    • __setusermatherr.MSVCRT ref: 00340397
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
    • String ID:
    • API String ID: 1632413811-0
    • Opcode ID: ae013f08572afbaa7a1a24b4ca4a7b4f722c028ec8597dffa7ac449b44b13b5b
    • Instruction ID: 8cc4ad48fe133abc8608bde778cb6260bbeb45128dd2ef9fa5929ed1891a313a
    • Opcode Fuzzy Hash: ae013f08572afbaa7a1a24b4ca4a7b4f722c028ec8597dffa7ac449b44b13b5b
    • Instruction Fuzzy Hash: E1F0D47C6443048FC72B6F70AC4AA097AE9FB42321F500609F4529E2F1CF39B1448A00
    APIs
    • GetParent.USER32(?), ref: 0033F368
    • PostMessageW.USER32(00000000,00000470,00000000,00000002), ref: 0033F378
    • GetParent.USER32(?), ref: 0033F381
    • SendMessageW.USER32(00000000,00000489,00000000,00331FA0), ref: 0033F394
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: MessageParent$PostSend
    • String ID:
    • API String ID: 2241083247-0
    • Opcode ID: 1df00f262909f263397ade25b735ecf0ce7512ebc6afcc0ba525d1d0c7b1aa46
    • Instruction ID: d893865aabc3bfb5fedfeb3ad43bb26f1f27701e46c584b14ecc102438c62cac
    • Opcode Fuzzy Hash: 1df00f262909f263397ade25b735ecf0ce7512ebc6afcc0ba525d1d0c7b1aa46
    • Instruction Fuzzy Hash: D8E0EC76684640BBE6222B70EC0EF863A6CAB45B05F118910B356EE0E0CFE079408B44
    APIs
    • GetParent.USER32(?), ref: 0033AB48
    • PostMessageW.USER32(00000000,00000470,00000000,00000003), ref: 0033AB58
    • GetParent.USER32(?), ref: 0033AB61
    • SendMessageW.USER32(00000000,00000489,00000000,00331FA0), ref: 0033AB74
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: MessageParent$PostSend
    • String ID:
    • API String ID: 2241083247-0
    • Opcode ID: f8469e923fb0bcf6165473ca20ef263104eb51d8c8ef803afd4f6a0647730a74
    • Instruction ID: e8a8f0b50b10ddea800f30f40ba8ffa90198b75241f380f2e714f474ca402e33
    • Opcode Fuzzy Hash: f8469e923fb0bcf6165473ca20ef263104eb51d8c8ef803afd4f6a0647730a74
    • Instruction Fuzzy Hash: 91E0EC76684640BBE6222B70EC0EF863A6CAB45B05F118910B356EE0E0CFE07A408B44
    APIs
    • EventWrite.ADVAPI32(00331F20,00000001,?,?,003368A9,00000000), ref: 0033E944
    • MessageBoxW.USER32(00000000,00000000,003428C8,00000010), ref: 0033E973
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: EventMessageWrite
    • String ID: strg
    • API String ID: 2344367845-3320446829
    • Opcode ID: f67c26f825ff8b7b06061a0776e1b959eca38cb3189842c162d8af5a19270855
    • Instruction ID: e1b25ac2da88f1705ad91a1917598b767b8fcf0e6d3e2e1b1616f2684c774d31
    • Opcode Fuzzy Hash: f67c26f825ff8b7b06061a0776e1b959eca38cb3189842c162d8af5a19270855
    • Instruction Fuzzy Hash: 8A11047AD00209ABCF169F55DC85AEFBBB9EF89300F410119F9127B250DB74AE05CB90
    APIs
    • memset.MSVCRT ref: 0033A6CC
      • Part of subcall function 0033A4CC: GetDisplayConfigBufferSizes.USER32(00000002,?,?), ref: 0033A522
    • DisplayConfigGetDeviceInfo.USER32(?), ref: 0033A70F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: ConfigDisplay$BufferDeviceInfoSizesmemset
    • String ID:
    • API String ID: 4257415688-3916222277
    • Opcode ID: 8a14da48388519f6392d453df88c42d8ed9e0c3b7cf091cdca4385f97a2bfa95
    • Instruction ID: 6f58157ce4c2f30e92b874ceabb809bd115df813e7e04a48a582233e6e4be9ee
    • Opcode Fuzzy Hash: 8a14da48388519f6392d453df88c42d8ed9e0c3b7cf091cdca4385f97a2bfa95
    • Instruction Fuzzy Hash: A311B276E012298BCB15CBE4C98579EB7F4AB44710F220529DD05AB381DB78ED04CBD1
    APIs
    • memset.MSVCRT ref: 0033EB33
    • TaskDialogIndirect.COMCTL32(00000060,00000001,00000000,00000000,?,00000000,00000000), ref: 0033EB79
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: DialogIndirectTaskmemset
    • String ID: `
    • API String ID: 3334335582-2679148245
    • Opcode ID: 6789f43d11a6e8e0e93746757039a9c68280210defd1ca61774d248e05a33837
    • Instruction ID: 49c9f6536a11f072c53aa94882bd813d31330dae2780f6f55cfbdeefff5aed8d
    • Opcode Fuzzy Hash: 6789f43d11a6e8e0e93746757039a9c68280210defd1ca61774d248e05a33837
    • Instruction Fuzzy Hash: D201E1B5900358ABDF21DF95C949BCFBFBDEB81715F10012AE505AB240D7B45948CB51
    APIs
    • GetMonitorInfoW.USER32(?,?), ref: 00339020
    • CreateDCW.GDI32(?,?,00000000,00000000), ref: 00339034
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: CreateInfoMonitor
    • String ID: h
    • API String ID: 3263162237-2439710439
    • Opcode ID: 1cc7f605e6b9a6dbd23778d48820d950c07f5943764c2f3f8e03646cb35e82d1
    • Instruction ID: 93f3a52b9f23f2d4b01d1cc5756b4d71d7438fb1fb817e292ccb11cfeca43926
    • Opcode Fuzzy Hash: 1cc7f605e6b9a6dbd23778d48820d950c07f5943764c2f3f8e03646cb35e82d1
    • Instruction Fuzzy Hash: 1DF08C72614704AFC724DF34D885B5777E8EB48350F518A1AF996CB190EB70F900CBA2
    APIs
    • GetProcAddress.KERNEL32(00000000,AtlThunk_AllocateData), ref: 0033F85E
    • EncodePointer.KERNEL32(00000000,?,0033FC57,003428BC,?,0033F9CB,?,00000000,?,00336D51,00000000,?,00000000,0033615B,00000000,00000000), ref: 0033F86D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1288590890.0000000000331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
    • Associated: 00000000.00000002.1288556056.0000000000330000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288613361.0000000000342000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1288638151.0000000000343000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_330000_skZwfU6wMR.jbxd
    Similarity
    • API ID: AddressEncodePointerProc
    • String ID: AtlThunk_AllocateData
    • API String ID: 1846120836-3926079072
    • Opcode ID: 60b0b8ca4ce3d92ff71cb88465d3c5ea7930cef4b3653941c947448144da988e
    • Instruction ID: f55339214dd4bff2226a0443b8456b7376a566468a85177ede79c7e599d6e250
    • Opcode Fuzzy Hash: 60b0b8ca4ce3d92ff71cb88465d3c5ea7930cef4b3653941c947448144da988e
    • Instruction Fuzzy Hash: BED0A774100304BF8B155F3298499637B5CEA93711B004028F806CB210E936E4059534