Windows Analysis Report
Yu4oufkUC8.exe

Overview

General Information

Sample name: Yu4oufkUC8.exe (renamed because the original name is a hash value)
Original sample name: 28d2c70bb31fc2be17ff15f5c07eea5f373563970ec210b3af343444222ef167.exe
Analysis ID: 1543065
MD5: a15f95b58098883533e018a0f90564bb
SHA1: 4f09e4c7171ee03f47c0954dd24335d19412aca8
SHA256: 28d2c70bb31fc2be17ff15f5c07eea5f373563970ec210b3af343444222ef167
Tags: exegurt-duna-uauser-JAMESWT_MHT

Detection

Score: 56 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Reading these: the PEB read, the GetProcessHeap pair, the push/ret sequences, the SetUnhandledExceptionFilter and timing calls and the "potential crypto function" are patterns that also occur in ordinary compiler-generated C runtime code, and the file-name mismatch is expected for any sample that was renamed to its hash before submission. What carries weight is the two scanner verdicts (Avira, ReversingLabs 32%) and a header checksum that does not match the file contents, set against a version resource, a PDB name (dccw.pdb), a mutex name and mscms.dll Dccw* imports that all point to the Windows Display Color Calibration tool. The run itself produced no network traffic, no dropped files, no injection and no persistence.

Classification

Classification label: mal56.winEXE@1/0@0/0 (the classification graphic is not reproduced here)

Process Tree

  • System is w10x64
  • Yu4oufkUC8.exe (PID: 5640, cmdline: "C:\Users\user\Desktop\Yu4oufkUC8.exe", MD5: A15F95B58098883533E018A0F90564BB)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


Signature details

AV Detection
Source: Yu4oufkUC8.exe | Avira: detected
Source: Yu4oufkUC8.exe | ReversingLabs: Detection: 32%

Uses 32bit PE files
Source: Yu4oufkUC8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F3EDC2: GetObjectW, GetLastError, GetWindowRect, GetLastError, GetDC, GetLastError, CreateCompatibleDC, GetLastError, SelectObject, CreateCompatibleDC, GetLastError, SetStretchBltMode, GetLastError, CreateCompatibleBitmap, GetLastError, SelectObject, StretchBlt, GetLastError, SendMessageW, DeleteObject, ReleaseDC, DeleteDC, DeleteDC, DeleteObject

Detected potential crypto function
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F36166
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F35245

Sample file is different than original file name gathered from version info
Source: Yu4oufkUC8.exe | Binary or memory string: OriginalFilename vs Yu4oufkUC8.exe
Source: Yu4oufkUC8.exe, 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedccw.exej% vs Yu4oufkUC8.exe
Source: Yu4oufkUC8.exe, 00000000.00000000.1397182904.0000000000F43000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedccw.exej% vs Yu4oufkUC8.exe
Source: Yu4oufkUC8.exe | Binary or memory string: OriginalFilenamedccw.exej% vs Yu4oufkUC8.exe

PE file contains an invalid checksum
Source: Yu4oufkUC8.exe | Static PE information: real checksum: 0x2100c should be: 0x71b58
Windows-shipped binaries normally carry a correct header checksum, so a mismatch means the bytes were changed after linking or the file is not the build its version resource describes. Compare the SHA256 above with the dccw.exe from a clean Windows installation of the same build before concluding either way.

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F40DD1: push ecx; ret (0_2_00F40DE4)
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F31D0C: pushad; retf (0_2_00F31D0D)

Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | API coverage: 5.2 %

Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F3F7EE: mov esi, dword ptr fs:[00000030h]

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F3F8CD: GetProcessHeap, HeapAlloc, GetProcessHeap, HeapFree

Other static and behavioral observations
Source: classification engine | Classification label: mal56.winEXE@1/0@0/0
Source: Yu4oufkUC8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Yu4oufkUC8.exe | Static PE information: Section .text: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Yu4oufkUC8.exe | Static PE information: data directories present: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: dccw.pdbGCTL source: Yu4oufkUC8.exe
Source: Binary string: dccw.pdb source: Yu4oufkUC8.exe
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F4002C: FormatMessageW, LocalFree, GetLastError
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F40138: CoCreateInstance, SysAllocString, WinSqmAddToStream, SysFreeString
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F3596D: LoadLibraryExW, FindResourceExW, LoadResource, SizeofResource, MultiByteToWideChar, FreeLibrary
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCCW Startup Mutex
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Command line argument: strg (0_2_00F33BBD)
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Sections loaded: dxva2.dll, mscms.dll, userenv.dll, coloradapterclient.dll, uxtheme.dll, kernel.appcore.dll, duser.dll, xmllite.dll, atlthunk.dll, textshaping.dll
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F40A80: SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F407FD: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\Yu4oufkUC8.exe | Code function 0_2_00F40CC9: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
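The checksum finding is the one item in this list that can be reproduced outside the sandbox. The Python below is an added example, not output of the Joe Sandbox report: it implements the PE header checksum (the DWORD sum with end-around carry, folded to 16 bits and added to the file length, as computed by CheckSumMappedFile and by pefile), reads the stored value from IMAGE_OPTIONAL_HEADER, and compares the two. Run against a copy of the sample it should report the 0x2100c stored versus 0x71b58 computed that the report states; the minimal PE image it builds for the demo is a constructed fixture, not the sample.

```python
# PE header checksum check. Added example; not report output. The demo image is a
# constructed fixture, not the sample analysed on this page.
import struct
import sys


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (0x40 bytes into the optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    optional_header = e_lfanew + 4 + 20          # skip signature and COFF file header
    offset = optional_header + 0x40
    if offset % 4:
        raise ValueError("CheckSum field not DWORD-aligned; image is malformed")
    return offset


def pe_checksum(data: bytes, field_offset: int) -> int:
    """Sum every DWORD except the CheckSum field with end-around carry, fold the
    32-bit sum to 16 bits, then add the unpadded file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = field_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def check(data: bytes):
    """Return (stored, computed); the report shows 0x2100c vs 0x71b58 for the sample."""
    off = checksum_field_offset(data)
    return struct.unpack_from("<I", data, off)[0], pe_checksum(data, off)


def stamp(data: bytes) -> bytes:
    """Write the correct checksum into the header, as the linker does."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def tamper_last_byte(data: bytes) -> bytes:
    """Flip the last byte: the kind of post-link change the checksum is meant to catch."""
    return data[:-1] + bytes([data[-1] ^ 0xFF])


def minimal_pe(payload: bytes = b"") -> bytes:
    """Constructed fixture: DOS header, PE signature, COFF header, empty PE32 optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)    # i386, 0xE0-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic; CheckSum at +0x40 stays 0
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload


if __name__ == "__main__":
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else stamp(minimal_pe(b"payload bytes"))
    stored, computed = check(img)
    print(f"stored 0x{stored:x} computed 0x{computed:x} -> {'OK' if stored == computed else 'MISMATCH'}")
```

The field itself is excluded from the sum, so a correct stamp does not change the computed value; any later edit to the file, including a one-byte patch, does.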
MITRE ATT&CK mapping (reconstructed from the report's matrix; the number is the count of signatures mapped to the technique)

Tactic               | Technique (signature count)
Execution            | Command and Scripting Interpreter (2)
Persistence          | DLL Side-Loading (1)
Privilege Escalation | DLL Side-Loading (1)
Defense Evasion      | DLL Side-Loading (1); Obfuscated Files or Information (1)
Discovery            | System Time Discovery (1); Security Software Discovery (1); System Information Discovery (2)
Collection           | Screen Capture (1); Archive Collected Data (1)
Command and Control  | Encrypted Channel (1)

No technique matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact; the entries the matrix shows there (Gather Victim Identity Information, Acquire Infrastructure, Valid Accounts, OS Credential Dumping, Remote Services, Exfiltration Over Other Network Medium, Abuse Accessibility Features and the rest) are unmatched placeholders with no signature count. The report records no network behavior, so the Collection and Command and Control cells reflect static capability heuristics, not observed traffic or exfiltration.
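The three DLL Side-Loading cells come from the "Sections loaded" entries in the signature details: modules the process resolved by name. Whether that is exploitable depends on what sits next to the executable in the directory it really runs from, which the sandbox run (no dropped files) cannot tell you. The Python below is an added example, not part of the report: it takes those module names and flags any that have a same-named file in the application directory, which the default search order consults before System32 for anything not resolved through KnownDLLs. The KnownDLLs subset and the files planted in demo() are assumptions and constructed fixtures.

```python
# DLL search-order exposure check for the modules the report shows loaded by name.
# Added example, not report output. The planted files in demo() are constructed fixtures.
import os
import tempfile

# "Sections loaded" entries from the signature details on this page.
LOADED = ["dxva2.dll", "mscms.dll", "userenv.dll", "coloradapterclient.dll", "uxtheme.dll",
          "kernel.appcore.dll", "duser.dll", "xmllite.dll", "atlthunk.dll", "textshaping.dll"]

# KnownDLLs are mapped from the \KnownDlls object directory and never searched for on disk.
# Illustrative subset (assumption); the authoritative list is the registry key
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs on the target host.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll",
              "ole32.dll", "oleaut32.dll", "shell32.dll", "msvcrt.dll"}


def side_load_candidates(exe_dir, loaded=LOADED, known=KNOWN_DLLS):
    """Modules for which a same-named file sits in the application directory. With
    SafeDllSearchMode (the default) that directory is searched before System32, so such
    a file is what the loader picks for any module not resolved through KnownDLLs,
    an API set or an explicit full path."""
    try:
        present = {name.lower() for name in os.listdir(exe_dir)}
    except OSError:
        return {}
    hits = {}
    for dll in loaded:
        name = dll.lower()
        if name not in known and name in present:
            hits[name] = os.path.join(exe_dir, name)
    return hits


def demo():
    """Plant two files next to a pretend sample: one side-loadable, one a KnownDLL (ignored)."""
    with tempfile.TemporaryDirectory() as d:
        for planted in ("Yu4oufkUC8.exe", "dxva2.dll", "kernel32.dll"):
            open(os.path.join(d, planted), "wb").close()
        return sorted(side_load_candidates(d, LOADED + ["kernel32.dll"]))


if __name__ == "__main__":
    print(demo())
```

Point it at the directory the sample was collected from, not the sandbox desktop; a match there is a concrete side-loading finding, while an empty result only says nothing was planted in that one location.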
Antivirus results (source, detection, scanner, label):
Yu4oufkUC8.exe   32%    ReversingLabs   Win32.Trojan.Cerbu
Yu4oufkUC8.exe   100%   Avira           TR/Drop.Agent.hgoel
No antivirus matches in the remaining tables (dropped files, unpacked PE files, domains, URLs)
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543065
Start date and time: 2024-10-27 07:36:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Yu4oufkUC8.exe (renamed because the original name is a hash value)
Original Sample Name: 28d2c70bb31fc2be17ff15f5c07eea5f373563970ec210b3af343444222ef167.exe
Detection: MAL
Classification: mal56.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 8
  • Number of non-executed functions: 69
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • VT rate limit hit for: Yu4oufkUC8.exe (no VirusTotal result is included in this report)
No simulations
No context (all five context tables are empty)
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.325656675016633
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Yu4oufkUC8.exe
File size: 454'452 bytes
MD5: a15f95b58098883533e018a0f90564bb
SHA1: 4f09e4c7171ee03f47c0954dd24335d19412aca8
SHA256: 28d2c70bb31fc2be17ff15f5c07eea5f373563970ec210b3af343444222ef167
SHA512: c3b565ca12801a7e82963bc6727cdb801b04807647f9ab577158f7d20abbda22defba6f7a39d91d2f9d4d44090c1d0601f38d035a923d4652fa5039fe559cf9a
SSDEEP: 6144:NLj3gPQYfLQzXGkr1lpLj3gPQYfLQzXGkr1lMLj3gPQYfLQzXGkr1lAUaLj3gPQ9:ht9t+tstRt
TLSH: A9A4F652754A00E3DAE7177A7DAFBD34E2BD96350790F4C3132486C6D8922C19EB07EA
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[..a...a...a.......a...b...a...e...a...d...a...`...a...`.[.a...i...a.......a...c...a.Rich..a.........PE..L.....g............
Icon Hash: 00928e8e8686b000
Entrypoint: 0x410670
Entrypoint Section: .text
Digitally signed: false (no embedded Authenticode signature; the SECURITY data directory below is empty. Windows system binaries are usually catalog-signed rather than embedded-signed, so verify against the catalog, for example with Get-AuthenticodeSignature on a Windows host, before treating this as anomalous)
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x1B679987 [Fri Jul 27 11:05:43 1984 UTC] (Microsoft's reproducible builds store a hash in this field rather than a build time, so the implausible date on its own is not evidence of tampering)
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: 491393967a8d093caa31d224e1563ec2
Entrypoint instructions (disassembly as listed by the report, starting at 0x410670):
call 00007FD5B8E723E9h
jmp 00007FD5B8E71B04h
int3
int3
int3
int3
int3
int3
cmp ecx, dword ptr [00412074h]
jne 00007FD5B8E71D95h
retn 0000h
jmp 00007FD5B8E71F32h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
push 00410680h
push 00412074h
call 00007FD5B8E724C0h
add esp, 18h
pop ebp
ret
int3
int3
int3
int3
int3
int3
jmp dword ptr [004133B4h]
int3
int3
int3
int3
int3
int3
push 00000014h
push 00411010h
call 00007FD5B8E7243Eh
and dword ptr [ebp-24h], 00000000h
mov eax, dword ptr [004128DCh]
mov dword ptr [ebp-1Ch], eax
cmp eax, FFFFFFFFh
jne 00007FD5B8E71DA8h
push dword ptr [ebp+08h]
mov esi, dword ptr [00413350h]
mov ecx, esi
call dword ptr [004133DCh]
call esi
pop ecx
jmp 00007FD5B8E71DE6h
push 00000008h
call 00007FD5B8E7247Bh
pop ecx
and dword ptr [ebp-04h], 00000000h
mov eax, dword ptr [004128DCh]
mov dword ptr [ebp-1Ch], eax
mov eax, dword ptr [004128D8h]
mov dword ptr [ebp-20h], eax
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
push dword ptr [ebp+08h]
call 00007FD5B8E7246Eh
add esp, 00000000h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Data directories (name, virtual address, virtual size, section):
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0       0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x133e4   0x118    .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x15000   0xad8    .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0       0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0       0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x16000   0x1100   .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x36ec    0x54     .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0       0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0       0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0       0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x1a18    0xc0     .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0       0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x13000   0x3dc    .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0       0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0       0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0       0x0
Sections (name, virtual address, virtual size, raw size, MD5, Xored PE, ZLIB complexity, file type, entropy, characteristics):
.text   0x1000   0x10074  0x10200  a0f29a9cfdb6ce8a5e5b661d4c75fddd  False  0.4699763808139535   data  6.213626139783662   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x12000  0x940    0x600    e13e04f6d2fb4da4268ddcbfffc6f9ca  False  0.2903645833333333   data  2.5070998695029845  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0x13000  0x1a88   0x1c00   d1d54d4ebc4341b577fa01ca1ae5cd84  False  0.41322544642857145  data  5.362229922857188   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x15000  0xad8    0xc00    f6912cbbd83d4fc3adab01bc338a72ff  False  0.396484375          data  4.422366166757536   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x16000  0x1100   0x1200   3f96f8b6178ac65c1972f0c44dfe3d56  False  0.7999131944444444   data  6.534591735538366   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
No section is both writable and executable, and the .text entropy of 6.2 is in the range of ordinary compiled code rather than packed or encrypted data.
Resources (name, RVA, size, type, language, country, ZLIB complexity):
MUI          0x159d0  0x108  data                                                      English  United States  0.5681818181818182
RT_VERSION   0x15640  0x390  data                                                      English  United States  0.46600877192982454
RT_MANIFEST  0x150f0  0x54b  XML 1.0 document, ASCII text, with CRLF line terminators  English  United States  0.4154981549815498
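The RT_VERSION resource listed above holds the OriginalFilename (dccw.exe) that the "Sample file is different than original file name" signature compares with the submitted name. The Python below is an added example, not report output: it pulls OriginalFilename out of a VS_VERSIONINFO String entry by scanning for the UTF-16 key, reading the wLength/wValueLength/wType header in front of it and honouring the structure's DWORD padding, then applies the same case-insensitive name comparison. The version-block fragment it builds for the demo is a constructed fixture carrying the value this report shows.

```python
# OriginalFilename extraction from a VS_VERSIONINFO String entry. Added example, not report output.
import struct


def original_filename(data: bytes, block_start: int = 0, key: str = "OriginalFilename"):
    """Locate the String structure {wLength, wValueLength, wType, szKey, pad, Value}
    whose key matches and return its Value. Padding is to a DWORD boundary measured
    from the start of the version block; resource data is DWORD-aligned in the file,
    so block_start=0 is right when scanning a whole PE file."""
    needle = key.encode("utf-16-le") + b"\0\0"
    i = data.find(needle)
    while i != -1:
        if i >= 6:
            _, value_len, value_type = struct.unpack_from("<HHH", data, i - 6)
            if value_type == 1 and value_len:          # wType 1 = text, wValueLength in WCHARs
                p = i + len(needle)
                p += (-(p - block_start)) % 4           # pad to the next DWORD boundary
                raw = data[p:p + value_len * 2]
                return raw.decode("utf-16-le", "replace").rstrip("\0")
        i = data.find(needle, i + 1)
    return None


def name_mismatch(sample_name: str, original) -> bool:
    """The comparison behind the report's file-name signature."""
    return original is not None and sample_name.lower() != original.lower()


def string_entry(key: str, value: str) -> bytes:
    """Constructed fixture builder: one VS String structure, DWORD-padded like the real resource."""
    k = key.encode("utf-16-le") + b"\0\0"
    v = value.encode("utf-16-le") + b"\0\0"
    body = k + b"\0" * ((-(6 + len(k))) % 4) + v
    entry = struct.pack("<HHH", 6 + len(body), len(v) // 2, 1) + body
    return entry + b"\0" * (-len(entry) % 4)


# Constructed version-block fragment with the OriginalFilename this report shows for the sample.
FIXTURE = (b"\0" * 8
           + string_entry("CompanyName", "Microsoft Corporation")
           + string_entry("OriginalFilename", "dccw.exe"))


def scan_file(path: str, sample_name: str):
    """Apply the check to a real file: returns (OriginalFilename, mismatch flag)."""
    data = open(path, "rb").read()
    original = original_filename(data)
    return original, name_mismatch(sample_name, original)


if __name__ == "__main__":
    original = original_filename(FIXTURE)
    print(original, name_mismatch("Yu4oufkUC8.exe", original))
```

On a whole file the scan works because the key is a fixed UTF-16 string and the padding rule is the only structural detail that matters for reading the value; a full VS_VERSIONINFO walker is not needed for triage.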
Imports (DLL: functions):
ADVAPI32.dll: RegCloseKey, RegQueryInfoKeyW, RegEnumKeyExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, EventRegister, EventUnregister, EventWrite, RegQueryValueExW
KERNEL32.dll: CreateMutexW, HeapSetInformation, InitializeCriticalSection, GetModuleFileNameW, FindResourceExW, LoadResource, SizeofResource, WaitForSingleObject, lstrcmpiW, GetModuleHandleW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError, ReleaseMutex, CloseHandle, CreateFileW, GetCurrentProcessId, LockResource, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, LocalFree, FormatMessageW, GetSystemDirectoryW, WriteFile, WideCharToMultiByte, GetSystemTime, CopyFileW, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, RaiseException, DeleteCriticalSection, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, OutputDebugStringA, TerminateProcess, SetUnhandledExceptionFilter, HeapFree, VirtualFree, GetCurrentProcess, VirtualAlloc, LoadLibraryExA, EncodePointer, HeapAlloc, DecodePointer, IsProcessorFeaturePresent, GetProcessHeap, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, Sleep, GetStartupInfoW, UnhandledExceptionFilter, QueryPerformanceCounter
GDI32.dll: StretchBlt, CreateCompatibleBitmap, SetStretchBltMode, SelectObject, CreateCompatibleDC, GetObjectW, GetTextExtentPoint32W, SetDeviceGammaRamp, GetDeviceGammaRamp, GetStockObject, SetBkMode, SetBkColor, SetTextColor, CreateSolidBrush, GetDeviceCaps, CreateDCW, DeleteDC, DeleteObject
USER32.dll: LoadStringW, GetWindow, ShowWindow, MessageBoxW, ReleaseDC, GetWindowTextW, GetWindowTextLengthW, GetDC, KillTimer, SetTimer, SetWindowTextW, PostMessageW, MapDialogRect, EnumChildWindows, DisplayConfigGetDeviceInfo, QueryDisplayConfig, GetDisplayConfigBufferSizes, EnumDisplayDevicesW, ShowCursor, LoadCursorW, SetCursor, GetMonitorInfoW, EnumDisplayMonitors, MonitorFromWindow, GetParent, InvalidateRect, MapWindowPoints, GetWindowRect, GetDlgItem, DefWindowProcW, SendMessageW, CallWindowProcW, SetWindowPos, SetForegroundWindow, OpenIcon, SetWindowLongW, GetWindowLongW, MonitorFromRect, SendMessageTimeoutW, AllowSetForegroundWindow, GetWindowThreadProcessId, FindWindowW, RegisterWindowMessageW, GetActiveWindow, GetSystemMetrics, CharNextW, DestroyWindow, UnregisterClassA, MoveWindow
msvcrt.dll: _ftol2, memcpy, _controlfp, ?terminate@@YAXXZ, realloc, _errno, _onexit, __dllonexit, _unlock, _lock, _except_handler4_common, _wcmdln, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, __p__commode, _XcptFilter, _callnewh, swscanf_s, wcsstr, _wcsupr, _purecall, memcpy_s, malloc, wcsncpy_s, free, _ftol2_sse, _vsnwprintf, towlower, iswupper, _CIpow, memset
ntdll.dll: WinSqmAddToStream
dxva2.dll: GetNumberOfPhysicalMonitorsFromHMONITOR, GetPhysicalMonitorsFromHMONITOR, DestroyPhysicalMonitors, GetMonitorBrightness, SetMonitorBrightness, GetMonitorContrast, SetMonitorContrast, GetVCPFeatureAndVCPFeatureReply, SetVCPFeature
mscms.dll: GetColorProfileFromHandle, UninstallColorProfileW, WcsCreateIccProfile, GetColorDirectoryW, InstallColorProfileW, CloseColorProfile, DccwSetDisplayProfileAssociationList, WcsGetUsePerUserProfiles, WcsGetDefaultColorProfile, WcsOpenColorProfileW, DccwGetGamutSize, DccwCreateDisplayProfileAssociationList, DccwGetDisplayProfileAssociationList, WcsGetCalibrationManagementState, SetColorProfileElement, SetColorProfileElementSize, DccwReleaseDisplayProfileAssociationList, WcsDisassociateColorProfileFromDevice, WcsSetCalibrationManagementState, WcsSetDefaultColorProfile
SHELL32.dll: ShellExecuteW
GDIPLUS.dll: GdipCreateHBITMAPFromBitmap, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipFree, GdipCreateLineBrushI, GdipFillRectangleI, GdipCloneBrush, GdipAlloc, GdipDeleteBrush, GdipCreateSolidFill, GdipDeleteGraphics, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup
COMCTL32.dll: TaskDialogIndirect, DestroyPropertySheetPage, CreatePropertySheetPageW, PropertySheetW
OLEAUT32.dll: SysFreeString, VarUI4FromStr, SysAllocString
api-ms-win-core-com-l1-1-0.dll: CoTaskMemRealloc, CoTaskMemFree, CreateStreamOnHGlobal, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance
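The Import Hash in the static information is pefile's imphash: the import table normalized to lowercase library.function pairs (with a .dll, .ocx or .sys extension removed) in import-directory order, joined with commas and hashed with MD5. The Python below is an added example, not report output: it recomputes the hash from the table as printed on this page. It assumes the printed order is the import-directory order and that every import is by name; if both hold, the result equals the report's 491393967a8d093caa31d224e1563ec2. Applied to a dccw.exe from a clean Windows installation, a different value means a different build or an altered import table, while an identical value only says the imports match.

```python
# imphash recomputed from the import table printed on this page. Added example, not report output.
import hashlib

# (DLL, imported names) in the order the page prints them; assumed to be import-directory order.
IMPORTS = [
    ("ADVAPI32.dll", "RegCloseKey, RegQueryInfoKeyW, RegEnumKeyExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, EventRegister, EventUnregister, EventWrite, RegQueryValueExW"),
    ("KERNEL32.dll", "CreateMutexW, HeapSetInformation, InitializeCriticalSection, GetModuleFileNameW, FindResourceExW, LoadResource, SizeofResource, WaitForSingleObject, lstrcmpiW, GetModuleHandleW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError, ReleaseMutex, CloseHandle, CreateFileW, GetCurrentProcessId, LockResource, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, LocalFree, FormatMessageW, GetSystemDirectoryW, WriteFile, WideCharToMultiByte, GetSystemTime, CopyFileW, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, RaiseException, DeleteCriticalSection, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, OutputDebugStringA, TerminateProcess, SetUnhandledExceptionFilter, HeapFree, VirtualFree, GetCurrentProcess, VirtualAlloc, LoadLibraryExA, EncodePointer, HeapAlloc, DecodePointer, IsProcessorFeaturePresent, GetProcessHeap, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, Sleep, GetStartupInfoW, UnhandledExceptionFilter, QueryPerformanceCounter"),
    ("GDI32.dll", "StretchBlt, CreateCompatibleBitmap, SetStretchBltMode, SelectObject, CreateCompatibleDC, GetObjectW, GetTextExtentPoint32W, SetDeviceGammaRamp, GetDeviceGammaRamp, GetStockObject, SetBkMode, SetBkColor, SetTextColor, CreateSolidBrush, GetDeviceCaps, CreateDCW, DeleteDC, DeleteObject"),
    ("USER32.dll", "LoadStringW, GetWindow, ShowWindow, MessageBoxW, ReleaseDC, GetWindowTextW, GetWindowTextLengthW, GetDC, KillTimer, SetTimer, SetWindowTextW, PostMessageW, MapDialogRect, EnumChildWindows, DisplayConfigGetDeviceInfo, QueryDisplayConfig, GetDisplayConfigBufferSizes, EnumDisplayDevicesW, ShowCursor, LoadCursorW, SetCursor, GetMonitorInfoW, EnumDisplayMonitors, MonitorFromWindow, GetParent, InvalidateRect, MapWindowPoints, GetWindowRect, GetDlgItem, DefWindowProcW, SendMessageW, CallWindowProcW, SetWindowPos, SetForegroundWindow, OpenIcon, SetWindowLongW, GetWindowLongW, MonitorFromRect, SendMessageTimeoutW, AllowSetForegroundWindow, GetWindowThreadProcessId, FindWindowW, RegisterWindowMessageW, GetActiveWindow, GetSystemMetrics, CharNextW, DestroyWindow, UnregisterClassA, MoveWindow"),
    ("msvcrt.dll", "_ftol2, memcpy, _controlfp, ?terminate@@YAXXZ, realloc, _errno, _onexit, __dllonexit, _unlock, _lock, _except_handler4_common, _wcmdln, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, __p__commode, _XcptFilter, _callnewh, swscanf_s, wcsstr, _wcsupr, _purecall, memcpy_s, malloc, wcsncpy_s, free, _ftol2_sse, _vsnwprintf, towlower, iswupper, _CIpow, memset"),
    ("ntdll.dll", "WinSqmAddToStream"),
    ("dxva2.dll", "GetNumberOfPhysicalMonitorsFromHMONITOR, GetPhysicalMonitorsFromHMONITOR, DestroyPhysicalMonitors, GetMonitorBrightness, SetMonitorBrightness, GetMonitorContrast, SetMonitorContrast, GetVCPFeatureAndVCPFeatureReply, SetVCPFeature"),
    ("mscms.dll", "GetColorProfileFromHandle, UninstallColorProfileW, WcsCreateIccProfile, GetColorDirectoryW, InstallColorProfileW, CloseColorProfile, DccwSetDisplayProfileAssociationList, WcsGetUsePerUserProfiles, WcsGetDefaultColorProfile, WcsOpenColorProfileW, DccwGetGamutSize, DccwCreateDisplayProfileAssociationList, DccwGetDisplayProfileAssociationList, WcsGetCalibrationManagementState, SetColorProfileElement, SetColorProfileElementSize, DccwReleaseDisplayProfileAssociationList, WcsDisassociateColorProfileFromDevice, WcsSetCalibrationManagementState, WcsSetDefaultColorProfile"),
    ("SHELL32.dll", "ShellExecuteW"),
    ("GDIPLUS.dll", "GdipCreateHBITMAPFromBitmap, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipFree, GdipCreateLineBrushI, GdipFillRectangleI, GdipCloneBrush, GdipAlloc, GdipDeleteBrush, GdipCreateSolidFill, GdipDeleteGraphics, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup"),
    ("COMCTL32.dll", "TaskDialogIndirect, DestroyPropertySheetPage, CreatePropertySheetPageW, PropertySheetW"),
    ("OLEAUT32.dll", "SysFreeString, VarUI4FromStr, SysAllocString"),
    ("api-ms-win-core-com-l1-1-0.dll", "CoTaskMemRealloc, CoTaskMemFree, CreateStreamOnHGlobal, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance"),
]


def imphash_input(imports):
    """Normalize to pefile's 'lib.func' list: library lowercased with .dll/.ocx/.sys removed,
    function names lowercased, original order kept (reordering changes the hash)."""
    parts = []
    for dll, names in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        if isinstance(names, str):
            names = names.replace(",", " ").split()
        for name in names:
            # Imports by ordinal would appear as "ord<N>"; pefile first maps the ordinals of a few
            # well-known DLLs to names, which this example omits (assumption: all imports by name).
            parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash(IMPORTS), "page value: 491393967a8d093caa31d224e1563ec2")
```

Order matters: the same DLLs and functions in a different sequence give a different hash, which is why imphash groups builds of one code base rather than binaries that merely use the same APIs.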
Language of compilation system: English (country where the language is spoken: United States)

No network behavior found
Process: Yu4oufkUC8.exe (Target ID 0)

Start time: 02:37:02
Start date: 27/10/2024
Path: C:\Users\user\Desktop\Yu4oufkUC8.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Yu4oufkUC8.exe"
Imagebase: 0xf30000 (the preferred base is 0x400000; ASLR relocated the image, which is why the code-function addresses in the signature details are 0x00F3xxxx)
File size: 454'452 bytes
MD5 hash: A15F95B58098883533E018A0F90564BB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


    Execution Graph

    Execution Coverage:5.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:14.5%
    Total number of Nodes:1562
    Total number of Limit Nodes:24
    The interactive execution graph is not reproduced; the call chains readable from its node dump are:
    • 0x00F33BBD (main flow): HeapSetInformation, EventRegister, GdiplusStartup, GetSystemMetrics, RegOpenKeyExW/RegQueryValueExW/RegCloseKey (0x00F3F064), GetActiveWindow, PropertySheetW, GdiplusShutdown, EventUnregister. The program ends in a property-sheet dialog, which matches the idle behavior noted in the signatures.
    • 0x00F36166 (single-instance check on the mutex named above): CreateMutexW, GetLastError, WaitForSingleObject, RegisterWindowMessageW, FindWindowW, GetWindowThreadProcessId, AllowSetForegroundWindow, SendMessageTimeoutW, ReleaseMutex, CloseHandle.
    • 0x00F3E84A: RegOpenKeyExW, RegSetValueExW, RegCloseKey.
    • 0x00F3EDC2 (the bitmap copy behind the screenshot signature): GetObjectW, GetWindowRect, GetDC, CreateCompatibleDC, SelectObject, CreateCompatibleDC, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, StretchBlt, SendMessageW, DeleteObject,
ReleaseDC, DeleteDC, DeleteDC, DeleteObject.
    • 0x00F3EC08 / 0x00F3F117 (image loaded from a resource): FindResourceW, LoadResource, SizeofResource, LockResource, GlobalAlloc, GlobalLock, memcpy, CreateStreamOnHGlobal, GlobalUnlock, GlobalFree, GdipAlloc, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GetObjectW.
    • 0x00F3CFBF: SetVCPFeature; 0x00F39012: GetMonitorInfoW, CreateDCW (monitor control and display-context calls).
    • 0x00F3F7EE (the PEB read in the signature list): IsProcessorFeaturePresent, read of fs:[30h], GetProcessHeap, HeapAlloc, GetProcessHeap, HeapFree.
    • 0x00F3F711: InterlockedPopEntrySList, GetProcessHeap, HeapAlloc, VirtualAlloc, VirtualFree, InterlockedPushEntrySList; 0x00F3FAAC, 0x00F3FB5E, 0x00F3F9FA: DecodePointer, LoadLibraryExA and lookups via 0x00F3F857.
    • 0x00F403E9 (C runtime start-up): GetStartupInfoW, Sleep, _amsg_exit, _initterm, exit, _cexit.
f402fe ctype 2 API calls 4798->4799 4800 f36532 4799->4800 4801 f3655f 4800->4801 4802 f3c11c 6 API calls 4800->4802 4803 f36bd5 3 API calls 4801->4803 4802->4801 4804 f36571 4803->4804 4804->4740 4805 f402fe ctype 2 API calls 4804->4805 4806 f36585 4805->4806 4807 f365b2 4806->4807 4808 f3c11c 6 API calls 4806->4808 4809 f36bd5 3 API calls 4807->4809 4808->4807 4810 f365c4 4809->4810 4810->4740 4811 f402fe ctype 2 API calls 4810->4811 4812 f365d8 4811->4812 4813 f365f9 4812->4813 4814 f3a74b 5 API calls 4812->4814 4815 f36bd5 3 API calls 4813->4815 4814->4813 4816 f3660b 4815->4816 4816->4740 4817 f402fe ctype 2 API calls 4816->4817 4818 f3661f 4817->4818 4819 f3664d 4818->4819 4820 f37276 5 API calls 4818->4820 4821 f36bd5 3 API calls 4819->4821 4820->4819 4822 f36666 4821->4822 4822->4740 4823 f402fe ctype 2 API calls 4822->4823 4824 f3667a 4823->4824 4825 f3669b 4824->4825 4826 f3a74b 5 API calls 4824->4826 4827 f36bd5 3 API calls 4825->4827 4826->4825 4828 f366ad 4827->4828 4828->4740 4829 f402fe ctype 2 API calls 4828->4829 4830 f366c1 4829->4830 4831 f366d9 4830->4831 4948 f3d35d 4830->4948 4833 f36bd5 3 API calls 4831->4833 4834 f366e5 4833->4834 4834->4740 4835 f402fe ctype 2 API calls 4834->4835 4836 f366f9 4835->4836 4837 f36718 4836->4837 4838 f3ae9f 5 API calls 4836->4838 4839 f36bd5 3 API calls 4837->4839 4838->4837 4840 f3672a 4839->4840 4840->4740 4841 f402fe ctype 2 API calls 4840->4841 4842 f3673e 4841->4842 4843 f3675d 4842->4843 4936 f3ae9f 4842->4936 4845 f36bd5 3 API calls 4843->4845 4846 f3676f 4845->4846 4846->4740 4847 f402fe ctype 2 API calls 4846->4847 4848 f36783 4847->4848 4849 f367a7 4848->4849 4850 f3a74b 5 API calls 4848->4850 4851 f36bd5 3 API calls 4849->4851 4850->4849 4853 f367b9 4851->4853 4852 f367c5 RegisterWindowMessageW 4852->4853 4854 f367ec GetLastError 4852->4854 4853->4740 4853->4852 4855 f367e8 4853->4855 4854->4855 4855->4740 4856 f36801 WcsGetCalibrationManagementState 4855->4856 4857 f36812 GetLastError 4856->4857 
4858 f3683b WcsSetCalibrationManagementState 4856->4858 4859 f3681e 4857->4859 4858->4745 4860 f36847 GetLastError 4858->4860 4951 f3e9dc 4859->4951 4862 f36853 4860->4862 4864 f3e9dc 13 API calls 4862->4864 4863 f36830 4863->4740 4863->4858 4864->4740 4866 f33ea0 4865->4866 4867 f33ed9 4865->4867 4866->4867 4868 f33ea7 GetCurrentThreadId EnterCriticalSection LeaveCriticalSection 4866->4868 4975 f35d67 RaiseException 4867->4975 4868->4719 4870 f33ee3 4870->4719 4872 f33e83 4871->4872 4873 f33e76 free 4871->4873 4872->4714 4873->4872 4875 f35ee0 LeaveCriticalSection 4874->4875 4876 f35eb8 4874->4876 4976 f35d22 4875->4976 4878 f35ece 4876->4878 4879 f35ebe DestroyWindow 4876->4879 4878->4875 4985 f35d41 4878->4985 4879->4878 4884 f35ed9 4884->4875 4885 f35f0b 4979 f35e10 4885->4979 4888 f402fe ctype 2 API calls 4887->4888 4891 f3fe90 4888->4891 4889 f3fe92 LoadStringW 4890 f3fed7 ctype 4889->4890 4889->4891 4890->4685 4891->4889 4891->4890 4892 f402fe ctype 2 API calls 4891->4892 4892->4891 4894 f4007d GetLastError 4893->4894 4895 f4005f 4893->4895 4897 f33c64 4894->4897 4994 f3fdd6 4895->4994 4897->4689 4900 f3e8e3 4897->4900 4898 f4006a 4898->4897 4899 f40072 LocalFree 4898->4899 4899->4897 4901 f3e902 EventWrite 4900->4901 4903 f3fe77 3 API calls 4901->4903 4904 f3e968 4903->4904 4905 f3e979 ctype 4904->4905 4906 f3e96c MessageBoxW 4904->4906 4998 f40680 4905->4998 4906->4905 4908 f3e98e 4908->4689 4910 f3fe77 3 API calls 4909->4910 4911 f3e9be 4910->4911 4912 f3e8e3 9 API calls 4911->4912 4913 f3e9cc ctype 4911->4913 4912->4913 4913->4708 4915 f40313 malloc 4914->4915 4916 f40306 _callnewh 4915->4916 4917 f33cce 4915->4917 4916->4915 4916->4917 4917->4705 4917->4709 4919 f37b04 4918->4919 4919->4919 5004 f3a030 4919->5004 4923 f36129 4922->4923 5022 f36d13 4923->5022 4927 f3fe77 3 API calls 4926->4927 4928 f3a7f5 CreateSolidBrush 4927->4928 4928->4746 4931 f36290 4930->4931 4932 f36bef 4930->4932 4931->4740 4931->4751 4932->4931 4933 f36bff 4932->4933 4969 
f36cb7 CreatePropertySheetPageW 4933->4969 4937 f3a74b 5 API calls 4936->4937 4938 f3aeba 4937->4938 4938->4843 4940 f3a74b 5 API calls 4939->4940 4941 f3bbf3 4940->4941 4941->4759 4943 f37276 5 API calls 4942->4943 4944 f3c13b CreateSolidBrush 4943->4944 4944->4765 4946 f3a74b 5 API calls 4945->4946 4947 f3728f 4946->4947 4947->4783 4949 f37276 5 API calls 4948->4949 4950 f3d384 CreateSolidBrush 4949->4950 4950->4831 4952 f3ea04 4951->4952 4965 f3ea42 ctype 4951->4965 4953 f3fe77 3 API calls 4952->4953 4954 f3ea1f 4953->4954 4955 f3ea47 FormatMessageW 4954->4955 4956 f3ea39 4954->4956 4954->4965 4958 f3ea6a 4955->4958 4957 f3e8e3 9 API calls 4956->4957 4957->4965 4959 f3fe77 3 API calls 4958->4959 4960 f3eaa0 4959->4960 4961 f3eaa4 FormatMessageW 4960->4961 4962 f3eae8 4960->4962 4963 f3ead7 4961->4963 4964 f3eacc 4961->4964 4962->4965 4966 f3eaef LocalFree 4962->4966 4963->4962 4968 f3eade LocalFree 4963->4968 4967 f3e8e3 9 API calls 4964->4967 4965->4863 4966->4965 4967->4963 4968->4962 4970 f36cd0 4969->4970 4971 f36c08 4969->4971 4972 f36cd9 SendMessageW 4970->4972 4973 f36cec 4970->4973 4971->4931 4972->4973 4973->4971 4974 f36cfe DestroyPropertySheetPage 4973->4974 4974->4971 4975->4870 4977 f35d39 4976->4977 4978 f35d2d LeaveCriticalSection 4976->4978 4977->4885 4988 f34247 4977->4988 4978->4977 4980 f35d7b 4979->4980 4980->4979 4981 f33ded 4980->4981 4984 f35da2 4980->4984 4993 f35d67 RaiseException 4980->4993 4981->4670 4982 f35ded DeleteCriticalSection 4982->4981 4984->4982 4986 f35d57 4985->4986 4987 f35d4b free 4985->4987 4986->4884 4987->4986 4989 f34251 free 4988->4989 4990 f3425d 4988->4990 4989->4990 4991 f34263 free 4990->4991 4992 f34271 4990->4992 4991->4992 4992->4885 4993->4980 4995 f3fdea 4994->4995 4997 f3fe18 ctype 4994->4997 4995->4995 4996 f402fe ctype 2 API calls 4995->4996 4996->4997 4997->4898 4999 f40688 4998->4999 5000 f4068b 4998->5000 4999->4908 5003 f407fd SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess 
TerminateProcess 5000->5003 5002 f40939 5002->4908 5003->5002 5005 f3a046 5004->5005 5006 f3a05a 5004->5006 5005->5006 5007 f3a04e DestroyPhysicalMonitors 5005->5007 5008 f3a072 5006->5008 5009 f3a069 DeleteDC 5006->5009 5007->5006 5010 f3a147 DccwReleaseDisplayProfileAssociationList DccwReleaseDisplayProfileAssociationList 5008->5010 5011 f3a15f 5008->5011 5009->5008 5010->5011 5012 f3fdd6 ctype 2 API calls 5011->5012 5013 f3a179 5012->5013 5014 f3fdd6 ctype 2 API calls 5013->5014 5015 f3a185 5014->5015 5016 f3fdd6 ctype 2 API calls 5015->5016 5017 f3a191 5016->5017 5018 f3fdd6 ctype 2 API calls 5017->5018 5019 f3a19d 5018->5019 5020 f3fdd6 ctype 2 API calls 5019->5020 5021 f37b14 5020->5021 5021->4709 5023 f36d3b 5022->5023 5025 f36d20 5022->5025 5026 f35d41 ctype free 5023->5026 5024 f36d54 5042 f35d67 RaiseException 5024->5042 5025->5024 5028 f36d29 DestroyPropertySheetPage 5025->5028 5029 f36d43 5026->5029 5028->5023 5028->5025 5031 f3615b 5029->5031 5033 f3f9a5 5029->5033 5030 f36d5e 5031->4708 5034 f3f9ef 5033->5034 5035 f3f9b2 5033->5035 5034->5031 5036 f3f9df GetProcessHeap HeapFree 5035->5036 5037 f3f9c5 5035->5037 5038 f3f9be 5035->5038 5036->5034 5048 f3fc10 5037->5048 5043 f3f7c1 5038->5043 5041 f3f9c3 5041->5036 5042->5030 5044 f3f7e7 5043->5044 5045 f3f7c5 5043->5045 5044->5041 5046 f3f7e0 InterlockedPushEntrySList 5045->5046 5047 f3f7d0 GetProcessHeap HeapFree 5045->5047 5046->5044 5047->5041 5049 f3fc1f DecodePointer 5048->5049 5050 f3fc2d LoadLibraryExA 5048->5050 5049->5041 5051 f3fcb7 5050->5051 5052 f3fc46 5050->5052 5051->5041 5062 f3f857 GetProcAddress 5052->5062 5055 f3f857 ctype 2 API calls 5056 f3fc6c 5055->5056 5056->5051 5057 f3f857 ctype 2 API calls 5056->5057 5058 f3fc81 5057->5058 5058->5051 5059 f3f857 ctype 2 API calls 5058->5059 5060 f3fc96 5059->5060 5060->5051 5061 f3fc9a DecodePointer 5060->5061 5061->5051 5063 f3f868 5062->5063 5064 f3f86c EncodePointer 5062->5064 5063->5051 5063->5055 5064->5063 5259 f3f4d0 5261 f3f4e0 
5259->5261 5264 f3f51d 5259->5264 5260 f370f2 17 API calls 5260->5264 5263 f3f514 5261->5263 5265 f3f583 5261->5265 5263->5260 5263->5264 5266 f3f5a1 5265->5266 5267 f3f5f0 5266->5267 5268 f3f5a9 GetParent PostMessageW 5266->5268 5271 f3e9dc 13 API calls 5267->5271 5273 f3f489 5268->5273 5272 f3f5ea 5271->5272 5272->5263 5274 f3f492 GetWindowLongW 5273->5274 5275 f3f4a4 GetParent 5274->5275 5276 f3f4ad GetWindow 5274->5276 5277 f3f4b6 5275->5277 5276->5277 5277->5274 5278 f3f4bc ShowWindow 5277->5278 5278->5272 5279 f3e2d0 5282 f3e7a1 RegOpenKeyExW 5279->5282 5283 f3e81e 5282->5283 5284 f3e7d6 RegQueryValueExW 5282->5284 5286 f3e826 RegCloseKey 5283->5286 5287 f3e2e6 5283->5287 5284->5283 5285 f3e7f2 5284->5285 5285->5283 5288 f3e802 RegQueryValueExW 5285->5288 5286->5287 5288->5283 5289 f376d0 MoveWindow 6015 f3add0 6016 f37057 3 API calls 6015->6016 6018 f3addb 6016->6018 6017 f3ae3d 6018->6017 6019 f3ae08 6018->6019 6020 f3f8cd 22 API calls 6018->6020 6021 f3f934 7 API calls 6019->6021 6022 f3ae17 6019->6022 6020->6019 6021->6022 6023 f3f884 5 API calls 6022->6023 6024 f3ae1f SetWindowLongW 6023->6024 6024->6017 5290 f3c2c0 5291 f3c2e1 SendMessageW SendMessageW 5290->5291 5293 f3c34c 5291->5293 5294 f3c354 5293->5294 5295 f3c37a 5293->5295 5301 f3c832 5294->5301 5297 f3e9dc 13 API calls 5295->5297 5298 f3c376 5297->5298 5299 f3c361 SetTimer 5304 f3ab40 GetParent PostMessageW GetParent SendMessageW 5299->5304 5302 f3c840 SendMessageW 5301->5302 5302->5299 5304->5298 5305 f3ccc0 5308 f3cf80 GetVCPFeatureAndVCPFeatureReply 5305->5308 5309 f3ccd2 5308->5309 5310 f3cf9d GetLastError 5308->5310 5310->5309 5311 f38ac0 5340 f39d26 5311->5340 5314 f38b07 WcsCreateIccProfile 5316 f38b28 5314->5316 5317 f38b1c GetLastError 5314->5317 5315 f38b3c 5318 f38b6a 5315->5318 5319 f38b4a GetColorProfileFromHandle 5315->5319 5316->5315 5366 f3a1b6 5316->5366 5317->5316 5320 f38cc5 5318->5320 5321 f38cbb CloseColorProfile 5318->5321 5323 f38b66 5319->5323 5324 f38b5b GetLastError 
5319->5324 5325 f38ccd CloseColorProfile 5320->5325 5327 f38cd4 ctype 5320->5327 5321->5320 5323->5318 5326 f38ba5 GetColorProfileFromHandle 5323->5326 5324->5323 5325->5327 5328 f38bd3 CreateFileW 5326->5328 5329 f38bb6 GetLastError 5326->5329 5331 f38c19 WriteFile 5328->5331 5332 f38bfc GetLastError 5328->5332 5330 f38bc2 5329->5330 5330->5318 5330->5328 5333 f38c41 GetLastError 5331->5333 5334 f38c30 5331->5334 5335 f38c08 5332->5335 5333->5334 5336 f38c5a CloseHandle InstallColorProfileW 5334->5336 5337 f38ca8 5334->5337 5335->5318 5335->5331 5336->5318 5339 f38c77 GetLastError 5336->5339 5337->5318 5338 f38cad CloseHandle 5337->5338 5338->5318 5339->5318 5341 f3fe77 3 API calls 5340->5341 5342 f39d6d 5341->5342 5343 f39d8c 5342->5343 5344 f3fe77 3 API calls 5342->5344 5345 f39dab 5343->5345 5347 f3fe77 3 API calls 5343->5347 5344->5343 5346 f39dd1 5345->5346 5348 f3fe77 3 API calls 5345->5348 5349 f39de6 GetSystemTime 5346->5349 5353 f39fe2 ctype 5346->5353 5347->5345 5348->5346 5387 f3ff30 5349->5387 5351 f39e1c 5352 f4002c 5 API calls 5351->5352 5351->5353 5359 f39e44 5352->5359 5354 f40680 4 API calls 5353->5354 5356 f38afb 5354->5356 5355 f3fcc2 2 API calls 5357 f39f6a 5355->5357 5356->5314 5356->5315 5357->5353 5358 f39f95 WcsOpenColorProfileW 5357->5358 5358->5353 5360 f39fd6 GetLastError 5358->5360 5359->5353 5361 f39eb4 _CIpow _CIpow _CIpow 5359->5361 5364 f39f4b ctype 5359->5364 5360->5353 5362 f3ff30 3 API calls 5361->5362 5363 f39f37 5362->5363 5363->5364 5390 f3fcc2 5363->5390 5364->5353 5364->5355 5367 f3fe77 3 API calls 5366->5367 5368 f3a1ea 5367->5368 5369 f3a208 5368->5369 5370 f3fe77 3 API calls 5368->5370 5371 f3a226 5369->5371 5372 f3fe77 3 API calls 5369->5372 5370->5369 5373 f3a240 WideCharToMultiByte 5371->5373 5377 f3a2bf 5371->5377 5372->5371 5374 f3a262 GetLastError 5373->5374 5375 f3a26e 5373->5375 5374->5375 5376 f3a296 WideCharToMultiByte 5375->5376 5375->5377 5380 f3a28a ctype 5375->5380 5376->5377 5378 f3a2b3 GetLastError 
5376->5378 5379 f3a333 memset memcpy 5377->5379 5377->5380 5378->5377 5386 f3a371 5379->5386 5380->5315 5381 f3a436 SetColorProfileElementSize 5382 f3a464 SetColorProfileElement 5381->5382 5383 f3a44b GetLastError 5381->5383 5382->5380 5385 f3a484 GetLastError 5382->5385 5384 f3a457 5383->5384 5384->5380 5384->5382 5385->5380 5386->5381 5386->5386 5394 f3ff75 5387->5394 5389 f3ff43 ctype 5389->5351 5391 f3fce6 5390->5391 5393 f3fd30 ctype 5390->5393 5392 f402fe ctype 2 API calls 5391->5392 5391->5393 5392->5393 5393->5364 5395 f402fe ctype 2 API calls 5394->5395 5397 f3ff8c 5395->5397 5396 f3ffab _vsnwprintf 5396->5397 5397->5396 5398 f402fe ctype 2 API calls 5397->5398 5399 f4000c 5397->5399 5398->5397 5399->5389 5400 f370c0 5401 f370f2 17 API calls 5400->5401 5402 f370e3 5401->5402 6034 f3f1c0 GdipDisposeImage 6035 f3f1e4 6034->6035 6036 f3f1dd GdipFree 6034->6036 6036->6035 6025 f3cbc0 SetDeviceGammaRamp 6026 f3cbd8 GetLastError 6025->6026 6027 f3cbe4 6025->6027 6026->6027 5406 f3cab0 GetMonitorContrast 5407 f3cad2 GetLastError 5406->5407 5408 f3cade 5406->5408 5407->5408 6037 f3b9b0 6038 f3b9c4 6037->6038 6047 f3b9fe 6037->6047 6039 f3b9d0 6038->6039 6040 f3ba0c 6038->6040 6048 f3bad1 6039->6048 6042 f3ba15 GetWindowLongW 6040->6042 6043 f3b9dd 6040->6043 6045 f3ba42 GetStockObject 6042->6045 6046 f3ba2d SetTextColor SetBkMode 6042->6046 6044 f370f2 17 API calls 6043->6044 6043->6047 6044->6047 6045->6043 6046->6045 6049 f3a94c 3 API calls 6048->6049 6053 f3baea 6049->6053 6050 f3bb81 6050->6043 6051 f3bafe GetDlgItem 6051->6053 6052 f3ec08 21 API calls 6052->6053 6053->6050 6053->6051 6053->6052 6054 f3bb4f SendMessageW 6053->6054 6055 f3edc2 28 API calls 6053->6055 6054->6053 6056 f3bb67 DeleteObject 6054->6056 6055->6053 6056->6053 6057 f35fb0 6058 f35fc7 6057->6058 6059 f35fe9 6057->6059 6060 f35fdd 6058->6060 6063 f368be 6058->6063 6060->6059 6071 f36c45 6060->6071 6066 f368e7 6063->6066 6068 f36968 6063->6068 6064 f40680 4 API calls 6065 f36a50 6064->6065 
6065->6060 6067 f36927 MonitorFromRect 6066->6067 6069 f369a9 6066->6069 6067->6068 6068->6064 6069->6068 6070 f369e6 MonitorFromRect 6069->6070 6070->6068 6072 f36c54 6071->6072 6076 f36c6b 6071->6076 6073 f36c5e 6072->6073 6074 f36c72 6072->6074 6078 f36d65 CallWindowProcW 6073->6078 6074->6076 6077 f36c93 SendMessageW 6074->6077 6076->6059 6077->6076 6079 f36dc6 6078->6079 6080 f36d91 6078->6080 6079->6076 6080->6079 6081 f36da7 SendMessageW 6080->6081 6081->6079 6082 f36dbd DestroyWindow 6081->6082 6082->6079 6083 f3f3b0 GetDC 6084 f3f3f1 GetLastError 6083->6084 6085 f3f3d5 EnumDisplayMonitors ReleaseDC 6083->6085 6086 f3f3fb 6084->6086 6085->6086 6087 f3f436 GetParent PostMessageW 6086->6087 6088 f3f468 6086->6088 6089 f3f489 3 API calls 6087->6089 6091 f3e9dc 13 API calls 6088->6091 6090 f3f45c ShowWindow 6089->6090 6092 f3f479 6090->6092 6091->6092 4659 f403b0 __wgetmainargs 6093 f40fb0 6096 f3f68c 6093->6096 6097 f3f69d 6096->6097 6098 f3f698 6096->6098 6098->6097 6099 f3f6cc 6098->6099 6100 f3f700 6098->6100 6103 f3f6b7 UnregisterClassA 6098->6103 6101 f3f6d3 free 6099->6101 6102 f3f6e1 DeleteCriticalSection 6099->6102 6106 f35d67 RaiseException 6100->6106 6101->6102 6102->6097 6103->6098 6103->6099 6105 f3f70a 6106->6105 6107 f407b2 6108 f407e6 realloc 6107->6108 6109 f407bc 6107->6109 6109->6108 6110 f407c8 _errno 6109->6110 6111 f407df 6110->6111 5416 f36ea1 5417 f36eb0 5416->5417 5418 f36f23 CallWindowProcW 5417->5418 5419 f36f3b GetWindowLongW CallWindowProcW 5417->5419 5422 f36f8a 5417->5422 5418->5422 5420 f36f6d GetWindowLongW 5419->5420 5419->5422 5421 f36f7c SetWindowLongW 5420->5421 5420->5422 5421->5422 5423 f38aa1 5424 f38aa9 5423->5424 5425 f38ab8 5423->5425 5426 f39d26 17 API calls 5425->5426 5427 f38afb 5426->5427 5428 f38b07 WcsCreateIccProfile 5427->5428 5439 f38b3c 5427->5439 5429 f38b28 5428->5429 5430 f38b1c GetLastError 5428->5430 5435 f3a1b6 13 API calls 5429->5435 5429->5439 5430->5429 5431 f38b6a 5433 f38cc5 5431->5433 5434 f38cbb 
CloseColorProfile 5431->5434 5432 f38b4a GetColorProfileFromHandle 5436 f38b66 5432->5436 5437 f38b5b GetLastError 5432->5437 5438 f38ccd CloseColorProfile 5433->5438 5441 f38cd4 ctype 5433->5441 5434->5433 5435->5439 5436->5431 5440 f38ba5 GetColorProfileFromHandle 5436->5440 5437->5436 5438->5441 5439->5431 5439->5432 5442 f38bd3 CreateFileW 5440->5442 5443 f38bb6 GetLastError 5440->5443 5445 f38c19 WriteFile 5442->5445 5446 f38bfc GetLastError 5442->5446 5444 f38bc2 5443->5444 5444->5431 5444->5442 5447 f38c41 GetLastError 5445->5447 5448 f38c30 5445->5448 5449 f38c08 5446->5449 5447->5448 5450 f38c5a CloseHandle InstallColorProfileW 5448->5450 5451 f38ca8 5448->5451 5449->5431 5449->5445 5450->5431 5453 f38c77 GetLastError 5450->5453 5451->5431 5452 f38cad CloseHandle 5451->5452 5452->5431 5453->5431 6121 f3b3a0 6122 f3b3d1 6121->6122 6123 f3b3e5 6122->6123 6124 f3b3d9 6122->6124 6125 f3fe77 3 API calls 6123->6125 6132 f3c1c0 6124->6132 6131 f3b40a 6125->6131 6127 f3b3e0 ctype 6128 f40680 4 API calls 6127->6128 6129 f3b59f 6128->6129 6130 f3b48d EventWrite 6130->6127 6131->6127 6131->6130 6133 f3fe77 3 API calls 6132->6133 6137 f3c1f9 6133->6137 6134 f3c298 ctype 6135 f40680 4 API calls 6134->6135 6136 f3c2ab 6135->6136 6136->6127 6137->6134 6138 f3c24b EventWrite 6137->6138 6138->6134 6115 f3dfa0 GetDC GetWindowTextLengthW 6116 f3dfe2 6115->6116 6117 f3e035 ReleaseDC 6116->6117 6118 f3dfe9 GetWindowTextW GetTextExtentPoint32W MoveWindow 6116->6118 6119 f3e034 6118->6119 6119->6117 5460 f3b2a0 5461 f3b2b6 5460->5461 5470 f3b319 5460->5470 5462 f3b2d4 5461->5462 5463 f3b2bf 5461->5463 5464 f3b2da 5462->5464 5469 f3b321 5462->5469 5472 f3b66d 5463->5472 5478 f3b6c3 5464->5478 5467 f3b2cd 5467->5470 5491 f3b130 5467->5491 5469->5467 5513 f3b87e 5469->5513 5519 f3c3fe 5472->5519 5475 f3b680 GetDlgItem 5476 f3b698 5475->5476 5477 f3b69d SendMessageW 5475->5477 5476->5467 5477->5476 5479 f3b867 5478->5479 5480 f3b6e4 5478->5480 5482 f40680 4 API calls 5479->5482 
5480->5479 5481 f3b6ee GetWindowRect 5480->5481 5481->5479 5483 f3b703 GetWindowRect 5481->5483 5484 f3b874 5482->5484 5483->5479 5485 f3b71b GetWindowRect 5483->5485 5484->5467 5485->5479 5486 f3b733 MoveWindow _ftol2_sse 5485->5486 5487 f3b7ba MoveWindow MoveWindow 5486->5487 5488 f3b7b8 5486->5488 5489 f3b80e MoveWindow MoveWindow InvalidateRect 5487->5489 5490 f3b80c 5487->5490 5488->5487 5489->5479 5490->5489 5492 f3b148 5491->5492 5512 f3b188 5491->5512 5493 f3b193 5492->5493 5494 f3b154 5492->5494 5496 f3b1bb 5493->5496 5497 f3b19a 5493->5497 5495 f3c3fe 33 API calls 5494->5495 5509 f3b161 5495->5509 5498 f3b200 5496->5498 5502 f3b1c2 5496->5502 5546 f3c48f 5497->5546 5500 f3b205 5498->5500 5501 f3b229 5498->5501 5554 f3c605 5500->5554 5504 f3b251 5501->5504 5505 f3b22e 5501->5505 5502->5509 5511 f3c832 SendMessageW 5502->5511 5506 f3b25c 5504->5506 5504->5509 5565 f3c710 5505->5565 5510 f3aaed 3 API calls 5506->5510 5509->5512 5537 f371e0 5509->5537 5510->5512 5511->5509 5512->5470 5514 f3b89a 5513->5514 5589 f3eba9 _ftol2 5514->5589 5516 f3b8a8 5517 f3c832 SendMessageW 5516->5517 5518 f3b8c4 5517->5518 5518->5467 5528 f37443 5519->5528 5522 f3c421 GetDlgItem 5523 f3c465 5522->5523 5524 f3c439 GetDlgItem 5522->5524 5525 f40680 4 API calls 5523->5525 5524->5523 5526 f3c451 GetWindowRect 5524->5526 5527 f3b67a 5525->5527 5526->5523 5527->5475 5527->5476 5529 f3a94c 3 API calls 5528->5529 5530 f37451 5529->5530 5531 f37457 GetDlgItem 5530->5531 5532 f374c2 5530->5532 5531->5532 5533 f3746f 5531->5533 5532->5522 5532->5523 5534 f3ec08 21 API calls 5533->5534 5535 f37490 5534->5535 5535->5532 5536 f374aa GetDlgItem 5535->5536 5536->5532 5538 f371f4 5537->5538 5541 f3722e 5537->5541 5539 f37200 5538->5539 5540 f3723c 5538->5540 5542 f37443 26 API calls 5539->5542 5543 f3720d 5540->5543 5571 f374d3 5540->5571 5541->5512 5542->5543 5543->5541 5544 f370f2 17 API calls 5543->5544 5544->5541 5547 f3c5d6 5546->5547 5549 f3c4bd 5546->5549 5547->5509 5548 f3c4d0 
5548->5547 5550 f3e9dc 13 API calls 5548->5550 5549->5547 5549->5548 5551 f3c57f SendMessageW 5549->5551 5552 f3c55f 5549->5552 5550->5547 5551->5548 5552->5548 5553 f3c564 SendMessageW 5552->5553 5553->5548 5555 f3c626 5554->5555 5556 f3c6f9 5554->5556 5555->5556 5558 f374d3 40 API calls 5555->5558 5557 f40680 4 API calls 5556->5557 5559 f3c706 5557->5559 5560 f3c63c GetWindowRect 5558->5560 5559->5509 5560->5556 5561 f3c651 GetWindowRect 5560->5561 5561->5556 5562 f3c669 GetWindowRect 5561->5562 5562->5556 5564 f3c67d MoveWindow MoveWindow 5562->5564 5564->5556 5566 f3c825 5565->5566 5567 f3c72d GdipCreateFromHDC GdipCreateSolidFill GdipFillRectangleI 5565->5567 5566->5509 5588 f3c8b1 GdipCreateLineBrushI 5567->5588 5570 f3c7e2 GdipFillRectangleI GdipDeleteBrush GdipDeleteBrush GdipDeleteGraphics 5570->5566 5572 f374f4 5571->5572 5573 f376b9 5571->5573 5572->5573 5574 f374fe GetWindowRect 5572->5574 5575 f40680 4 API calls 5573->5575 5576 f37513 GetWindowRect 5574->5576 5577 f376ac InvalidateRect 5574->5577 5578 f376c6 5575->5578 5576->5577 5579 f3752b GetWindowRect 5576->5579 5577->5573 5578->5543 5579->5577 5580 f37543 MapWindowPoints MapWindowPoints MapWindowPoints 5579->5580 5581 f375d1 5580->5581 5582 f3760b _ftol2_sse _ftol2_sse 5581->5582 5583 f375f8 _ftol2_sse 5581->5583 5584 f37638 MoveWindow 5582->5584 5583->5584 5585 f3edc2 28 API calls 5584->5585 5586 f3767f InvalidateRect 5585->5586 5587 f376a7 5586->5587 5587->5577 5588->5570 5589->5516 6120 f3c3a0 KillTimer 5590 f406a0 _except_handler4_common 6139 f3ad90 6140 f3adb8 6139->6140 6141 f3ad9e 6139->6141 6141->6140 6142 f33e92 4 API calls 6141->6142 6142->6140 6143 f3bf90 6144 f3bfa6 6143->6144 6145 f3c001 6143->6145 6146 f3c009 6144->6146 6147 f3bfaf 6144->6147 6153 f3bfdb 6146->6153 6154 f3c047 6146->6154 6148 f37443 26 API calls 6147->6148 6151 f3bfbd 6148->6151 6149 f371e0 76 API calls 6149->6145 6152 f3bfc3 GetDlgItem 6151->6152 6151->6153 6152->6153 6153->6145 6153->6149 6155 f3c105 6154->6155 
6157 f3c068 6154->6157 6156 f40680 4 API calls 6155->6156 6158 f3c112 6156->6158 6157->6155 6159 f374d3 40 API calls 6157->6159 6158->6153 6160 f3c07e GetWindowRect 6159->6160 6160->6155 6161 f3c08f GetWindowRect 6160->6161 6161->6155 6162 f3c0a3 GetWindowRect 6161->6162 6162->6155 6163 f3c0b7 MoveWindow 6162->6163 6163->6155 5597 f3c880 GdipDeleteBrush 5598 f3c8a4 5597->5598 5599 f3c89d GdipFree 5597->5599 5599->5598 6183 f3cb80 GetDeviceGammaRamp 6184 f3cb98 GetLastError 6183->6184 6185 f3cba4 6183->6185 6184->6185 5600 f3ac80 GetWindowRect 5601 f3acd3 5600->5601 5602 f3acbe MapWindowPoints 5600->5602 5603 f40680 4 API calls 5601->5603 5602->5601 5604 f3ad13 5603->5604 6316 f38f80 6317 f38f92 6316->6317 6317->6317 6318 f38fd6 6317->6318 6319 f38fbe 6317->6319 6320 f38fad DccwSetDisplayProfileAssociationList 6317->6320 6319->6318 6321 f38fc8 DccwSetDisplayProfileAssociationList 6319->6321 6320->6318 6320->6319 6321->6318 5605 f38a80 5608 f39b02 WcsSetCalibrationManagementState 5605->5608 5609 f39b22 GetLastError 5608->5609 5611 f39b2e 5608->5611 5609->5611 5610 f39b7a 5612 f39b90 WcsGetUsePerUserProfiles 5610->5612 5613 f38a8d 5610->5613 5611->5610 5615 f39b59 WcsSetDefaultColorProfile 5611->5615 5614 f39ba6 GetLastError 5612->5614 5619 f39bb2 5612->5619 5614->5619 5615->5610 5617 f39b6e GetLastError 5615->5617 5616 f39c12 WcsSetCalibrationManagementState 5616->5613 5618 f39c1f GetLastError 5616->5618 5617->5610 5618->5613 5619->5613 5619->5616 5619->5619 5620 f39be3 WcsSetDefaultColorProfile 5619->5620 5620->5616 5621 f39bf9 GetLastError 5620->5621 5622 f39c05 5621->5622 5622->5613 5622->5616 6179 f3cd80 6180 f3cd96 6179->6180 6181 f3cd8f 6179->6181 6182 f3cfbf 2 API calls 6180->6182 6182->6181 6325 f3d780 6326 f3d7af 6325->6326 6344 f3e04f SendMessageW 6326->6344 6328 f3d7cb SendMessageW 6329 f3d804 6328->6329 6343 f3d95f 6329->6343 6345 f3e07c SendMessageW 6329->6345 6331 f3d821 6346 f3e04f SendMessageW 6331->6346 6333 f3d85e SendMessageW 6334 f3d89a 6333->6334 
6334->6343 6347 f3e07c SendMessageW 6334->6347 6336 f3d8b7 6348 f3e04f SendMessageW 6336->6348 6338 f3d8f4 SendMessageW 6339 f3d930 6338->6339 6339->6343 6349 f3e07c SendMessageW 6339->6349 6341 f3d949 SetTimer 6350 f3ab40 GetParent PostMessageW GetParent SendMessageW 6341->6350 6344->6328 6345->6331 6346->6333 6347->6336 6348->6338 6349->6341 6350->6343 6197 f37b80 MonitorFromWindow 6198 f37b9e 6197->6198 6199 f37ba6 6197->6199 6201 f391d3 LoadCursorW SetCursor ShowCursor 6198->6201 6202 f39222 6201->6202 6226 f39212 6201->6226 6206 f39257 GetNumberOfPhysicalMonitorsFromHMONITOR 6202->6206 6202->6226 6203 f394ab ShowCursor LoadCursorW SetCursor 6204 f40680 4 API calls 6203->6204 6205 f394d7 6204->6205 6205->6199 6207 f3927a 6206->6207 6206->6226 6208 f39290 DeleteDC 6207->6208 6209 f39299 EnumDisplayMonitors 6207->6209 6207->6226 6208->6209 6210 f392c7 GetDeviceCaps 6209->6210 6209->6226 6211 f392df 6210->6211 6210->6226 6233 f394e3 GetMonitorInfoW 6211->6233 6214 f392f0 GetPhysicalMonitorsFromHMONITOR 6215 f39303 6214->6215 6215->6226 6250 f3905d WcsGetUsePerUserProfiles 6215->6250 6220 f39382 6220->6203 6222 f393c0 DccwGetDisplayProfileAssociationList 6220->6222 6223 f393ad DccwCreateDisplayProfileAssociationList 6220->6223 6220->6226 6225 f393d6 6222->6225 6222->6226 6224 f393be 6223->6224 6223->6226 6224->6222 6227 f393f3 DccwGetDisplayProfileAssociationList 6225->6227 6228 f393e2 DccwCreateDisplayProfileAssociationList 6225->6228 6226->6203 6227->6226 6229 f3940a 6227->6229 6228->6226 6228->6227 6277 f3963a GetColorDirectoryW 6229->6277 6231 f39411 6231->6226 6231->6231 6232 f3947b EventWrite 6231->6232 6232->6226 6234 f39523 GetLastError 6233->6234 6235 f39540 EnumDisplayDevicesW 6233->6235 6236 f3952f 6234->6236 6237 f39561 GetLastError 6235->6237 6238 f3957e StringFromCLSID 6235->6238 6236->6235 6241 f39609 6236->6241 6239 f3956d 6237->6239 6240 f39596 _wcsupr wcsstr 6238->6240 6238->6241 6239->6238 6239->6241 6240->6241 6242 f395bf 6240->6242 6243 f39623 
6241->6243 6244 f39617 CoTaskMemFree 6241->6244 6245 f3fdd6 ctype 2 API calls 6242->6245 6246 f40680 4 API calls 6243->6246 6244->6243 6247 f395c8 6245->6247 6248 f392e6 6246->6248 6247->6241 6249 f395e6 swscanf_s 6247->6249 6248->6214 6248->6226 6249->6241 6251 f390b0 6250->6251 6252 f390a4 GetLastError 6250->6252 6253 f390cc WcsGetDefaultColorProfile 6251->6253 6254 f39198 6251->6254 6252->6251 6255 f390f1 GetLastError 6253->6255 6256 f390fd 6253->6256 6257 f391b5 CloseColorProfile 6254->6257 6258 f391bc 6254->6258 6255->6256 6256->6254 6259 f3910e WcsOpenColorProfileW 6256->6259 6257->6258 6260 f40680 4 API calls 6258->6260 6261 f39160 DccwGetGamutSize 6259->6261 6262 f39147 GetLastError 6259->6262 6263 f391cb 6260->6263 6261->6254 6265 f39174 6261->6265 6264 f39153 6262->6264 6263->6203 6267 f3a6a6 memset 6263->6267 6264->6254 6264->6261 6265->6254 6266 f3eb17 2 API calls 6265->6266 6266->6254 6268 f3a6d8 6267->6268 6274 f3a71b 6267->6274 6290 f3a4cc 6268->6290 6270 f40680 4 API calls 6272 f3936b 6270->6272 6272->6220 6275 f3eb17 memset TaskDialogIndirect 6272->6275 6273 f3a6eb DisplayConfigGetDeviceInfo 6273->6274 6274->6270 6276 f3eb83 6275->6276 6276->6220 6278 f39680 6277->6278 6279 f39676 GetLastError 6277->6279 6280 f3ff30 3 API calls 6278->6280 6281 f3970d 6278->6281 6279->6278 6282 f396a7 6280->6282 6283 f40680 4 API calls 6281->6283 6282->6281 6285 f3ff30 3 API calls 6282->6285 6284 f3971c 6283->6284 6284->6231 6286 f396ce 6285->6286 6286->6281 6287 f3ff30 3 API calls 6286->6287 6288 f396ec 6287->6288 6288->6281 6289 f3ff30 3 API calls 6288->6289 6289->6281 6305 f401e0 6290->6305 6293 f3a512 GetDisplayConfigBufferSizes 6296 f3a530 6293->6296 6298 f3a551 6293->6298 6294 f40680 4 API calls 6295 f3a69e 6294->6295 6295->6273 6295->6274 6297 f3a588 QueryDisplayConfig 6296->6297 6296->6298 6299 f3a5a5 GetLastError 6297->6299 6302 f3a5c3 6297->6302 6298->6294 6299->6298 6300 f3a5d8 DisplayConfigGetDeviceInfo 6301 f3a605 EnumDisplayDevicesW 6300->6301 

    Control-flow Graph
    APIs
    • CreateMutexW.KERNELBASE(00000000,00000001,Local\DCCW Startup Mutex,00000000,00000000,00000000,?,?,?,?,?,00F33D49,00000000), ref: 00F36185
    • GetLastError.KERNEL32(?,?,?,?,?,00F33D49,00000000), ref: 00F36194
    • WaitForSingleObject.KERNEL32(00002710,?,?,?,?,?,00F33D49,00000000), ref: 00F361AC
    • RegisterWindowMessageW.USER32(Microsoft.Windows.ICM.DCCW.Activate,?,?,?,?,?,00F33D49,00000000), ref: 00F361B7
    • FindWindowW.USER32(NativeHWNDHost,00F428C8), ref: 00F361E8
    • GetWindowThreadProcessId.USER32(00000000,00F33D49), ref: 00F361FC
    • AllowSetForegroundWindow.USER32(00F33D49), ref: 00F36205
    • SendMessageTimeoutW.USER32(00000000,00000000,00000000,00000002,00002710,?), ref: 00F36221
    • RegisterWindowMessageW.USER32(00F323E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F367CB
    • GetLastError.KERNEL32 ref: 00F367EC
    • WcsGetCalibrationManagementState.MSCMS(?), ref: 00F36808
    • GetLastError.KERNEL32 ref: 00F36812
    • WcsSetCalibrationManagementState.MSCMS(00000000), ref: 00F3683D
    • GetLastError.KERNEL32 ref: 00F36847
    • ReleaseMutex.KERNEL32(000001D0), ref: 00F3687A
    • CloseHandle.KERNEL32 ref: 00F36886
      • Part of subcall function 00F402FE: malloc.MSVCRT ref: 00F40316
      • Part of subcall function 00F3C11C: CreateSolidBrush.GDI32(00787878), ref: 00F3C179
      • Part of subcall function 00F402FE: _callnewh.MSVCRT ref: 00F40309
      • Part of subcall function 00F3A74B: memset.MSVCRT ref: 00F3A772
      • Part of subcall function 00F3A74B: CreateSolidBrush.GDI32(00AAAAAA), ref: 00F3A80B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Window$ErrorLast$CreateMessage$BrushCalibrationManagementMutexRegisterSolidState$AllowCloseFindForegroundHandleObjectProcessReleaseSendSingleThreadTimeoutWait_callnewhmallocmemset
    • String ID: Local\DCCW Startup Mutex$Microsoft.Windows.ICM.DCCW.Activate$NativeHWNDHost$dccw$strg
    • API String ID: 2331678428-2660824010
    • Opcode ID: b4aff9a1daf8bbe3fd7ddd227c084a9eeaf26111a8c47d8a33bb96237656d8d7
    • Instruction ID: d010e033e792c7b99d4bbf7cf732a7a81564d704089ded3b7961e417a675e71c
    • Opcode Fuzzy Hash: b4aff9a1daf8bbe3fd7ddd227c084a9eeaf26111a8c47d8a33bb96237656d8d7
    • Instruction Fuzzy Hash: 2402B532F81A3677EB291A648C56F3E79519B45B70F05822DBE02FB2C1DEA89D0077D1

    Control-flow Graph

    APIs
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00F33BD7
      • Part of subcall function 00F35F21: GetCurrentThreadId.KERNEL32 ref: 00F35F5D
    • EventRegister.ADVAPI32(00F31F40,00000000,00000000,00F42858), ref: 00F33BF3
    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00F33C14
    • GetSystemMetrics.USER32(00001000), ref: 00F33C92
    • memset.MSVCRT ref: 00F33CDC
      • Part of subcall function 00F4002C: FormatMessageW.KERNEL32(00000500,?,00000000,00000000,00000137,00000000,?,67727473,?,?,?,00F33C64,?,?,00000000), ref: 00F40052
      • Part of subcall function 00F4002C: LocalFree.KERNEL32(00000000,00000137,?,?,?,00F33C64,?,?,00000000), ref: 00F40075
    • memset.MSVCRT ref: 00F33D0B
    • GetActiveWindow.USER32 ref: 00F33D4F
    • PropertySheetW.COMCTL32(?,?,?), ref: 00F33D91
      • Part of subcall function 00F3E8E3: EventWrite.ADVAPI32(00F31F20,00000001,?,?,00F368A9,00000000), ref: 00F3E944
      • Part of subcall function 00F3E8E3: MessageBoxW.USER32(00000000,00000000,00F428C8,00000010), ref: 00F3E973
    • GdiplusShutdown.GDIPLUS(?), ref: 00F33DBF
    • EventUnregister.ADVAPI32(032F6098,0000002B), ref: 00F33DD9
    Strings
    Similarity
    • API ID: Event$GdiplusMessagememset$ActiveCurrentFormatFreeHeapInformationLocalMetricsPropertyRegisterSheetShutdownStartupSystemThreadUnregisterWindowWrite
    • String ID: strg
    • API String ID: 299502029-3320446829
    • Opcode ID: a1bcaa843d24192e9aae1137676faac8775d58c40fea459de62dddf2d98d6ae7
    • Instruction ID: da410cd8636b17af24cf20f5279239fbc04dbe3f8e355f52621416eb8bf68856
    • Opcode Fuzzy Hash: a1bcaa843d24192e9aae1137676faac8775d58c40fea459de62dddf2d98d6ae7
    • Instruction Fuzzy Hash: 1F51B175908359ABC361EF64CC4595FBBE8EF80774F004A2DFC8592291DB38DE04AB92

    Control-flow Graph
    APIs
    Similarity
    • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
    • String ID:
    • API String ID: 2849151604-0
    • Opcode ID: e8b8b8ec1c3b5c124040568d2292864fb7ff18458163e1bc3ad51ba96151a5d3
    • Instruction ID: f982244cc904207426be02da408c839175820f532e2dc4e3db88be65f958b754
    • Opcode Fuzzy Hash: e8b8b8ec1c3b5c124040568d2292864fb7ff18458163e1bc3ad51ba96151a5d3
    • Instruction Fuzzy Hash: 1E41DD7AE003198FEB69DB64AC047697AA0FB55770F68403AEF01972A0DF788840FB50

    Control-flow Graph
    APIs
    • RegOpenKeyExW.KERNELBASE(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator,00000000,00020019,00F33CC0,00000000,00000000,00000000,?,?,?,00F33CC0), ref: 00F3F094
    • RegQueryValueExW.ADVAPI32(00F33CC0,UseSimulator,00000000,?,?,?,?,?,?,00F33CC0), ref: 00F3F0B5
    • RegCloseKey.ADVAPI32(00F33CC0,?,?,?,00F33CC0), ref: 00F3F0D6
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator, xrefs: 00F3F081
    • UseSimulator, xrefs: 00F3F0AD
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator$UseSimulator
    • API String ID: 3677997916-1182467772
    • Opcode ID: e04fca8b800e765c13423050bc07997bb236ad8e1f9358e3777cd6edd4c206f0
    • Instruction ID: 569c90e7ff2ce2fae17e3ab2d83c279cac06002ad26223fa68bc97e662b5a392
    • Opcode Fuzzy Hash: e04fca8b800e765c13423050bc07997bb236ad8e1f9358e3777cd6edd4c206f0
    • Instruction Fuzzy Hash: FF118BB6D4021CFBDB21CB999C859DEBFB8EF44724F104277F900A6052D7B08A48EA90

    Control-flow Graph
    APIs
    Similarity
    • API ID: BrushCreateSolidmemset
    • String ID:
    • API String ID: 1302505579-0
    • Opcode ID: 899007536a891ddad25acab0a43f74a9acacf6667af4c28d903aaba2a227908f
    • Instruction ID: 8b949d7cbbbe1aff196696ac13ccb216a09dff1d9f508b6c0ea197dd504fd624
    • Opcode Fuzzy Hash: 899007536a891ddad25acab0a43f74a9acacf6667af4c28d903aaba2a227908f
    • Instruction Fuzzy Hash: DB31E0B0A01A06BFD345CF2AD985681FBE4FF19314F50822AE968C7A51D7B0B464EBD0

    Control-flow Graph
    APIs
    Similarity
    • API ID: _callnewhmalloc
    • String ID:
    • API String ID: 2285944120-0
    • Opcode ID: 827a41add3e7882cda66cdcc4134e2c9379e0503a851913f5d561a6cac6c916e
    • Instruction ID: d95c9fe137f9fae1cdde6fb2eb8d66c1453f1f10ea01907183e9bba6862477bd
    • Opcode Fuzzy Hash: 827a41add3e7882cda66cdcc4134e2c9379e0503a851913f5d561a6cac6c916e
    • Instruction Fuzzy Hash: 53D0A937A0122A338A212DA9EC00AAABF08CA417B03184031FF08AE166DE39CC00B2C0

    Control-flow Graph
    APIs
      • Part of subcall function 00F402FE: malloc.MSVCRT ref: 00F40316
    • LoadStringW.USER32(00F361E0,?,00000000,00000400), ref: 00F3FE9A
    Similarity
    • API ID: LoadStringmalloc
    • String ID:
    • API String ID: 905986743-0
    • Opcode ID: 89718e697548feed4913527672ad6b74b06d4ed4a38415b777a86be925f35740
    • Instruction ID: e7243fff710e2cfcdb4a8d9fa55fa7009255de98467fba87835db571d796a401
    • Opcode Fuzzy Hash: 89718e697548feed4913527672ad6b74b06d4ed4a38415b777a86be925f35740
    • Instruction Fuzzy Hash: B8012633B410547BDB242528AC0AE2F7E489B813B0F14813EFF0ACF5E2DD64C880B1A4

    Control-flow Graph
    APIs
    Similarity
    • API ID: __wgetmainargs
    • String ID:
    • API String ID: 1709950718-0
    • Opcode ID: a5ee632212a8dcf6fef7ade4e9261f2aa91f131dfd595a7831c21fc73fbe16cf
    • Instruction ID: b4be94632a8c2735e2a2ef528a3b2cb7796999d5cd715d81a648bc5e10c1143c
    • Opcode Fuzzy Hash: a5ee632212a8dcf6fef7ade4e9261f2aa91f131dfd595a7831c21fc73fbe16cf
    • Instruction Fuzzy Hash: E1D0E9B8A41208AB87C4AF64AD268263EB0AA667067CD0179FC015117AE6629750FF57

    Control-flow Graph
    APIs
    • GetObjectW.GDI32(?,00000018,?), ref: 00F3EE1B
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F3767F,?), ref: 00F3EE33
    • GetWindowRect.USER32(?,?), ref: 00F3EE55
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F3767F,?), ref: 00F3EE78
    • GetDC.USER32(?), ref: 00F3EE96
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F3767F,?), ref: 00F3EEA5
    • CreateCompatibleDC.GDI32(00000000), ref: 00F3EEC3
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F3767F,?), ref: 00F3EECF
    • SelectObject.GDI32(00000000,?), ref: 00F3EEF0
    • CreateCompatibleDC.GDI32(?), ref: 00F3EF01
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F3767F,?), ref: 00F3EF0E
    • SetStretchBltMode.GDI32(00000000,00000003), ref: 00F3EF31
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F3767F,?), ref: 00F3EF3B
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00F3EF61
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F3767F,?), ref: 00F3EF6D
    • SelectObject.GDI32(?,00000000), ref: 00F3EF8A
    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00F3EFB6
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F3767F,?), ref: 00F3EFC0
    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F3EFE4
    • DeleteObject.GDI32(00000000), ref: 00F3EFFE
    • ReleaseDC.USER32(?,?), ref: 00F3F00F
    • DeleteDC.GDI32(00000000), ref: 00F3F01A
    • DeleteDC.GDI32(?), ref: 00F3F028
    • DeleteObject.GDI32(00000000), ref: 00F3F037
    Strings
    • SendMessage(STM_SETIMAGE, 0x%08x) returned 0x%08x, xrefs: 00F3EFEC
    Similarity
    • API ID: ErrorLast$Object$Delete$CompatibleCreate$SelectStretch$BitmapMessageModeRectReleaseSendWindow
    • String ID: SendMessage(STM_SETIMAGE, 0x%08x) returned 0x%08x
    • API String ID: 1596057509-2907994607
    • Opcode ID: 0b9b73e8478c4b96c9da05ea2495ab50a9a6ae4cd7cb4d1c7d81de179cb426b4
    • Instruction ID: 4327b874f91a55eb4da3f85bcbb7d4e04b9a01afbc510124c8cb6314f0717ccd
    • Opcode Fuzzy Hash: 0b9b73e8478c4b96c9da05ea2495ab50a9a6ae4cd7cb4d1c7d81de179cb426b4
    • Instruction Fuzzy Hash: D671A87AD002299BDB258FADDD44AAEBEB4AF58730F110134FD05F7251DB34DD00AAA0

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 524 f35245-f35298 call f40f00 call f350f7 529 f35371-f35387 call f40680 524->529 530 f3529e-f352a4 524->530 531 f35362 530->531 532 f352aa-f352d5 lstrcmpiW * 2 530->532 536 f35366-f35368 531->536 534 f352d7-f352d9 532->534 535 f352df-f352ed call f350f7 532->535 534->535 538 f3538a 534->538 535->531 543 f352ef-f352f4 535->543 536->529 540 f3536a-f3536b RegCloseKey 536->540 542 f3538c-f3539a lstrcmpiW 538->542 540->529 544 f353b0-f353be lstrcmpiW 542->544 545 f3539c-f353ae call f350f7 542->545 543->542 548 f352fa-f35312 call f34948 543->548 546 f353c4-f353d9 call f350f7 544->546 547 f354bd-f354c9 call f34948 544->547 545->531 545->544 546->531 557 f353db-f353e9 call f350f7 546->557 559 f357dd-f357e2 547->559 560 f354cf-f354d2 547->560 558 f35318-f35320 call f34ea7 548->558 548->559 557->531 572 f353ef-f353f5 557->572 573 f35322-f35334 call f34f26 558->573 574 f35338-f3533c 558->574 559->536 563 f355e2-f355e6 560->563 564 f354d8-f354ee call f34ede 560->564 568 f355e8-f35608 call f34ede 563->568 569 f3560c 563->569 578 f35551-f35561 call f350f7 564->578 579 f354f0-f35502 call f34ede 564->579 571 f35614-f35617 568->571 584 f3560a 568->584 569->571 580 f3561b-f35646 wcsncpy_s call f34e01 call f350f7 571->580 572->559 581 f353fb-f353ff 572->581 573->574 574->542 576 f3533e-f3534c call f350f7 574->576 576->531 599 f3534e-f3535c call f34e3a 576->599 578->531 604 f35567-f3556d 578->604 579->578 600 f35504-f35527 RegCreateKeyExW 579->600 580->531 620 f3564c-f3565a call f34e3a 580->620 587 f35401-f35434 call f34a7b 581->587 588 f3543f-f35443 581->588 584->580 587->536 611 f3543a 587->611 596 f35445-f3544a 588->596 597 f354a4-f354a9 call f34e3a 588->597 596->597 598 f3544c-f3546f call f34ede 596->598 610 f354ae-f354b2 597->610 624 f357b5-f357c3 call f350e1 598->624 625 f35475-f3548a RegDeleteValueW 598->625 599->531 616 f3558d-f35593 599->616 607 f35545 600->607 608 f35529-f3552f 600->608 612 f35589 604->612 613 f3556f-f35583 call f34a7b 604->613 621 f35549-f3554b 607->621 618 f35531-f35535 RegCloseKey 608->618 619 f3553b-f35543 608->619 610->531 622 f354b8 610->622 611->616 612->616 613->531 613->612 626 f35783-f35789 616->626 627 f35599-f3559b 616->627 618->619 619->621 620->531 641 f35660-f35666 620->641 621->578 629 f357cf-f357d8 call f350e1 621->629 622->626 624->531 647 f357c9-f357cd 624->647 631 f35495-f35497 625->631 632 f3548c-f3548f 625->632 626->531 634 f3578f-f35793 626->634 633 f3559e-f355a9 627->633 629->536 631->597 639 f35499-f354a0 RegCloseKey 631->639 632->631 638 f35798-f357a3 call f350e1 632->638 633->633 640 f355ab-f355b2 633->640 634->532 638->531 654 f357a9 638->654 639->597 640->626 643 f355b8-f355cf call f35245 640->643 645 f35668-f3566a 641->645 646 f356bd 641->646 643->531 658 f355d5-f355dd call f350f7 643->658 652 f3566d-f35678 645->652 651 f356c1-f356c8 646->651 648 f357aa-f357b0 RegCloseKey 647->648 648->531 651->626 655 f356ce-f356d0 651->655 652->652 656 f3567a-f35681 652->656 654->648 659 f356d2-f356d6 655->659 660 f356ea-f356ee 655->660 656->646 657 f35683-f3569a call f35245 656->657 672 f356a7-f356b5 call f350f7 657->672 673 f3569c-f356a1 657->673 658->610 659->626 665 f356dc-f356e5 call f350e1 659->665 661 f356f0-f356f8 call f35009 660->661 662 f3571f-f3572b call f35009 660->662 661->662 676 f356fa-f35706 call f34ea7 661->676 678 f3574a 662->678 679 f3572d-f3573e RegCloseKey 662->679 665->531 672->531 686 f356bb 672->686 673->531 673->672 676->626 688 f35708-f3570d 676->688 680 f3574c-f35751 678->680 679->629 683 f35744-f35748 679->683 680->626 684 f35753-f35755 680->684 683->680 684->626 687 f35757-f3577d call f35046 684->687 686->651 687->626 687->665 688->626 690 f3570f-f3571d call f34f26 688->690 690->626
    APIs
      • Part of subcall function 00F350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F35132
      • Part of subcall function 00F350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F3514F
      • Part of subcall function 00F350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F35162
      • Part of subcall function 00F350F7: CharNextW.USER32(00000027,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F3516D
    • lstrcmpiW.KERNEL32(?,Delete,?,?,00000000,00000000,?,00F35944,?,00000000,00000000,00000000,?), ref: 00F352B8
    • lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,00F35944,?,00000000,00000000,00000000,?), ref: 00F352CD
    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000000,?,00F35944,?,00000000,00000000,00000000,?), ref: 00F3536B
    • lstrcmpiW.KERNEL32(?,NoRemove,?,?,00000000,00000000,?,00F35944,?,00000000,00000000,00000000,?), ref: 00F35392
    • lstrcmpiW.KERNEL32(?,Val,?,00000000,00000000,?,00F35944,?,00000000,00000000,00000000,?), ref: 00F353B6
    • RegDeleteValueW.ADVAPI32(?,?,?,00000000,00020006,?,?), ref: 00F35482
    • RegCloseKey.ADVAPI32(?), ref: 00F3549A
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,00020019,?,?,0002001F), ref: 00F3551F
    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00F35944,?,00000000,00000000,00000000,?), ref: 00F35535
    • wcsncpy_s.MSVCRT ref: 00F35628
      • Part of subcall function 00F35245: RegCloseKey.ADVAPI32(?,?,?), ref: 00F3572E
      • Part of subcall function 00F35245: RegCloseKey.ADVAPI32(?,?,00000000,00020006,?,?), ref: 00F357AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Close$CharNextlstrcmpi$CreateDeleteValuewcsncpy_s
    • String ID: Delete$ForceRemove$NoRemove$Val
    • API String ID: 670805417-1781481701
    • Opcode ID: 9f4ad957a861a09925564f3bdfb17ec5d84c8586d9e559574d96949b3a56e2fa
    • Instruction ID: d344781aa9f2e1d4528f212e9fdabb80376869a92ce4c47ddf148d9fb19944b6
    • Opcode Fuzzy Hash: 9f4ad957a861a09925564f3bdfb17ec5d84c8586d9e559574d96949b3a56e2fa
    • Instruction Fuzzy Hash: FDE1AC71A08B129BC7249F24C895A2FB7E8AFC4F74F04492DF94597241EB74DD40EBA2
    APIs
    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00000022), ref: 00F359A8
    • FindResourceExW.KERNEL32(00000000,?,?,00000000), ref: 00F359C5
    • FreeLibrary.KERNEL32(00000000), ref: 00F35A89
      • Part of subcall function 00F34658: GetLastError.KERNEL32(00F359D6), ref: 00F34658
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Library$ErrorFindFreeLastLoadResource
    • String ID: Module$Module_Raw$REGISTRY
    • API String ID: 3418355812-549000027
    • Opcode ID: 4d28a4d2755a112b6bb682af8b08d65b82d5720044c4205a31a4c6acb525a7c0
    • Instruction ID: 4e3ab6b5f78cb4badd0e045eb139b3c3fece0c2b3d2cd25309767c1085efbf46
    • Opcode Fuzzy Hash: 4d28a4d2755a112b6bb682af8b08d65b82d5720044c4205a31a4c6acb525a7c0
    • Instruction Fuzzy Hash: 5131C7B590051DABCF24DF14CC85BAE76B8DF95B70F1042A9FA05A7240DB349E81BBA4
    APIs
    • CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00F33658,00000000,00000017,00F33668,?,?,00000001), ref: 00F4015B
    • SysAllocString.OLEAUT32(mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1), ref: 00F4016C
    • WinSqmAddToStream.NTDLL(00000000,0000038F,00000001,00000053), ref: 00F40199
    • SysFreeString.OLEAUT32(00000000), ref: 00F401CD
    Strings
    • COLOR_MANAGEMENT_CALIBRATE_DISPLAY, xrefs: 00F40182
    • mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1, xrefs: 00F40167
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: String$AllocCreateFreeInstanceStream
    • String ID: COLOR_MANAGEMENT_CALIBRATE_DISPLAY$mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1
    • API String ID: 148082582-1466657646
    • Opcode ID: bc093a112dbd0dfda0d218cbc56b13d0c41e400df1820818ba817a78582079d5
    • Instruction ID: c5e8d830dd40e5307822141c0a3d24843bdd4d9ff40b9ca772f8ff76d9394a82
    • Opcode Fuzzy Hash: bc093a112dbd0dfda0d218cbc56b13d0c41e400df1820818ba817a78582079d5
    • Instruction Fuzzy Hash: F9115135B40218BFD7109B949C49E6E7BF8DB99B61F204059FD05A7290CFB09E00AB51
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00F40CF6
    • GetCurrentProcessId.KERNEL32 ref: 00F40D05
    • GetCurrentThreadId.KERNEL32 ref: 00F40D0E
    • GetTickCount.KERNEL32 ref: 00F40D17
    • QueryPerformanceCounter.KERNEL32(?), ref: 00F40D2C
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 3e43234ad3b8bc5380b71e6fffb110ee1da13940d5884bc3009fd15790e3a647
    • Instruction ID: 2b6905cc4ebd9dfd6bd514a759297860eb9a14f4d9083719792a2c4e64cb2b23
    • Opcode Fuzzy Hash: 3e43234ad3b8bc5380b71e6fffb110ee1da13940d5884bc3009fd15790e3a647
    • Instruction Fuzzy Hash: 2D11EC75D01218EBDB14DFF8EA4869EBBF4EFA9311F610565ED01E7250EA309B04EB40
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000C,00F3F721,00000000,00000000,00F3F911,00000000,?,00000000,?,00F36DFD,?), ref: 00F3F7F0
    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,?,00000000,?,00F36DFD,?), ref: 00F3F816
    • HeapAlloc.KERNEL32(00000000,?,00000000,?,00F36DFD,?), ref: 00F3F81D
    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00F36DFD,?), ref: 00F3F838
    • HeapFree.KERNEL32(00000000,?,00000000,?,00F36DFD,?), ref: 00F3F83F
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Heap$Process$AllocFeatureFreePresentProcessor
    • String ID:
    • API String ID: 53968077-0
    • Opcode ID: f7f9329e44bd304cce319582fc51744938fdd940ecb66e03f459ca2a8f5739fb
    • Instruction ID: 312ad0845bd966d0dddddc9ce87a99c559fd65691362b15934e54f700c3abed1
    • Opcode Fuzzy Hash: f7f9329e44bd304cce319582fc51744938fdd940ecb66e03f459ca2a8f5739fb
    • Instruction Fuzzy Hash: 10F03079E512069BEB549F799C08B1637A9BFA6725F048438FE85C7294EB30C840EB50
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F40939,00F31004), ref: 00F40804
    • UnhandledExceptionFilter.KERNEL32(00F40939,?,00F40939,00F31004), ref: 00F4080D
    • GetCurrentProcess.KERNEL32(C0000409,?,00F40939,00F31004), ref: 00F40818
    • TerminateProcess.KERNEL32(00000000,?,00F40939,00F31004), ref: 00F4081F
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
    • String ID:
    • API String ID: 3231755760-0
    • Opcode ID: d95f6cc759eb77a0727898af8f7f8e6e826d9b31067cfb77ae187139d7e2869e
    • Instruction ID: ad1007c3364f31f71ab8d47f383af6bca2bfc200b54355a4fe6aaf6533742e52
    • Opcode Fuzzy Hash: d95f6cc759eb77a0727898af8f7f8e6e826d9b31067cfb77ae187139d7e2869e
    • Instruction Fuzzy Hash: 5DD0123680020CBBCB002BF1ED0CA097F28FBD6312F584000FB0982021CF325601AB65
    APIs
    • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00F37016,?,00000000,?,00F36DFD,?), ref: 00F3F8D4
    • HeapAlloc.KERNEL32(00000000,?,00000000,?,00F36DFD,?), ref: 00F3F8DB
    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00F36DFD,?), ref: 00F3F91B
    • HeapFree.KERNEL32(00000000,?,00000000,?,00F36DFD,?), ref: 00F3F922
      • Part of subcall function 00F3F711: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,00000000,00F3F911,00000000,?,00000000,?,00F36DFD,?), ref: 00F3F733
      • Part of subcall function 00F3F711: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F36DFD,?), ref: 00F3F73A
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Heap$Process$Alloc$Free
    • String ID:
    • API String ID: 1864747095-0
    • Opcode ID: dbf84f3ea75b535b5e4eae192e9a295286ff5ba1359f68d6fda89e3bf90cf8de
    • Instruction ID: 13bd32bca4c65155ea407b64c9ecab90834dcd6e6f09d282232e878f40d4ac6b
    • Opcode Fuzzy Hash: dbf84f3ea75b535b5e4eae192e9a295286ff5ba1359f68d6fda89e3bf90cf8de
    • Instruction Fuzzy Hash: 4AF0BE77E0561567DB612BB87C0CB6A3A68AFE2BB1F114038F94AC7244DF34C809B750
    APIs
    • FormatMessageW.KERNEL32(00000500,?,00000000,00000000,00000137,00000000,?,67727473,?,?,?,00F33C64,?,?,00000000), ref: 00F40052
    • LocalFree.KERNEL32(00000000,00000137,?,?,?,00F33C64,?,?,00000000), ref: 00F40075
    • GetLastError.KERNEL32(?,?,?,00F33C64,?,?,00000000), ref: 00F4007D
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessage
    • String ID:
    • API String ID: 1365068426-0
    • Opcode ID: 4258625ccc577a26486b4f197826b004297b45c6d1d17b8ee630d1d2ae33d2e6
    • Instruction ID: 71d080c88dc70c74b598b7976f8dad9ea68f9d381e01283989ea27a2d9e03eed
    • Opcode Fuzzy Hash: 4258625ccc577a26486b4f197826b004297b45c6d1d17b8ee630d1d2ae33d2e6
    • Instruction Fuzzy Hash: 2E01FB76C01128FBDB209B95CD09A9EBEB8EF45761F114166FD05A6150EA719F00EAE0
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00010A30), ref: 00F40A85
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: ca3a5f43e89ec14964dc2afa0d44b6cbbdc34eed9f6debec3cd8e7b733bc05b8
    • Instruction ID: f7c2be4cf334b61c5ba2d05414571db05d49ac476accf04d0a265de7b2793cd1
    • Opcode Fuzzy Hash: ca3a5f43e89ec14964dc2afa0d44b6cbbdc34eed9f6debec3cd8e7b733bc05b8
    • Instruction Fuzzy Hash: 829002646612044646001B709D1990679905BA9602B950550A942C4055DF749100B512

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 431 f3bd3d-f3bda7 call f3a9ed 434 f3bdaa-f3bdd5 GetDlgItem 431->434 435 f3bdd6 call f3ec08 434->435 436 f3bddb-f3bddd 435->436 437 f3bf53-f3bf57 436->437 438 f3bde3-f3bdf3 GetWindowRect 436->438 441 f3bf62-f3bf6b 437->441 442 f3bf59-f3bf5c DeleteObject 437->442 439 f3bdf5-f3be06 MapWindowPoints 438->439 440 f3be08-f3be10 GetLastError 438->440 443 f3be22-f3be35 439->443 444 f3be12-f3be1a 440->444 445 f3be1c 440->445 441->434 446 f3bf71-f3bf7f call f40680 441->446 442->441 451 f3be72-f3be78 443->451 452 f3be37-f3be70 _ftol2_sse 443->452 444->445 445->437 445->443 453 f3be7b-f3be8e MoveWindow 451->453 452->453 454 f3be90-f3be98 GetLastError 453->454 455 f3beaa-f3beba 453->455 457 f3bea4 454->457 458 f3be9a-f3bea2 454->458 456 f3bebb call f3edc2 455->456 460 f3bec0-f3bec2 456->460 457->455 459 f3bf50 457->459 458->457 459->437 460->437 461 f3bec8-f3beef InvalidateRect GetDlgItem GetWindowRect 460->461 462 f3bef1-f3bf02 MapWindowPoints 461->462 463 f3bf04-f3bf0c GetLastError 461->463 464 f3bf1a-f3bf48 MoveWindow 462->464 465 f3bf18 463->465 466 f3bf0e-f3bf16 463->466 464->459 467 f3bf4a GetLastError 464->467 465->437 465->464 466->465 467->459
    APIs
      • Part of subcall function 00F3A9ED: MapDialogRect.USER32(?,?), ref: 00F3AA1C
      • Part of subcall function 00F3A9ED: GetWindowRect.USER32(?,?), ref: 00F3AA42
      • Part of subcall function 00F3A9ED: EnumChildWindows.USER32(?,00F3AD30), ref: 00F3AABD
      • Part of subcall function 00F3A9ED: InvalidateRect.USER32(?,00000000,00000001), ref: 00F3AAC9
    • GetDlgItem.USER32(?,sx}), ref: 00F3BDB1
      • Part of subcall function 00F3EC08: GlobalAlloc.KERNEL32(00000002,?,?,?,?,00000000,?), ref: 00F3EC3C
      • Part of subcall function 00F3EC08: GetLastError.KERNEL32(?,00000000,?), ref: 00F3EC48
      • Part of subcall function 00F3EC08: GlobalLock.KERNEL32(00000000), ref: 00F3EC66
      • Part of subcall function 00F3EC08: GetLastError.KERNEL32(?,00000000,?), ref: 00F3EC72
      • Part of subcall function 00F3EC08: memcpy.MSVCRT(00000000,?,?,?,00000000,?), ref: 00F3EC96
      • Part of subcall function 00F3EC08: CreateStreamOnHGlobal.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000001,00000000,?,00000000,?), ref: 00F3ECA5
      • Part of subcall function 00F3EC08: GlobalUnlock.KERNEL32(00000000), ref: 00F3ECB2
      • Part of subcall function 00F3EC08: GlobalFree.KERNEL32(00000000), ref: 00F3ECB9
    • GetWindowRect.USER32(?,?), ref: 00F3BDEB
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3BE00
    • GetLastError.KERNEL32(?,00000005,?,?,00000001,?), ref: 00F3BE08
    • _ftol2_sse.MSVCRT ref: 00F3BE6B
    • MoveWindow.USER32(?,?,?,?,?,00000000,?,00000005,?,?,00000001,?), ref: 00F3BE86
    • GetLastError.KERNEL32(?,00000005,?,?,00000001,?), ref: 00F3BE90
    • InvalidateRect.USER32(?,00000000,00000000,?,?,00000005,?,?,00000001,?), ref: 00F3BECD
    • GetDlgItem.USER32(?,00000064), ref: 00F3BEDA
    • GetWindowRect.USER32(00000000,?), ref: 00F3BEE7
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3BEFC
    • GetLastError.KERNEL32(?,00000005,?,?,00000001,?), ref: 00F3BF04
    • MoveWindow.USER32(00000000,?,?,?,?,00000001,?,00000005,?,?,00000001,?), ref: 00F3BF40
    • GetLastError.KERNEL32(?,00000005,?,?,00000001,?), ref: 00F3BF4A
    • DeleteObject.GDI32(00000000), ref: 00F3BF5C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Window$ErrorLastRect$Global$InvalidateItemMovePoints$AllocChildCreateDeleteDialogEnumFreeLockObjectStreamUnlockWindows_ftol2_ssememcpy
    • String ID: d$i$n$sx}$x$}
    • API String ID: 3487292329-3487999874
    • Opcode ID: 970bc4d4dbf6abbdf070924d56c2244a955d2466901508942a6763e0ffc67fcf
    • Instruction ID: e4e5cd226e601e8efb2110ab727ccccee10021c3b3f63b61c05c23210567293f
    • Opcode Fuzzy Hash: 970bc4d4dbf6abbdf070924d56c2244a955d2466901508942a6763e0ffc67fcf
    • Instruction Fuzzy Hash: 17712835E00219EFEB009FE4CD48BADBBB9FF44760F004015EA05AB264CB749A55EF60

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 468 f38ac0-f38b05 call f39d26 471 f38b07-f38b1a WcsCreateIccProfile 468->471 472 f38b3e-f38b44 468->472 473 f38b35-f38b3c call f3a1b6 471->473 474 f38b1c-f38b26 GetLastError 471->474 475 f38cb4-f38cb9 472->475 476 f38b4a-f38b59 GetColorProfileFromHandle 472->476 473->472 479 f38b33 474->479 480 f38b28-f38b31 474->480 477 f38cc5-f38ccb 475->477 478 f38cbb-f38cbf CloseColorProfile 475->478 482 f38b83-f38b85 476->482 483 f38b5b-f38b64 GetLastError 476->483 485 f38cd4-f38cec call f402f3 call f3ff06 477->485 486 f38ccd-f38cce CloseColorProfile 477->486 478->477 479->472 479->473 480->479 482->475 484 f38b8b-f38b99 call f4032d 482->484 483->482 488 f38b66-f38b68 483->488 497 f38ba5-f38bb4 GetColorProfileFromHandle 484->497 498 f38b9b-f38ba0 484->498 486->485 491 f38b74 488->491 492 f38b6a-f38b6f 488->492 493 f38b76-f38b78 491->493 494 f38b7a-f38b7d 491->494 492->475 493->482 494->482 500 f38bd3-f38bfa CreateFileW 497->500 501 f38bb6-f38bc0 GetLastError 497->501 498->475 505 f38c19-f38c2e WriteFile 500->505 506 f38bfc-f38c06 GetLastError 500->506 503 f38bc2-f38bcb 501->503 504 f38bcd 501->504 503->504 504->475 504->500 507 f38c41-f38c4b GetLastError 505->507 508 f38c30-f38c38 505->508 509 f38c13 506->509 510 f38c08-f38c11 506->510 513 f38c58 507->513 514 f38c4d-f38c50 507->514 511 f38c56 508->511 512 f38c3a-f38c3f 508->512 509->475 509->505 510->509 511->513 512->511 515 f38c5a-f38c75 CloseHandle InstallColorProfileW 513->515 516 f38ca8-f38cab 513->516 514->511 518 f38c90-f38ca6 515->518 519 f38c77-f38c81 GetLastError 515->519 516->475 517 f38cad-f38cae CloseHandle 516->517 517->475 518->475 520 f38c83-f38c8c 519->520 521 f38c8e 519->521 520->521 521->475 521->518
    APIs
      • Part of subcall function 00F39D26: GetSystemTime.KERNEL32(?,000001F5,?,00000000), ref: 00F39DEA
    • WcsCreateIccProfile.MSCMS(?,00000000,?,?), ref: 00F38B0C
    • GetLastError.KERNEL32 ref: 00F38B1C
    • GetColorProfileFromHandle.MSCMS(00000000,00000000,?,?,?), ref: 00F38B51
    • GetLastError.KERNEL32 ref: 00F38B5B
    • GetColorProfileFromHandle.MSCMS(00000000,00000000,?), ref: 00F38BAC
    • GetLastError.KERNEL32 ref: 00F38BB6
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00F38BEF
    • GetLastError.KERNEL32 ref: 00F38BFC
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00F38C26
    • GetLastError.KERNEL32 ref: 00F38C41
    • CloseHandle.KERNEL32(00000000), ref: 00F38C5B
    • InstallColorProfileW.MSCMS(00000000,?), ref: 00F38C6D
    • GetLastError.KERNEL32 ref: 00F38C77
    • CloseHandle.KERNEL32(00000000), ref: 00F38CAE
    • CloseColorProfile.MSCMS(00000000,?,?), ref: 00F38CBF
    • CloseColorProfile.MSCMS(?,?,?), ref: 00F38CCE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: ErrorLastProfile$Color$CloseHandle$CreateFileFrom$InstallSystemTimeWrite
    • String ID: strg
    • API String ID: 3772428985-3320446829
    • Opcode ID: 33392285533e0227b9530759b55e53afcecd0670deec1895a6b384cec1e2fb5d
    • Instruction ID: e74d16eea12e4342a57974a5e4db876e53cbb1e12d9fe40992046208f5477633
    • Opcode Fuzzy Hash: 33392285533e0227b9530759b55e53afcecd0670deec1895a6b384cec1e2fb5d
    • Instruction Fuzzy Hash: F151237A5043129BD3119F248D44B5BBAA6AFD43F0F210528FD55C7291EF38CA02BAB1

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 694 f3a1b6-f3a1f8 call f3fe77 697 f3a20a-f3a216 694->697 698 f3a1fa-f3a208 call f3fe77 694->698 700 f3a218-f3a22b call f3fe77 697->700 701 f3a22e-f3a23a 697->701 698->697 700->701 704 f3a240-f3a260 WideCharToMultiByte 701->704 705 f3a2c8-f3a2d4 701->705 709 f3a262-f3a26c GetLastError 704->709 710 f3a277 704->710 706 f3a2da-f3a2e7 705->706 707 f3a499-f3a4c5 call f402f3 * 2 call f3ff06 * 3 705->707 711 f3a2f1-f3a2f4 706->711 712 f3a2e9-f3a2ee 706->712 714 f3a279 709->714 715 f3a26e-f3a271 709->715 710->714 717 f3a2f7-f3a301 711->717 712->711 714->705 718 f3a27b-f3a288 call f4032d 714->718 715->710 717->717 720 f3a303-f3a327 call f4032d 717->720 725 f3a296-f3a2b1 WideCharToMultiByte 718->725 726 f3a28a-f3a291 718->726 731 f3a333-f3a36e memset memcpy 720->731 732 f3a329-f3a32e 720->732 725->705 729 f3a2b3-f3a2bd GetLastError 725->729 726->707 729->705 733 f3a2bf-f3a2c2 729->733 735 f3a371-f3a37a 731->735 732->707 733->705 735->735 737 f3a37c-f3a396 735->737 738 f3a3c1-f3a3e0 737->738 739 f3a398-f3a3a0 737->739 742 f3a3e3-f3a3ed 738->742 741 f3a3a3-f3a3a7 739->741 744 f3a3b7-f3a3bc 741->744 745 f3a3a9-f3a3b2 741->745 742->742 746 f3a3ef-f3a3f3 742->746 744->741 748 f3a3be 744->748 747 f3a3b4 745->747 745->748 749 f3a436-f3a449 SetColorProfileElementSize 746->749 750 f3a3f5-f3a401 746->750 747->744 748->738 752 f3a464-f3a482 SetColorProfileElement 749->752 753 f3a44b-f3a455 GetLastError 749->753 751 f3a403-f3a418 750->751 757 f3a41b-f3a425 751->757 752->707 756 f3a484-f3a48e GetLastError 752->756 754 f3a462 753->754 755 f3a457-f3a460 753->755 754->707 754->752 755->754 756->707 758 f3a490-f3a493 756->758 757->757 759 f3a427-f3a42e 757->759 758->707 759->751 760 f3a430-f3a433 759->760 760->749
    APIs
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000080,?,000000FF,00000000,00000000,00000000,00000000,00F30000,000001F7,00000000,00000000,00000000), ref: 00F3A253
    • GetLastError.KERNEL32 ref: 00F3A262
      • Part of subcall function 00F3FE77: LoadStringW.USER32(00F361E0,?,00000000,00000400), ref: 00F3FE9A
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000080,?,000000FF,00000000,00000000,00000000,00000000), ref: 00F3A2A9
    • GetLastError.KERNEL32 ref: 00F3A2B3
    • memset.MSVCRT ref: 00F3A33A
    • memcpy.MSVCRT(00000004,?,?,00000000,00000000,?,00F30000,000001F7,00000000,00000000,00000000), ref: 00F3A35C
    • SetColorProfileElementSize.MSCMS(?,64657363,?,?,00F30000,000001F7,00000000,00000000,00000000), ref: 00F3A441
    • GetLastError.KERNEL32(?,00F30000,000001F7,00000000,00000000,00000000), ref: 00F3A44B
    • SetColorProfileElement.MSCMS(?,64657363,00000000,?,00000000,?,00F30000,000001F7,00000000,00000000,00000000), ref: 00F3A47A
    • GetLastError.KERNEL32(?,00F30000,000001F7,00000000,00000000,00000000), ref: 00F3A484
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
    • Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: ErrorLast$ByteCharColorElementMultiProfileWide$LoadSizeStringmemcpymemset
    • String ID: strg$strg$strg$strg
    • API String ID: 139363455-4050408924
    • Opcode ID: e0b78afcd72de1c5d8f0b4779ca36f7c1fd2977fdc7993c1ef3c2f6670a303c0
    • Instruction ID: 39ca4e8937cfef5edbdc7abd4dd70bb11db440880cbacb2393f8c30755de200b
    • Opcode Fuzzy Hash: e0b78afcd72de1c5d8f0b4779ca36f7c1fd2977fdc7993c1ef3c2f6670a303c0
    • Instruction Fuzzy Hash: DBA1D275E0021A9BCB04DFA9CC81AEEBBF5FF48320F144129E941B7361DB759941EB91

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 761 f39d26-f39d77 call f3fe77 764 f39d79-f39d8c call f3fe77 761->764 765 f39d8e-f39d96 761->765 764->765 767 f39db0-f39dbc 765->767 768 f39d98-f39dae call f3fe77 765->768 769 f39dd3-f39de0 767->769 770 f39dbe-f39dd1 call f3fe77 767->770 768->767 775 f39de6-f39e26 GetSystemTime call f3ff30 769->775 776 f39feb-f3a01f call f3ff06 * 5 call f40680 769->776 770->769 775->776 782 f39e2c-f39e4b call f4002c 775->782 782->776 789 f39e51-f39e68 782->789 796 f39e6e-f39f3e call f398a7 * 3 call f3ebd2 _CIpow * 3 call f3ff30 789->796 797 f39f5d-f39f6e call f3fcc2 789->797 817 f39f40-f39f4b call f3fcc2 796->817 818 f39f4d-f39f57 call f3ff06 796->818 797->776 805 f39f70-f39f86 797->805 807 f39f89-f39f93 805->807 807->807 809 f39f95-f39fd4 WcsOpenColorProfileW 807->809 809->776 811 f39fd6-f39fe0 GetLastError 809->811 811->776 813 f39fe2-f39fe5 811->813 813->776 817->818 818->776 818->797
    APIs
    • GetSystemTime.KERNEL32(?,000001F5,?,00000000), ref: 00F39DEA
    • _CIpow.MSVCRT ref: 00F39ED5
      • Part of subcall function 00F3FE77: LoadStringW.USER32(00F361E0,?,00000000,00000400), ref: 00F3FE9A
    • _CIpow.MSVCRT ref: 00F39EF3
    • _CIpow.MSVCRT ref: 00F39F11
    • WcsOpenColorProfileW.MSCMS(00000002,?,00000000,00000001,00000001,00000003,00000000,</cdm:Calibration></cdm:ColorDeviceModel>), ref: 00F39FC7
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F39FD6
    Strings
    • D65.camp, xrefs: 00F39FA4
    • strg, xrefs: 00F39F8F
    • </cdm:Calibration></cdm:ColorDeviceModel>, xrefs: 00F39F60
    • strg, xrefs: 00F39D4C
    • <?xml version="1.0" encoding="utf-16"?><cdm:ColorDeviceModel%txmlns:cdm="http://schemas.microsoft.com/windows/2005/02/color/Colo, xrefs: 00F39E37
    • %4d-%02d-%02dT%02d:%02d:%02d, xrefs: 00F39E11
    • strg, xrefs: 00F39E71
    • <cal:AdapterGammaConfiguration><cal:ParameterizedCurves><wcs:RedTRC Gamma="%f" Gain="%f" Offset1="0.0"/><wcs:GreenT, xrefs: 00F39F2C
    Similarity
    • API ID: Ipow$ColorErrorLastLoadOpenProfileStringSystemTime
    • String ID: </cdm:Calibration></cdm:ColorDeviceModel>$<cal:AdapterGammaConfiguration><cal:ParameterizedCurves><wcs:RedTRC Gamma="%f" Gain="%f" Offset1="0.0"/><wcs:GreenT$%4d-%02d-%02dT%02d:%02d:%02d$<?xml version="1.0" encoding="utf-16"?><cdm:ColorDeviceModel%txmlns:cdm="http://schemas.microsoft.com/windows/2005/02/color/Colo$D65.camp$strg$strg$strg
    • API String ID: 1408563361-1103866935
    • Opcode ID: 0974120e9dfd2de7a3f45366f74e7bad180bba9e88d3d21f2553527b75fbe5eb
    • Instruction ID: 0b91586b7b7871a52af5f91ab9def98bad1b4658b5692db753281fd8f07d2573
    • Opcode Fuzzy Hash: 0974120e9dfd2de7a3f45366f74e7bad180bba9e88d3d21f2553527b75fbe5eb
    • Instruction Fuzzy Hash: E2916631D01219EBCB01EFA4D8859EEBFB5EF48320F110069F940BB265DB759D25EBA0
    APIs
    • LoadCursorW.USER32(00000000,00007F02), ref: 00F391F9
    • SetCursor.USER32(00000000), ref: 00F39200
    • ShowCursor.USER32(00000001), ref: 00F39208
    • GetNumberOfPhysicalMonitorsFromHMONITOR.DXVA2(?,?), ref: 00F39266
    • ShowCursor.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,00F37BA6,00000000), ref: 00F394AC
    • LoadCursorW.USER32(00000000,00007F00), ref: 00F394BA
    • SetCursor.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,00F37BA6,00000000), ref: 00F394C1
    Similarity
    • API ID: Cursor$LoadShow$FromMonitorsNumberPhysical
    • String ID:
    • API String ID: 1684749270-0
    • Opcode ID: e8217179904455da15cc731133afab9341bcb1030e2f2389522ec63f80d5355e
    • Instruction ID: c9a3463bc82ae9945455859bf60eeb057d8d904b57a9d892e670d81b024be85a
    • Opcode Fuzzy Hash: e8217179904455da15cc731133afab9341bcb1030e2f2389522ec63f80d5355e
    • Instruction Fuzzy Hash: 9381E276A046229BC711CF74DC44A6EBBA5BF48730F15462AED02A7390DBF4ED01ABD1
    APIs
      • Part of subcall function 00F3F117: FindResourceW.KERNEL32(00F30000,?,000001F4,?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F13C
      • Part of subcall function 00F3F117: GetLastError.KERNEL32(?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F14B
      • Part of subcall function 00F3F117: LoadResource.KERNEL32(00F30000,00000000,?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F166
      • Part of subcall function 00F3F117: GetLastError.KERNEL32(?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F172
      • Part of subcall function 00F3F117: SizeofResource.KERNEL32(00F30000,?,?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F18F
      • Part of subcall function 00F3F117: LockResource.KERNEL32(00000000,?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F19B
    • GlobalAlloc.KERNEL32(00000002,?,?,?,?,00000000,?), ref: 00F3EC3C
    • GetLastError.KERNEL32(?,00000000,?), ref: 00F3EC48
    • GlobalLock.KERNEL32(00000000), ref: 00F3EC66
    • GetLastError.KERNEL32(?,00000000,?), ref: 00F3EC72
    • memcpy.MSVCRT(00000000,?,?,?,00000000,?), ref: 00F3EC96
    • CreateStreamOnHGlobal.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000001,00000000,?,00000000,?), ref: 00F3ECA5
    • GlobalUnlock.KERNEL32(00000000), ref: 00F3ECB2
    • GlobalFree.KERNEL32(00000000), ref: 00F3ECB9
    • GlobalUnlock.KERNEL32(00000000), ref: 00F3ECC5
    • GetLastError.KERNEL32(?,00000000,?), ref: 00F3ECCF
    • GdipAlloc.GDIPLUS(00000010,?,00000000,?), ref: 00F3ECF0
    • GdipCreateBitmapFromStream.GDIPLUS(00000000,?,?,00000000,?), ref: 00F3ED12
    • GdipCreateHBITMAPFromBitmap.GDIPLUS(00000000,00000110,FF000000,?,00000000,?), ref: 00F3ED2D
    • GetObjectW.GDI32(00000110,00000018,?), ref: 00F3ED68
    • GetLastError.KERNEL32(?,00000000,?), ref: 00F3ED86
    Similarity
    • API ID: ErrorGlobalLast$Resource$CreateGdip$AllocBitmapFromLockStreamUnlock$FindFreeLoadObjectSizeofmemcpy
    • String ID:
    • API String ID: 4269010864-0
    • Opcode ID: 9e9c75e978a089fff32df3017b6c7ea06d4dca55e857eb0c02723707ff8e0915
    • Instruction ID: 1661d3215e345b862b096b0f20ed471ac692f463cda9c018aff1ee4c25c2ffb2
    • Opcode Fuzzy Hash: 9e9c75e978a089fff32df3017b6c7ea06d4dca55e857eb0c02723707ff8e0915
    • Instruction Fuzzy Hash: FC51707BD0062AABC7219B9AC9447AEBBB8BF54771F114114ED55F7280DB34DE00ABA0
    APIs
      • Part of subcall function 00F374D3: GetWindowRect.USER32(?,?), ref: 00F37505
      • Part of subcall function 00F374D3: GetWindowRect.USER32(?,?), ref: 00F3751D
      • Part of subcall function 00F374D3: GetWindowRect.USER32(?,?), ref: 00F37535
      • Part of subcall function 00F374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3754E
      • Part of subcall function 00F374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3755F
      • Part of subcall function 00F374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F37570
      • Part of subcall function 00F374D3: _ftol2_sse.MSVCRT ref: 00F37602
    • GetWindowRect.USER32(?,?), ref: 00F3DCB6
    • GetWindowRect.USER32(?,?), ref: 00F3DCCE
    • GetWindowRect.USER32(?,?), ref: 00F3DCE6
    • _ftol2_sse.MSVCRT ref: 00F3DD2C
    • _ftol2_sse.MSVCRT ref: 00F3DD4B
    • _ftol2_sse.MSVCRT ref: 00F3DD5F
    • _ftol2_sse.MSVCRT ref: 00F3DD87
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 00F3DDA0
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 00F3DDB6
    • _ftol2_sse.MSVCRT ref: 00F3DDCB
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 00F3DDED
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 00F3DE06
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 00F3DE27
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,00000001,?,?), ref: 00F3DE3D
    Similarity
    • API ID: Window$MoveRect_ftol2_sse$Points
    • String ID:
    • API String ID: 4142400812-0
    • Opcode ID: 60b64b61222d26a1709b4534525d1cbd3155479191b5654670fe682d6e3be8e9
    • Instruction ID: ef9814b0cd1bf528c31639647530738e7f2d6ba7fa8e5bbbe476a3f694e8ab42
    • Opcode Fuzzy Hash: 60b64b61222d26a1709b4534525d1cbd3155479191b5654670fe682d6e3be8e9
    • Instruction Fuzzy Hash: E8513672E00208FFCB119FA0EC49AADBFBAEF48720F154528F505A2264DB715A61EF50
    APIs
    • GetMonitorInfoW.USER32(?,00000068), ref: 00F39519
    • GetLastError.KERNEL32(?,?,?), ref: 00F39523
    • EnumDisplayDevicesW.USER32(?,00000000,?,00000000), ref: 00F39557
    • GetLastError.KERNEL32(?,?,?), ref: 00F39561
    • StringFromCLSID.API-MS-WIN-CORE-COM-L1-1-0(00F3343C,?,?,?,?), ref: 00F3958A
    • _wcsupr.MSVCRT ref: 00F3959D
    • wcsstr.MSVCRT ref: 00F395B0
    • swscanf_s.MSVCRT ref: 00F395FB
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(00000000,?,?,?), ref: 00F3961D
    Similarity
    • API ID: ErrorLast$DevicesDisplayEnumFreeFromInfoMonitorStringTask_wcsuprswscanf_swcsstr
    • String ID: %04d$h
    • API String ID: 4201562086-3314846054
    • Opcode ID: 5d9ccf1bdbc0b22a285243571476b7e622a2d6a63704ecc1f936967eee74e0fb
    • Instruction ID: 982ef7c97020646eb1fb68bb28d595598d1a2e60717a09a8dee69e01e5b3a916
    • Opcode Fuzzy Hash: 5d9ccf1bdbc0b22a285243571476b7e622a2d6a63704ecc1f936967eee74e0fb
    • Instruction Fuzzy Hash: 2031917AC052289BCB229F64DC49AADB7B8FF44724F0501A9ED05E7204DBB0DF45DB90
    APIs
    • GetWindowRect.USER32(?,?), ref: 00F37505
    • GetWindowRect.USER32(?,?), ref: 00F3751D
    • GetWindowRect.USER32(?,?), ref: 00F37535
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3754E
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3755F
    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F37570
    • _ftol2_sse.MSVCRT ref: 00F37602
    • _ftol2_sse.MSVCRT ref: 00F37617
    • _ftol2_sse.MSVCRT ref: 00F3762E
    • MoveWindow.USER32(?,?,?,-00000001,?,00000000,?,00000001,?), ref: 00F37661
    • InvalidateRect.USER32(?,00000000,00000000,?,?,00000001,?), ref: 00F37689
    • InvalidateRect.USER32(?,00000000,00000001,?,00000001,?), ref: 00F376B3
    Similarity
    • API ID: Window$Rect$Points_ftol2_sse$Invalidate$Move
    • String ID:
    • API String ID: 3848721580-0
    • Opcode ID: c1f823d832c2bcaa54607033b90152def89bc002f91660361759d85c9ce9601a
    • Instruction ID: f34c98088187bc1f101b299737fed495d3db78d3b22dea2509155ab8249340a1
    • Opcode Fuzzy Hash: c1f823d832c2bcaa54607033b90152def89bc002f91660361759d85c9ce9601a
    • Instruction Fuzzy Hash: C2616871E00208EFCB149FA4DD89BEDBFB9FF48310F058068E905AA2A5DB709955DF60
    Similarity
    • API ID: iswuppertowlower
    • String ID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
    • API String ID: 2404469642-206008433
    • Opcode ID: d1e16aa32c62e3d0cb72032a6226222131eaa6d7d17eae429ad45ce9f7a412d8
    • Instruction ID: f2ff0a2dd335157a680083c309cf887524842046b795ae76549299442cc02059
    • Opcode Fuzzy Hash: d1e16aa32c62e3d0cb72032a6226222131eaa6d7d17eae429ad45ce9f7a412d8
    • Instruction Fuzzy Hash: 84316B76D002159B8B259FA9D8485BA7BF5EBA9321314006AFD81D72C0EEB4CF40F760
    APIs
    • GetModuleHandleW.KERNEL32(API-MS-Win-Core-LocalRegistry-L1-1-0.dll,?,00000000,?,?,00F34FD9,?), ref: 00F35061
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F35071
    • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000000,?,00F34FD9,?), ref: 00F35083
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyW), ref: 00F35093
    • GetLastError.KERNEL32(?,00000000,?,?,00F34FD9,?), ref: 00F350CE
    Similarity
    • API ID: AddressProc$ErrorHandleLastLibraryLoadModule
    • String ID: API-MS-Win-Core-LocalRegistry-L1-1-0.dll$RegDeleteKeyExW$RegDeleteKeyW$advapi32.dll
    • API String ID: 856554993-2654589138
    • Opcode ID: f939e8c07fb93d4375fa5ba7c7ed8cc1dcdb094a791c39017287875bfc1f916e
    • Instruction ID: 5e07d05bc77830a5f747beae56c3245957b3d8563d00f468791dab91adde8d35
    • Opcode Fuzzy Hash: f939e8c07fb93d4375fa5ba7c7ed8cc1dcdb094a791c39017287875bfc1f916e
    • Instruction Fuzzy Hash: 1911CCB5A0470AEF97346F64DC4592BBB6DFBD1FB47244029F84692120DA72DC00FB60
    APIs
    • GetWindowRect.USER32(?,?), ref: 00F3B6F5
    • GetWindowRect.USER32(?,?), ref: 00F3B70D
    • GetWindowRect.USER32(?,?), ref: 00F3B725
    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00F3B778
    • _ftol2_sse.MSVCRT ref: 00F3B796
    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00F3B7D3
    • MoveWindow.USER32(?,?,?,00000010,?,00000001), ref: 00F3B7ED
    • MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 00F3B82A
    • MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 00F3B854
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F3B861
    Similarity
    • API ID: Window$Move$Rect$Invalidate_ftol2_sse
    • String ID:
    • API String ID: 1052920605-0
    • Opcode ID: e4f1f606ef4d486468808425aa794dc482c9becfbc9d93d3e1d2b71bb6135f78
    • Instruction ID: 0b536255115d7612c4bdba21ee6a7efe1b04fadae8da2da8be985587648fbecf
    • Opcode Fuzzy Hash: e4f1f606ef4d486468808425aa794dc482c9becfbc9d93d3e1d2b71bb6135f78
    • Instruction Fuzzy Hash: A3514E75B00619AFDB148FB9DC89BEDBBB9FF04310F044228F919E22A4DB71A951DB50
    APIs
    • WcsSetCalibrationManagementState.MSCMS(00000001,?,?,00000000), ref: 00F39B18
    • GetLastError.KERNEL32(?,?,00000000), ref: 00F39B22
    • WcsSetDefaultColorProfile.MSCMS(00000000,?,00000000,00000004,00000000,?,?,?,00000000), ref: 00F39B64
    • GetLastError.KERNEL32(?,?,00000000), ref: 00F39B6E
    • WcsGetUsePerUserProfiles.MSCMS(?,6D6E7472,?,?,?,00000000), ref: 00F39B9C
    • GetLastError.KERNEL32(?,?,00000000), ref: 00F39BA6
    • WcsSetDefaultColorProfile.MSCMS(00000001,?,00000000,00000004,00000000,?,?,?,00000000), ref: 00F39BEF
    • GetLastError.KERNEL32(?,?,00000000), ref: 00F39BF9
    • WcsSetCalibrationManagementState.MSCMS(00000000,?,?,00000000), ref: 00F39C15
    • GetLastError.KERNEL32(?,?,00000000), ref: 00F39C1F
    Similarity
    • API ID: ErrorLast$CalibrationColorDefaultManagementProfileState$ProfilesUser
    • String ID:
    • API String ID: 2534168751-0
    • Opcode ID: a01864d1caea308ae10121c07517dfca361bce025ff652a19172097df6b53fb7
    • Instruction ID: 8b42d546dca7da10847be5a5f7b0374d923f0b08f42e7cf57ce2af2d8f3814ee
    • Opcode Fuzzy Hash: a01864d1caea308ae10121c07517dfca361bce025ff652a19172097df6b53fb7
    • Instruction Fuzzy Hash: 9E31083BE041369BD7205F799C4477BBAA4AF90770F158128ED45EB240EAF4DE00A6E0
    APIs
    • DecodePointer.KERNEL32(1C2474FF,?,00F3F9CB,?,00000000,?,00F36D51,00000000,?,00000000,00F3615B,00000000,00000000,00000000,?,?), ref: 00F3FC25
    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,00F33DB7,1C2474FF,?,00F3F9CB,?,00000000,?,00F36D51,00000000,?,00000000,00F3615B,00000000), ref: 00F3FC3A
    • DecodePointer.KERNEL32(00F428AC,00F428B0,00F428B4,00F428BC,?,00F3F9CB,?,00000000,?,00F36D51,00000000,?,00000000,00F3615B,00000000,00000000), ref: 00F3FCAF
    Similarity
    • API ID: DecodePointer$LibraryLoad
    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
    • API String ID: 1423960858-1745123996
    • Opcode ID: 0bb93ba149bf73692774446a1078464bb2c6cd698b9f4c3366e29d7d3395a6bb
    • Instruction ID: 0009a3a552efa1d62840d446137a4ff5b0ebd56dc257ac1213167c6714392cd4
    • Opcode Fuzzy Hash: 0bb93ba149bf73692774446a1078464bb2c6cd698b9f4c3366e29d7d3395a6bb
    • Instruction Fuzzy Hash: 2E01D235E4025C2FDB5A97209D07A6D7A418FA27B4F944079BC4157391CB64CE09B286
    APIs
    • DecodePointer.KERNEL32(?,?,00F3F8A5,?,00000000,00000000,?,00F3702D,?,?,00000000,00000000,?,00000000,?,00F36DFD), ref: 00F3FA0F
    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00F3F8A5,?,00000000,00000000,?,00F3702D,?,?,00000000,00000000), ref: 00F3FA24
    • DecodePointer.KERNEL32(00F428AC,00F428B0,00F428B4,00F428BC,?,?,00F3F8A5,?,00000000,00000000,?,00F3702D,?,?,00000000,00000000), ref: 00F3FA99
    Similarity
    • API ID: DecodePointer$LibraryLoad
    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
    • API String ID: 1423960858-1745123996
    • Opcode ID: a3fdca628a4ca4d432703d01ecfdf317a85615921fecd03db697bdc73a4cefa1
    • Instruction ID: b0cdc48f2e0708c47a545cfb8b3a10b9476b20d9a100ee0f01316e64687511ee
    • Opcode Fuzzy Hash: a3fdca628a4ca4d432703d01ecfdf317a85615921fecd03db697bdc73a4cefa1
    • Instruction Fuzzy Hash: 78019224F402587FEF59D7109C07A5D3E418B92778F14007DBC0967392CB68CE0EB686
    APIs
    • DecodePointer.KERNEL32(?,?,00F3F8F1,00000000,?,00000000,?,00F36DFD,?), ref: 00F3FAC1
    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,00000000,?,?,00F3F8F1,00000000,?,00000000,?,00F36DFD,?), ref: 00F3FAD6
    • DecodePointer.KERNEL32(00F428AC,00F428B0,00F428B4,00F428BC,?,?,00F3F8F1,00000000,?,00000000,?,00F36DFD,?), ref: 00F3FB4B
    Similarity
    • API ID: DecodePointer$LibraryLoad
    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
    • API String ID: 1423960858-1745123996
    • Opcode ID: e91d9cfea5433146c8a110b62e04d365060d6606925940ecf7bde842618cdbd8
    • Instruction ID: 49c9b0d5430bc1ac9805f6326b4f33105850e990c5b79fb7a29a31993c76b040
    • Opcode Fuzzy Hash: e91d9cfea5433146c8a110b62e04d365060d6606925940ecf7bde842618cdbd8
    • Instruction Fuzzy Hash: 5E019260E042496FEB599720DC17A5D7E428BD2778F18807DBD0957392CA68CA09B296
    APIs
    • DecodePointer.KERNEL32(?,?,00F3F980,00000000,00000000,?,00F37025,?,00000000,00000000,?,00000000,?,00F36DFD,?), ref: 00F3FB73
    • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00F3F980,00000000,00000000,?,00F37025,?,00000000,00000000,?,00000000), ref: 00F3FB88
    • DecodePointer.KERNEL32(00F428AC,00F428B0,00F428B4,00F428BC,?,00F3F980,00000000,00000000,?,00F37025,?,00000000,00000000,?,00000000), ref: 00F3FBFD
    Similarity
    • API ID: DecodePointer$LibraryLoad
    • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
    • API String ID: 1423960858-1745123996
    • Opcode ID: 8f499a7a5085d046f20950d818077f48b8ac8c0cbde7b8f877825d5b7f23a5ed
    • Instruction ID: 25a7b579429bbfa200aeae0da735890efc192ae6a2f7e2cca3ff3629c2ff46f4
    • Opcode Fuzzy Hash: 8f499a7a5085d046f20950d818077f48b8ac8c0cbde7b8f877825d5b7f23a5ed
    • Instruction Fuzzy Hash: 1101F560F4024E2FEB5997208D0BB5D3E418B92774F14003DBC02173D2DB64CE0AB286
    APIs
      • Part of subcall function 00F401E0: iswupper.MSVCRT ref: 00F40217
      • Part of subcall function 00F401E0: towlower.MSVCRT ref: 00F40226
      • Part of subcall function 00F401E0: iswupper.MSVCRT ref: 00F40234
      • Part of subcall function 00F401E0: towlower.MSVCRT ref: 00F40240
      • Part of subcall function 00F401E0: iswupper.MSVCRT ref: 00F40278
      • Part of subcall function 00F401E0: towlower.MSVCRT ref: 00F40287
      • Part of subcall function 00F401E0: iswupper.MSVCRT ref: 00F40295
      • Part of subcall function 00F401E0: towlower.MSVCRT ref: 00F402A1
    • GetDisplayConfigBufferSizes.USER32(00000002,?,?), ref: 00F3A522
    Similarity
    • API ID: iswuppertowlower$BufferConfigDisplaySizes
    • String ID: T
    • API String ID: 3551102313-3187964512
    • Opcode ID: aff1209e6d1590d6e33094b3b6e26c8e322c6708f06d506ddbe435752c06bf63
    • Instruction ID: 577c60e04482ad5d59e9f76f733c2f856207f9dce337579633d723c866aad4e7
    • Opcode Fuzzy Hash: aff1209e6d1590d6e33094b3b6e26c8e322c6708f06d506ddbe435752c06bf63
    • Instruction Fuzzy Hash: 2251B472E003199FDB25DF65CC45BAEB7BCAF45320F0441AAAA49E7180EB749F40AF51
    APIs
    • WcsCreateIccProfile.MSCMS(?,00000000,?,?), ref: 00F38B0C
    • GetLastError.KERNEL32 ref: 00F38B1C
    • GetColorProfileFromHandle.MSCMS(00000000,00000000,?,?,?), ref: 00F38B51
    • GetLastError.KERNEL32 ref: 00F38B5B
    • CloseColorProfile.MSCMS(00000000,?,?), ref: 00F38CBF
    • CloseColorProfile.MSCMS(?,?,?), ref: 00F38CCE
    Similarity
    • API ID: Profile$Color$CloseErrorLast$CreateFromHandle
    • String ID: strg
    • API String ID: 2314085371-3320446829
    • Opcode ID: 4b4562a2d35bfd0bc290fa69cc3489edf71d6b548ea6956052aaf12cf95f313b
    • Instruction ID: 7f9ba2c1aad3c270cc3b9121123af0d0f987430ef2c7046ed6b5541c5a5d8936
    • Opcode Fuzzy Hash: 4b4562a2d35bfd0bc290fa69cc3489edf71d6b548ea6956052aaf12cf95f313b
    • Instruction Fuzzy Hash: 962106765043029BC3009F289D4555BBBE9AFD53F0F10052EFC54C2251EF78CA06ABA2
    APIs
    • ReleaseMutex.KERNEL32(000001D0), ref: 00F36A72
    • CloseHandle.KERNEL32 ref: 00F36A7E
    • OpenIcon.USER32(?), ref: 00F36A98
    • SetForegroundWindow.USER32(?), ref: 00F36AA1
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000003), ref: 00F36AB1
    • CallWindowProcW.USER32(?,?,?,?), ref: 00F36ACE
    Similarity
    • API ID: Window$CallCloseForegroundHandleIconMutexOpenProcRelease
    • String ID: dccw
    • API String ID: 1295780963-1595938506
    • Opcode ID: a82c7fcb1e0955c995926932f488266652d0ea0391b9fd8190da1e4b0a9551dd
    • Instruction ID: 90e803a2a65ab25da533410a6aaf8bacc2d2de8dbb665c998d6b35846cd43c8b
    • Opcode Fuzzy Hash: a82c7fcb1e0955c995926932f488266652d0ea0391b9fd8190da1e4b0a9551dd
    • Instruction Fuzzy Hash: 7EF0E73A50421CFBDF119F95EC0899A7FA9FB6A351B448022FD0595230C7718A60FBA0
    APIs
    • WcsGetUsePerUserProfiles.MSCMS(?,6D6E7472,?,?,?,?), ref: 00F3909A
    • GetLastError.KERNEL32(?,?,?), ref: 00F390A4
    • WcsGetDefaultColorProfile.MSCMS(00000000,?,00000001,00000004,00000000,00000208,?,?,?,?), ref: 00F390E7
    • GetLastError.KERNEL32(?,?,?), ref: 00F390F1
    • WcsOpenColorProfileW.MSCMS(?,00000000,00000000,00000001,00000001,00000003,00000000,?,?,?), ref: 00F3913B
    • GetLastError.KERNEL32(?,?,?), ref: 00F39147
    • DccwGetGamutSize.MSCMS(00000000,?,?,?,?), ref: 00F39168
    • CloseColorProfile.MSCMS(00000000,?,?,?), ref: 00F391B6
    Similarity
    • API ID: ColorErrorLastProfile$CloseDccwDefaultGamutOpenProfilesSizeUser
    • String ID:
    • API String ID: 1332131993-0
    • Opcode ID: edcad4bb96c44dbbb960f5382e001bc87202e6a383733a4dd305fa4e466c8299
    • Instruction ID: ea4027a251ae4a780b99fe37dd0d52380026cc2b504616e29be88a847e2995c4
    • Opcode Fuzzy Hash: edcad4bb96c44dbbb960f5382e001bc87202e6a383733a4dd305fa4e466c8299
    • Instruction Fuzzy Hash: 51411876D4023E9BD7309B64DC4CBABBAB4AF54730F0202A9ED05F7251DBB0DE409A90
    APIs
      • Part of subcall function 00F350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F35132
      • Part of subcall function 00F350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F3514F
      • Part of subcall function 00F350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F35162
      • Part of subcall function 00F350F7: CharNextW.USER32(00000027,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F3516D
    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,?,00F3542A,?,?,?,?,?), ref: 00F34AE0
    • CharNextW.USER32(00000000), ref: 00F34BBA
    • CharNextW.USER32(00000000), ref: 00F34BD4
    • VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 00F34C4B
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,-00000008,?,?,00F3542A,?,?,?,?,?), ref: 00F34DB3
      • Part of subcall function 00F350F7: CharNextW.USER32(?,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F351CA
      • Part of subcall function 00F350F7: CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F351EE
    Similarity
    • API ID: CharNext$FromValuelstrcmpi
    • String ID:
    • API String ID: 2221274522-0
    • Opcode ID: d848935c634cf278c128a56dd8ce2f1e23c0b6cbc31eceeab33ac56bffdba6c4
    • Instruction ID: d106df28e2f83b0a7a12dc2a0addc23f099f8b28676bb8fceb94bf5c6e1f0e43
    • Opcode Fuzzy Hash: d848935c634cf278c128a56dd8ce2f1e23c0b6cbc31eceeab33ac56bffdba6c4
    • Instruction Fuzzy Hash: 32A1B475E002298BDB249F24CC89AE9B7B5EF65360F0541E9EB09A7250D770BEC1EF50
    APIs
    • GdipCreateSolidFill.GDIPLUS(FF787878,00000000,00000001,?,?), ref: 00F3DEAF
    • GdipCreateFromHDC.GDIPLUS(?,00000000,?,?), ref: 00F3DEC0
    • GdipFillRectangleI.GDIPLUS(00000000,00000000,00000000,?,00000001,?,?,?), ref: 00F3DEE3
    • GdipFillRectangleI.GDIPLUS(00000000,?,00000005,?,?,?,?,?,?,FFFF0000), ref: 00F3DF6B
    • GdipDeleteBrush.GDIPLUS(?), ref: 00F3DF74
    • GdipDeleteGraphics.GDIPLUS(00000000), ref: 00F3DF7B
    • GdipDeleteBrush.GDIPLUS(00000000), ref: 00F3DF84
    Similarity
    • API ID: Gdip$DeleteFill$BrushCreateRectangle$FromGraphicsSolid
    • String ID:
    • API String ID: 2116296181-0
    • Opcode ID: 3505db35d468543c2c1d8dfe91ae74ee527828bf6cd5436778152eecd68eb863
    • Instruction ID: 9b4d170c2ac1ce8cfd004535f2fe534dce7b0fec2004cffcaf213de03c208e56
    • Opcode Fuzzy Hash: 3505db35d468543c2c1d8dfe91ae74ee527828bf6cd5436778152eecd68eb863
    • Instruction Fuzzy Hash: BC416D72900609EFCB20CFA8CD88AAEBBF9FF58314F004619E546E7654D730AA45DB50
    APIs
    • GdipCreateFromHDC.GDIPLUS(?,?,?,?,00000001), ref: 00F3C779
    • GdipCreateSolidFill.GDIPLUS(FF000000,00000093,?,?,00000001), ref: 00F3C78C
    • GdipFillRectangleI.GDIPLUS(?,00000093,00000000,?,00000001,?,?,?,00000001), ref: 00F3C7AC
      • Part of subcall function 00F3C8B1: GdipCreateLineBrushI.GDIPLUS(?,?,?,?,00000000,00000000,?,?,?,00F3C7E2,?,00000000,?,?,?,?), ref: 00F3C8E2
    • GdipFillRectangleI.GDIPLUS(?,?,00000005,?,?,?,?,00000000,?,?,?,?,00000001), ref: 00F3C806
    • GdipDeleteBrush.GDIPLUS(?,?,?,00000001), ref: 00F3C80F
    • GdipDeleteBrush.GDIPLUS(00000093,?,?,00000001), ref: 00F3C818
    • GdipDeleteGraphics.GDIPLUS(?,?,?,00000001), ref: 00F3C81F
    Similarity
    • API ID: Gdip$BrushCreateDeleteFill$Rectangle$FromGraphicsLineSolid
    • String ID:
    • API String ID: 1713370201-0
    • Opcode ID: c0c79bfdfeb7f29cf499e9aff4f9fef519312926a1dd6e1184d594a114184b34
    • Instruction ID: 42fbda0867c9db320edb076c19664831126d5e2b2d143a9efd2b2837d3939965
    • Opcode Fuzzy Hash: c0c79bfdfeb7f29cf499e9aff4f9fef519312926a1dd6e1184d594a114184b34
    • Instruction Fuzzy Hash: 7541EA7690051AEFCB05DFA8D984CAEBBB9FF18314B004269E906E3610DB30EA15DF91
    APIs
    • CallWindowProcW.USER32(?,?,?,00000024,?), ref: 00F36F30
    • GetWindowLongW.USER32(?,000000FC), ref: 00F36F40
    • CallWindowProcW.USER32(?,?,00000082,00000024,?), ref: 00F36F59
    • GetWindowLongW.USER32(?,000000FC), ref: 00F36F72
    • SetWindowLongW.USER32(?,000000FC,?), ref: 00F36F84
    Similarity
    • API ID: Window$Long$CallProc
    • String ID: $
    • API String ID: 513923721-3993045852
    • Opcode ID: 509e39ea2cd2c3f8d827fb32b2f9ea0b3fbaae986b0daa96ad62200f2c126bad
    • Instruction ID: c1e52e4e7d67babb3666f5ace3fa81778219d448276faf90ce95fb8ae467b976
    • Opcode Fuzzy Hash: 509e39ea2cd2c3f8d827fb32b2f9ea0b3fbaae986b0daa96ad62200f2c126bad
    • Instruction Fuzzy Hash: 47411D75A0051AFFCB05CF68D9849ADFBB5FF58320F108219E915E3660D771AA60EF90
    APIs
    • FormatMessageW.KERNEL32(00001100,00000000,00F368A9,00000000,00F30000,00000000,00000000), ref: 00F3EA5C
    • FormatMessageW.KERNEL32(00002500,?,00000000,00000000,?,00000000,?,00F30000,-0000012A), ref: 00F3EAC2
    • LocalFree.KERNEL32(00000000), ref: 00F3EAE2
    • LocalFree.KERNEL32(00000000,00F30000,-0000012A), ref: 00F3EAF3
      • Part of subcall function 00F3E8E3: EventWrite.ADVAPI32(00F31F20,00000001,?,?,00F368A9,00000000), ref: 00F3E944
      • Part of subcall function 00F3E8E3: MessageBoxW.USER32(00000000,00000000,00F428C8,00000010), ref: 00F3E973
    Similarity
    • API ID: Message$FormatFreeLocal$EventWrite
    • String ID: strg$strg
    • API String ID: 3780319976-3117884289
    • Opcode ID: 4f781d32d6a1b017b57de484302f6d048c11bb9d510802d973bdff6eacf10184
    • Instruction ID: 25ac244c783db1cd00ba322df138fd9d068686e6b5072de7661dad56871e685a
    • Opcode Fuzzy Hash: 4f781d32d6a1b017b57de484302f6d048c11bb9d510802d973bdff6eacf10184
    • Instruction Fuzzy Hash: B8319C71A08301ABE700DF64DC45B6FBBE8EFC4764F00092DF991922A1D774D948EBA2
    APIs
    • GetDC.USER32 ref: 00F3F3C9
    • EnumDisplayMonitors.USER32(00000000,00000000,Function_0000F100,00000000), ref: 00F3F3E1
    • ReleaseDC.USER32(?,00000000), ref: 00F3F3E9
    • GetLastError.KERNEL32 ref: 00F3F3F1
    • GetParent.USER32(00000000), ref: 00F3F43B
    • PostMessageW.USER32(00000000,00000470,00000000,00000003), ref: 00F3F44B
    • ShowWindow.USER32(00000000,00000003,?), ref: 00F3F460
    Similarity
    • API ID: DisplayEnumErrorLastMessageMonitorsParentPostReleaseShowWindow
    • String ID:
    • API String ID: 3937410996-0
    • Opcode ID: afb9b85b0dcfcb6a1d527d82f7adc75e4fb00a511b5597a51380df54ef008703
    • Instruction ID: 1bed438151c4ee8d3b0396c207a722042c60bbe654150e56a99b633f1c4b7da9
    • Opcode Fuzzy Hash: afb9b85b0dcfcb6a1d527d82f7adc75e4fb00a511b5597a51380df54ef008703
    • Instruction Fuzzy Hash: 0F21B035B00215AFDB10AB65DC49B6E7BA8EF45771F104065F901EB2A0CB74EE09AB61
    APIs
    • GetDlgItem.USER32(?,00000095), ref: 00F3AFD1
    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F3AFE1
    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00F3AFF9
    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00F3B044
    Similarity
    • API ID: DirectoryExecuteItemMessageSendShellSystem
    • String ID: CTTune.exe$open
    • API String ID: 2938676387-2528619867
    • Opcode ID: 20b061f65f19f379ccf9add952ac609a3e019cafe44047e24a7566e790da3d23
    • Instruction ID: 1e97cdb11f526b1af1dbd85f514dbf18f59920a1bd584a94a64ddd9152a57897
    • Opcode Fuzzy Hash: 20b061f65f19f379ccf9add952ac609a3e019cafe44047e24a7566e790da3d23
    • Instruction Fuzzy Hash: CE2129B5B01228A7CB349B24DC5DE6B7768DF81B30F110165FE11E7281CB74DE00AA90
    APIs
    • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,00000000,00F3F911,00000000,?,00000000,?,00F36DFD,?), ref: 00F3F733
    • HeapAlloc.KERNEL32(00000000,?,00000000,?,00F36DFD,?), ref: 00F3F73A
      • Part of subcall function 00F3F7EE: IsProcessorFeaturePresent.KERNEL32(0000000C,00F3F721,00000000,00000000,00F3F911,00000000,?,00000000,?,00F36DFD,?), ref: 00F3F7F0
    • InterlockedPopEntrySList.KERNEL32(00000000,00000000,00000000,00F3F911,00000000,?,00000000,?,00F36DFD,?), ref: 00F3F743
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,?,00F36DFD,?), ref: 00F3F766
    • InterlockedPopEntrySList.KERNEL32(?,00000000,?,00F36DFD,?), ref: 00F3F77E
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,00F36DFD,?), ref: 00F3F792
    Similarity
    • API ID: AllocEntryHeapInterlockedListVirtual$FeatureFreePresentProcessProcessor
    • String ID:
    • API String ID: 3687752540-0
    • Opcode ID: ca9eb3cc8cef7a52c43192e832a56620cf77b868c8d00c3c2fb59422c5e01228
    • Instruction ID: 3fe03699dd55bd1ef2a040fe0976ec1fcc1b70d163f24cd3b940ba6b44db35e1
    • Opcode Fuzzy Hash: ca9eb3cc8cef7a52c43192e832a56620cf77b868c8d00c3c2fb59422c5e01228
    • Instruction Fuzzy Hash: 2411043AF00602BBE760177CED08B2A3B95AF96772F540431FE45D62A0DB20CC09BB60
    APIs
      • Part of subcall function 00F3A94C: GetWindowLongW.USER32(?,000000EC), ref: 00F3A956
      • Part of subcall function 00F3A94C: EnumChildWindows.USER32(?,00F3AC60), ref: 00F3A994
      • Part of subcall function 00F3A94C: EnumChildWindows.USER32(?,00F3AC80), ref: 00F3A9CC
    • GetDlgItem.USER32(?,din), ref: 00F3BD04
    • SetWindowTextW.USER32(00000000,00F428C8), ref: 00F3BD0E
    Similarity
    • API ID: ChildEnumWindowWindows$ItemLongText
    • String ID: din$i$n$strg
    • API String ID: 2822888986-2104475465
    • Opcode ID: 880c8d5dbd0f312d825cb40dbc51fc9dad0f268c1c3a7bbe71773ff651f8f768
    • Instruction ID: 1939c1f7bfe4d36bc8343cd35a6e450c83b94ec4b984ef21b05fc311ef9dcfdc
    • Opcode Fuzzy Hash: 880c8d5dbd0f312d825cb40dbc51fc9dad0f268c1c3a7bbe71773ff651f8f768
    • Instruction Fuzzy Hash: 57118F75E00209ABDF14EFA5ED44AAEBBB6FF58314F01412DEA1563210CB759A14EFA0
    APIs
    • GetWindowLongW.USER32(?,000000EC), ref: 00F3A956
    • EnumChildWindows.USER32(?,00F3AC60), ref: 00F3A994
    • EnumChildWindows.USER32(?,00F3AC80), ref: 00F3A9CC
    Similarity
    • API ID: ChildEnumWindows$LongWindow
    • String ID: IDD = %d: m_bIsRtl = %s$false$true
    • API String ID: 92254136-2899959848
    • Opcode ID: 9021594b28fa7e72cd86eafebb1e420d4a124a55f7747b8414aed8fa542fba28
    • Instruction ID: 386acdf475e593d131edd57b078e7ed5448b4b1cee9d5c91f8c9a40eb4dc4c6a
    • Opcode Fuzzy Hash: 9021594b28fa7e72cd86eafebb1e420d4a124a55f7747b8414aed8fa542fba28
    • Instruction Fuzzy Hash: 5101DE32A02710AFD7219B38CC0AB57BBA4EF14371F01892DF5E6C41E2CAA0E904B711
    APIs
    • CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,?,00000000), ref: 00F34805
    • CharNextW.USER32(00000000,?,?,00000001,?,00000000), ref: 00F34838
    • wcsncpy_s.MSVCRT ref: 00F34879
    • CharNextW.USER32(00000000,00000000,?,?,?,00000001,?,00000000), ref: 00F348C6
    • CharNextW.USER32(?,?,00000001,?,00000000), ref: 00F348E5
    • CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,?,00000000), ref: 00F34922
    Similarity
    • API ID: CharNext$Task$AllocFreewcsncpy_s
    • String ID:
    • API String ID: 3890462556-0
    • Opcode ID: 92d2611d41723fa3961f8a8b126ca8fe579b77d5947c129bfebecc2b52a3a61d
    • Instruction ID: 27956f5881c389821a1a746f223e851fe7190f5d550c4cfe7639d3ebf494fe88
    • Opcode Fuzzy Hash: 92d2611d41723fa3961f8a8b126ca8fe579b77d5947c129bfebecc2b52a3a61d
    • Instruction Fuzzy Hash: 7D51F339A012198BCF159F68CC94B6EB7B5EF45730F244129E902DB294EB70FE41EB50
    APIs
      • Part of subcall function 00F357ED: CharNextW.USER32(?,00000000,00F35107,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F3580C
    • CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F35132
    • CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F3514F
    • CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F35162
    • CharNextW.USER32(00000027,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F3516D
    • CharNextW.USER32(?,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F351CA
    • CharNextW.USER32(00000000,?,00000000,00000000,?,?,00F35878,?,00000000,?,00000000,00000000,00000000), ref: 00F351EE
    Similarity
    • API ID: CharNext
    • String ID:
    • API String ID: 3213498283-0
    • Opcode ID: 29d9df78bbcb585f097a78d18cf445c89b46d21af46b69ae1f67a00c0d6c80e7
    • Instruction ID: 91d6e0e58aa2201d7a3d3275d2769be6bd31672fbaf51b7712e9c53fdd5bf4e8
    • Opcode Fuzzy Hash: 29d9df78bbcb585f097a78d18cf445c89b46d21af46b69ae1f67a00c0d6c80e7
    • Instruction Fuzzy Hash: 1C41E639A005128FCB24AF78C88457AF7B1FFE8B30B65441AD84287254FB70DE44E710
    APIs
    • WcsDisassociateColorProfileFromDevice.MSCMS(00000000,?,?,?,00000000,00000000,?,?,?,00F38D76,?,?,?), ref: 00F39C7E
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00F38D76,?,?,?), ref: 00F39C88
    • WcsGetUsePerUserProfiles.MSCMS(?,6D6E7472,?,?,00000000,00000000,?,?,?,00F38D76,?,?,?), ref: 00F39CBB
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00F38D76,?,?,?), ref: 00F39CC5
    • WcsDisassociateColorProfileFromDevice.MSCMS(00000001,?,?,?,00000000,00000000,?,?,?,00F38D76,?,?,?), ref: 00F39CEA
    • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00F38D76,?,?,?), ref: 00F39CF4
    Similarity
    • API ID: ErrorLast$ColorDeviceDisassociateFromProfile$ProfilesUser
    • String ID:
    • API String ID: 2382097621-0
    • Opcode ID: ed52dc53f25b3af59bba55a7932fdca860c08bd39a5ebced0f140a15886d39dc
    • Instruction ID: 2a90e968749e23b184bea95eff2886b19b679662a6d8b63ea57fe446b233fedd
    • Opcode Fuzzy Hash: ed52dc53f25b3af59bba55a7932fdca860c08bd39a5ebced0f140a15886d39dc
    • Instruction Fuzzy Hash: 21210437D081239BD7300B5D8849B67BAA8EF917B0F294125EC41DB121E6E4CC40F6E0
    APIs
    • GetDC.USER32(?), ref: 00F3DFB3
    • GetWindowTextLengthW.USER32(?), ref: 00F3DFC1
    • GetWindowTextW.USER32(?,00000000,?), ref: 00F3DFF3
    • GetTextExtentPoint32W.GDI32(00000000,00000000,?,?), ref: 00F3E002
    • MoveWindow.USER32(?,00000000,?,?,?,00000001), ref: 00F3E028
    • ReleaseDC.USER32(?,00000000), ref: 00F3E03C
    Similarity
    • API ID: TextWindow$ExtentLengthMovePoint32Release
    • String ID:
    • API String ID: 516594899-0
    • Opcode ID: 6e0fca41926fbb6749a6853e4e6f45d7238f5c463f4a965642bbdedb4daf3c83
    • Instruction ID: 8c304fe34f3b819f4876d2f54dcf87dddbb4af8e6a768e7473eea7b582336ce6
    • Opcode Fuzzy Hash: 6e0fca41926fbb6749a6853e4e6f45d7238f5c463f4a965642bbdedb4daf3c83
    • Instruction Fuzzy Hash: 6411A776600209FFDB159FB4EC4EE9F7FBDEB85311F104029FA42C50A0DA719A00AB20
    APIs
    • FindResourceW.KERNEL32(00F30000,?,000001F4,?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F13C
    • GetLastError.KERNEL32(?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F14B
    • LoadResource.KERNEL32(00F30000,00000000,?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F166
    • GetLastError.KERNEL32(?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F172
    • SizeofResource.KERNEL32(00F30000,?,?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F18F
    • LockResource.KERNEL32(00000000,?,00000000,?,?,?,00F3EC29,?,?,?,00000000,?), ref: 00F3F19B
    Similarity
    • API ID: Resource$ErrorLast$FindLoadLockSizeof
    • String ID:
    • API String ID: 518650369-0
    • Opcode ID: 627130f9448be9cde380a4021a5f56ba6475919e5d03e3de4df3604c82df06f4
    • Instruction ID: 5babd40a0e66e643cf1bc6960c2fcefda1eee2bb559c1a2d2c11aa3945e23ffb
    • Opcode Fuzzy Hash: 627130f9448be9cde380a4021a5f56ba6475919e5d03e3de4df3604c82df06f4
    • Instruction Fuzzy Hash: B311737BD00234EBC7119FA9ED4495ABAB8AB99770B114125FD45D7350D630CD00E7E0
    APIs
      • Part of subcall function 00F37443: GetDlgItem.USER32(?,00000091), ref: 00F3745F
      • Part of subcall function 00F37443: GetDlgItem.USER32(?,00000087), ref: 00F374B2
    • GetDlgItem.USER32(?,000000C8), ref: 00F3D98D
    • GetDlgItem.USER32(?,000000CD), ref: 00F3D9A1
    • GetDlgItem.USER32(?,000000D2), ref: 00F3D9B5
    • GetDlgItem.USER32(?,000000D7), ref: 00F3D9C9
    • GetDlgItem.USER32(?,000000DC), ref: 00F3D9DD
    • GetDlgItem.USER32(?,000000E1), ref: 00F3D9F1
    Similarity
    • API ID: Item
    • String ID:
    • API String ID: 3207170592-0
    • Opcode ID: 5e93e8489ed2175cbd7784cefac4c67bf1fe8079363c38afd678bd2000643766
    • Instruction ID: 1e7f3dafbc37e9d53ba041329a8a78f719bde0c685c551604a14d43d89791318
    • Opcode Fuzzy Hash: 5e93e8489ed2175cbd7784cefac4c67bf1fe8079363c38afd678bd2000643766
    • Instruction Fuzzy Hash: 1711E234811B00EFEB305B61DD05B96BAE0FF10721F008A2FE96E96160C7715980EB10
    APIs
      • Part of subcall function 00F3434F: InitializeCriticalSection.KERNEL32(?,00F40FD0,0000000C,00F34017), ref: 00F34361
    • GetModuleFileNameW.KERNEL32(00F30000,?,00000104), ref: 00F34073
    • GetModuleHandleW.KERNEL32(00000000,?), ref: 00F340C6
    Similarity
    • API ID: Module$CriticalFileHandleInitializeNameSection
    • String ID: Module$Module_Raw$REGISTRY
    • API String ID: 3195065971-549000027
    • Opcode ID: 98a707bbd52b77e5c23027b8bd4ecd56eb698732e744f80c52aace771d093879
    • Instruction ID: 0942bdf14c68aa4b8a9841e3d664367915a4496df770f62e3766904dd2442ad6
    • Opcode Fuzzy Hash: 98a707bbd52b77e5c23027b8bd4ecd56eb698732e744f80c52aace771d093879
    • Instruction Fuzzy Hash: BF51C676B003299BCB24DF24CD40A9AB7B9AF55320F054099EE05A7240EB35BF44EF61
    APIs
    • GetColorDirectoryW.MSCMS(00000000,?,?,00000000), ref: 00F3966C
    • GetLastError.KERNEL32 ref: 00F39676
    Similarity
    • API ID: ColorDirectoryErrorLast
    • String ID: %s\%s$CalibratedDisplayProfile-%d-Temp.icc$CalibratedDisplayProfile-%d.icc
    • API String ID: 3534830153-2182247336
    • Opcode ID: 410ba916182eb71dc666fb73331da7dfdeb83e3bb8cbce288e2adae5158686ee
    • Instruction ID: 1d3deb73518778045fcee0e09c081dc5f11b829e3268220d61fecbdc01fb5d18
    • Opcode Fuzzy Hash: 410ba916182eb71dc666fb73331da7dfdeb83e3bb8cbce288e2adae5158686ee
    • Instruction Fuzzy Hash: B221D271A00309A7DB209B318C49FD7B7FCEB54314F00456AAD59D6042EAB1E605AAA0
    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator,00000000,00020019,?), ref: 00F3E7C4
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F3E7E6
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00F3E814
    • RegCloseKey.ADVAPI32(?), ref: 00F3E829
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator, xrefs: 00F3E7B7
    Similarity
    • API ID: QueryValue$CloseOpen
    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator
    • API String ID: 1586453840-1252446219
    • Opcode ID: 597946c542d0da0aaa36708b82b9cfa77cb8aea2ce1ab2d87795127b5814b8ec
    • Instruction ID: ebcbb67f84c3208038e6d6f70712f745922ef6fe00e7f00e1de4a858178503b2
    • Opcode Fuzzy Hash: 597946c542d0da0aaa36708b82b9cfa77cb8aea2ce1ab2d87795127b5814b8ec
    • Instruction Fuzzy Hash: 8A11F67AD00118BBCB21DF89D844EAEBBB8EF94760F108165FC04A6150D3309E50EBA0
    APIs
    • CopyFileW.KERNEL32(?,?,00000000), ref: 00F38D29
    • GetLastError.KERNEL32 ref: 00F38D33
    • WcsSetCalibrationManagementState.MSCMS(00000001,?,?,?,?), ref: 00F38D99
    • GetLastError.KERNEL32 ref: 00F38DA3
    • EventWrite.ADVAPI32(00F31F80,00000002,?), ref: 00F38E47
    Similarity
    • API ID: ErrorLast$CalibrationCopyEventFileManagementStateWrite
    • String ID:
    • API String ID: 4173155175-0
    • Opcode ID: ceac9eb84ff7d63400e58d7896d3404e17d17991ffc9c6ff66e7b8da620e5eb7
    • Instruction ID: 9b3db23319f7d106062b024280e7fe8b0f083cacc280a519a7960e309b9d4bb9
    • Opcode Fuzzy Hash: ceac9eb84ff7d63400e58d7896d3404e17d17991ffc9c6ff66e7b8da620e5eb7
    • Instruction Fuzzy Hash: C541D636E007169BCB199FA888516AEFBB1FF94760F15412DED0667380DF34AD42AB90
    APIs
      • Part of subcall function 00F374D3: GetWindowRect.USER32(?,?), ref: 00F37505
      • Part of subcall function 00F374D3: GetWindowRect.USER32(?,?), ref: 00F3751D
      • Part of subcall function 00F374D3: GetWindowRect.USER32(?,?), ref: 00F37535
      • Part of subcall function 00F374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3754E
      • Part of subcall function 00F374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3755F
      • Part of subcall function 00F374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F37570
      • Part of subcall function 00F374D3: _ftol2_sse.MSVCRT ref: 00F37602
    • GetWindowRect.USER32(?,?), ref: 00F3C643
    • GetWindowRect.USER32(?,?), ref: 00F3C65B
    • GetWindowRect.USER32(?,?), ref: 00F3C673
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000,?,?,00000001), ref: 00F3C6DB
    • MoveWindow.USER32(?,-00000010,?,00000010,?,00000001,?,00000000,00000000,?,?,00000001), ref: 00F3C6F3
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Window$Rect$Points$Move$_ftol2_sse
    • String ID:
    • API String ID: 3053001243-0
    • Opcode ID: 11ce29a033455e3bcb0b0b4a52ba0bbdcf0d3df125e79c3d658f95033119f76c
    • Instruction ID: 55da97a9ce4cd45147e02c59d2c4ea2d9227ad388d910dc78e510272149b54f9
    • Opcode Fuzzy Hash: 11ce29a033455e3bcb0b0b4a52ba0bbdcf0d3df125e79c3d658f95033119f76c
    • Instruction Fuzzy Hash: 37316171A0010AAFDB14CF78DC49FEEBBBAEF48314F044229F919E2160DB71A955DB90
    APIs
    • MonitorFromRect.USER32(?,00000002), ref: 00F36949
    • MonitorFromRect.USER32(?,00000002), ref: 00F36A0B
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: FromMonitorRect
    • String ID: Current display is 0x%08x$New rect (%d, %d, %d, %d) is on display 0x%08x
    • API String ID: 2578442757-1896848492
    • Opcode ID: ec7598c4482d6e98c88619a62be1c411b1382378132b12c0f0b816ac1a8f6ed8
    • Instruction ID: 4227694fd54d02187e8c6ae3f5f091668dfeb6d191a28ecdde0afb6051b8c5db
    • Opcode Fuzzy Hash: ec7598c4482d6e98c88619a62be1c411b1382378132b12c0f0b816ac1a8f6ed8
    • Instruction Fuzzy Hash: 9F513A79B00219AFCF05DF98C8859BEBBB5AF88320F14805AE905A7351CB74EE11DF91
    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator,00000000,00020006,00000000,?,?,?,00F3E16E,Brightness,00000004,00000004,?), ref: 00F3E86A
    • RegSetValueExW.ADVAPI32(00000000,?,00000000,?,?,?,?,?,?,00F3E16E,Brightness,00000004,00000004,?), ref: 00F3E886
    • RegCloseKey.ADVAPI32(00000000,?,?,?,00F3E16E,Brightness,00000004,00000004,?), ref: 00F3E897
    Strings
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator, xrefs: 00F3E860
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: CloseOpenValue
    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator
    • API String ID: 779948276-1252446219
    • Opcode ID: b930dee419e7897eafdd5aad94dc77c98da94608467caa4f7803d394daa8bb97
    • Instruction ID: ad06e2cc9ed4524883f45fc713cb89a4f5306fe37901b735e7fdf32b703dfbbd
    • Opcode Fuzzy Hash: b930dee419e7897eafdd5aad94dc77c98da94608467caa4f7803d394daa8bb97
    • Instruction Fuzzy Hash: 4DF04936D00228FBDB218F849D09F9E7A79EF04765F104160FD01A61A0C3728E10FBA1
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: ErrorLast_ftol2
    • String ID:
    • API String ID: 3138094797-0
    • Opcode ID: e6584b0cc8b1b809f9a751a4afa562db4313ca6003b90723a508129361e3f3f7
    • Instruction ID: 2aa14b51a93df9755e8835a4b5954611d711f94286a4e24741250a395fc40f00
    • Opcode Fuzzy Hash: e6584b0cc8b1b809f9a751a4afa562db4313ca6003b90723a508129361e3f3f7
    • Instruction Fuzzy Hash: 6B5181397006248FCB019F24D854B6D7BA2AF897B0F1600A9ED06DB395DF74ED06DB91
    APIs
      • Part of subcall function 00F3E04F: SendMessageW.USER32(?,00000406,00000001,?), ref: 00F3E06C
    • SendMessageW.USER32(?,00000415,00000000,00000000), ref: 00F3D7E7
      • Part of subcall function 00F3E07C: SendMessageW.USER32(?,00000405,00000001,?), ref: 00F3E08E
    • SendMessageW.USER32(?,00000415,00000000,00000000), ref: 00F3D87A
    • SendMessageW.USER32(?,00000415,00000000,00000000), ref: 00F3D910
    • SetTimer.USER32(?,00000001,00000032,00000000), ref: 00F3D952
      • Part of subcall function 00F3AB40: GetParent.USER32(?), ref: 00F3AB48
      • Part of subcall function 00F3AB40: PostMessageW.USER32(00000000,00000470,00000000,00000003), ref: 00F3AB58
      • Part of subcall function 00F3AB40: GetParent.USER32(?), ref: 00F3AB61
      • Part of subcall function 00F3AB40: SendMessageW.USER32(00000000,00000489,00000000,00F31FA0), ref: 00F3AB74
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Message$Send$Parent$PostTimer
    • String ID:
    • API String ID: 1672226202-0
    • Opcode ID: 320c74509e482720f8633cc2edb3d3935881db6ca50cf9537bfc1c7d481fe0c3
    • Instruction ID: 0830489fc8e2321d542662713264d277174f82360f4d7d309975d2b652c26b25
    • Opcode Fuzzy Hash: 320c74509e482720f8633cc2edb3d3935881db6ca50cf9537bfc1c7d481fe0c3
    • Instruction Fuzzy Hash: 27513B35600116EFDF059F54DC84FA87BA6FF49310F1940B5EE09AB2A6CB71AE11AF60
    APIs
    • DestroyPhysicalMonitors.DXVA2(00000001,00000014,00000000,00000000,00000000,?,00F37B14,00000000,00000000,00F33D1A), ref: 00F3A054
    • DeleteDC.GDI32(?), ref: 00F3A06C
    • DccwReleaseDisplayProfileAssociationList.MSCMS(?,00000000,00000000,00000000,?,00F37B14,00000000,00000000,00F33D1A), ref: 00F3A14D
    • DccwReleaseDisplayProfileAssociationList.MSCMS(?,?,00F37B14,00000000,00000000,00F33D1A), ref: 00F3A159
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: AssociationDccwDisplayListProfileRelease$DeleteDestroyMonitorsPhysical
    • String ID:
    • API String ID: 896183022-0
    • Opcode ID: 98f74680f88e1e59656554d51eb5a1c87f5a7e7830acd729a3495bb9e20de0f7
    • Instruction ID: e0450ea71ca9a179e56024cf8eccfbcc247b0cd87dd35b946e17d89692f4d003
    • Opcode Fuzzy Hash: 98f74680f88e1e59656554d51eb5a1c87f5a7e7830acd729a3495bb9e20de0f7
    • Instruction Fuzzy Hash: 8941AAB1805B009FD3719F2A9894AD3FBE4FF4A320F90492EE5AE82210DB356944DF91
    APIs
    • MapDialogRect.USER32(?,?), ref: 00F3AA1C
    • GetWindowRect.USER32(?,?), ref: 00F3AA42
    • EnumChildWindows.USER32(?,00F3AD30), ref: 00F3AABD
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F3AAC9
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Rect$ChildDialogEnumInvalidateWindowWindows
    • String ID:
    • API String ID: 102734436-0
    • Opcode ID: 59534c05ac0c1996699c389c837b6eddafbfc0b8b71b14a935370bce4641619a
    • Instruction ID: ae4b9700534ecd24481de0077f6a0e1b25b4669cf8a01672e6b312a9ee77f20a
    • Opcode Fuzzy Hash: 59534c05ac0c1996699c389c837b6eddafbfc0b8b71b14a935370bce4641619a
    • Instruction Fuzzy Hash: 10316D31A0060A9FDB14CF7CC945BAEBBF6FB45311F044528A59AD6150DBB4A908DB51
    APIs
      • Part of subcall function 00F374D3: GetWindowRect.USER32(?,?), ref: 00F37505
      • Part of subcall function 00F374D3: GetWindowRect.USER32(?,?), ref: 00F3751D
      • Part of subcall function 00F374D3: GetWindowRect.USER32(?,?), ref: 00F37535
      • Part of subcall function 00F374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3754E
      • Part of subcall function 00F374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F3755F
      • Part of subcall function 00F374D3: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00F37570
      • Part of subcall function 00F374D3: _ftol2_sse.MSVCRT ref: 00F37602
    • GetWindowRect.USER32(?,?), ref: 00F3C085
    • GetWindowRect.USER32(?,?), ref: 00F3C099
    • GetWindowRect.USER32(?,?), ref: 00F3C0AD
    • MoveWindow.USER32(?,00000000,?,?,?,00000001,?,00000000,00000000), ref: 00F3C0FF
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Window$Rect$Points$Move_ftol2_sse
    • String ID:
    • API String ID: 4240149109-0
    • Opcode ID: 9365928529aa31f4c0b0ad460500c5f3f03c496c2ec86cd733827aa0172779ff
    • Instruction ID: d9e5e4deb4d8c6f906aac4d8b2c9c923b8f9520747027f3812adf042a7f5830b
    • Opcode Fuzzy Hash: 9365928529aa31f4c0b0ad460500c5f3f03c496c2ec86cd733827aa0172779ff
    • Instruction Fuzzy Hash: 0C217175A00209AFDB10EF78CD49BEEBBB9EF48324F054129F916E2195DB30E944DB60
    APIs
    • GetWindowLongW.USER32(?,000000F0), ref: 00F3BA20
    • SetTextColor.GDI32(?,00000000), ref: 00F3BA32
    • SetBkMode.GDI32(?,00000001), ref: 00F3BA3C
    • GetStockObject.GDI32(00000005), ref: 00F3BA44
      • Part of subcall function 00F3BAD1: GetDlgItem.USER32(?,000000AA), ref: 00F3BB07
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: ColorItemLongModeObjectStockTextWindow
    • String ID:
    • API String ID: 3442870416-0
    • Opcode ID: 791dca1a6aceefe5baa58ea578bf8fbd91265ba3aa32d869075aa708006fafcc
    • Instruction ID: 9fad91f8b4a0294a990228707e4fe43a02a2f513e238c073a5b431d1692d44ed
    • Opcode Fuzzy Hash: 791dca1a6aceefe5baa58ea578bf8fbd91265ba3aa32d869075aa708006fafcc
    • Instruction Fuzzy Hash: 46116D3250466DABDF255F19DC18B9E7B65EB05735F004126FE1586260C7789D20EFA0
    APIs
    • GetParent.USER32(?), ref: 00F3AEEA
    • PostMessageW.USER32(00000000,00000470,00000000,00000005), ref: 00F3AEFB
    • GetDlgItem.USER32(?,00000095), ref: 00F3AF17
    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F3AF26
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: Message$ItemParentPostSend
    • String ID:
    • API String ID: 3857695281-0
    • Opcode ID: f750fc16bf95bb60fad391a61b55e64e23e4369d3711abcb140320b0f33ad10c
    • Instruction ID: 4ac5a51f5def954116ef4ea93478e823024f9e36f1b8c266fb7128e81955cee4
    • Opcode Fuzzy Hash: f750fc16bf95bb60fad391a61b55e64e23e4369d3711abcb140320b0f33ad10c
    • Instruction Fuzzy Hash: 5301A139700211AFDB105F318C48A6B3F65EB85BA1F044071FD05DB291CB709A01ABA0
    APIs
      • Part of subcall function 00F40B1A: GetModuleHandleW.KERNEL32(00000000), ref: 00F40B21
    • __set_app_type.MSVCRT ref: 00F40352
    • __p__fmode.MSVCRT ref: 00F40368
    • __p__commode.MSVCRT ref: 00F40376
    • __setusermatherr.MSVCRT ref: 00F40397
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
    • String ID:
    • API String ID: 1632413811-0
    • Opcode ID: 55823a0f01b9ccd7c28221311005744c016ad340aaa5c4b064a3253b36cf6783
    • Instruction ID: 14044702c3b1b9213e0f68c530e6161f666bab0b62465b4b94c379d1ba1cfeb0
    • Opcode Fuzzy Hash: 55823a0f01b9ccd7c28221311005744c016ad340aaa5c4b064a3253b36cf6783
    • Instruction Fuzzy Hash: 26F0F87854430C8FD7686F70AC4A6287BA1FB62321B50062AFC52863F1CF3A9184FA01
    APIs
    • GetParent.USER32(?), ref: 00F3F368
    • PostMessageW.USER32(00000000,00000470,00000000,00000002), ref: 00F3F378
    • GetParent.USER32(?), ref: 00F3F381
    • SendMessageW.USER32(00000000,00000489,00000000,00F31FA0), ref: 00F3F394
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: MessageParent$PostSend
    • String ID:
    • API String ID: 2241083247-0
    • Opcode ID: 71fece270a7c4ddcb9373575ac2984f9f4938fec0f5f239df4f624da11622544
    • Instruction ID: d2575e3bf5f23e478fe7ed913e1da3ec4d229570cc2e250309d23d772122e164
    • Opcode Fuzzy Hash: 71fece270a7c4ddcb9373575ac2984f9f4938fec0f5f239df4f624da11622544
    • Instruction Fuzzy Hash: 39E01276684744BFE6202B70EC0FF463A68EB55B15F118550B756E90F0CBF0AA40AB44
    APIs
    • GetParent.USER32(?), ref: 00F3AB48
    • PostMessageW.USER32(00000000,00000470,00000000,00000003), ref: 00F3AB58
    • GetParent.USER32(?), ref: 00F3AB61
    • SendMessageW.USER32(00000000,00000489,00000000,00F31FA0), ref: 00F3AB74
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: MessageParent$PostSend
    • String ID:
    • API String ID: 2241083247-0
    • Opcode ID: d8a46cc8e3c69221443030047e584bc20fa75a696288687c6e426be0fe688c1d
    • Instruction ID: 3e952dee53bc8d88531b68099173f91bc193c8063d9d873e6f5c542f44ae9da5
    • Opcode Fuzzy Hash: d8a46cc8e3c69221443030047e584bc20fa75a696288687c6e426be0fe688c1d
    • Instruction Fuzzy Hash: 12E01276684744BFE6202B70FC0EF463A68EB55B15F118550B756E90F0CBF0AB40AB44
    APIs
    • EventWrite.ADVAPI32(00F31F20,00000001,?,?,00F368A9,00000000), ref: 00F3E944
    • MessageBoxW.USER32(00000000,00000000,00F428C8,00000010), ref: 00F3E973
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: EventMessageWrite
    • String ID: strg
    • API String ID: 2344367845-3320446829
    • Opcode ID: 3b90ad0729476ecb4b8dfa0a934eecc90f0811abd63ca37faf3dc3044e3de564
    • Instruction ID: 423e5cb29fb7f669dde2271c7b5dc21a3a73245ad126cbf38dea0acb14b49cbd
    • Opcode Fuzzy Hash: 3b90ad0729476ecb4b8dfa0a934eecc90f0811abd63ca37faf3dc3044e3de564
    • Instruction Fuzzy Hash: 1211C47AD0020DABDF149F69DC45AAFBBB5EF89320F00052AFD1263290D7759E45EB90
    APIs
    • memset.MSVCRT ref: 00F3A6CC
      • Part of subcall function 00F3A4CC: GetDisplayConfigBufferSizes.USER32(00000002,?,?), ref: 00F3A522
    • DisplayConfigGetDeviceInfo.USER32(?), ref: 00F3A70F
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: ConfigDisplay$BufferDeviceInfoSizesmemset
    • String ID:
    • API String ID: 4257415688-3916222277
    • Opcode ID: 297f7c5eaf9e6d6b6704934d902c7b3dc92ec6e2813ab479173bc850020c8f74
    • Instruction ID: 1967e3c8d3b8c1d2b892f9a435ba8935385fcf806df1bcc1f53c2e4105021014
    • Opcode Fuzzy Hash: 297f7c5eaf9e6d6b6704934d902c7b3dc92ec6e2813ab479173bc850020c8f74
    • Instruction Fuzzy Hash: 7811C476D012298BDB10CFA5C94579EBBF4AF44720F210129DD05AB381DB78DE04DBD1
    APIs
    • memset.MSVCRT ref: 00F3EB33
    • TaskDialogIndirect.COMCTL32(00000060,00000001,00000000,00000000,?,00000000,00000000), ref: 00F3EB79
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: DialogIndirectTaskmemset
    • String ID: `
    • API String ID: 3334335582-2679148245
    • Opcode ID: a4f103fdd955f82b9fd4e279eb4d7cd82edcd02d7b593fd781affe6c9e970ee4
    • Instruction ID: 5f0b48605d65164c312de696b9403baff6658408fd8d83a59b7bced6b13d70b3
    • Opcode Fuzzy Hash: a4f103fdd955f82b9fd4e279eb4d7cd82edcd02d7b593fd781affe6c9e970ee4
    • Instruction Fuzzy Hash: 6C01E1B5900358ABDF20DF99CD49BCEBFBDEF81724F10012AE505AB280D7B45948DB50
    APIs
    • GetMonitorInfoW.USER32(?,?), ref: 00F39020
    • CreateDCW.GDI32(?,?,00000000,00000000), ref: 00F39034
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: CreateInfoMonitor
    • String ID: h
    • API String ID: 3263162237-2439710439
    • Opcode ID: 857acfaca7cf85f4f75ea52390f47bdc4675a016c2d62e4f3bb7afdab8bc6794
    • Instruction ID: 2b622b4f4406c0261f71486ae614f4bcf733aefba6a74fe42471013eef0e7bce
    • Opcode Fuzzy Hash: 857acfaca7cf85f4f75ea52390f47bdc4675a016c2d62e4f3bb7afdab8bc6794
    • Instruction Fuzzy Hash: F6F08C72514704AFC724DF34D845F577BE8AB58360F518A1DF996C3190EB74E900DBA2
    APIs
    • GetProcAddress.KERNEL32(00000000,AtlThunk_AllocateData), ref: 00F3F85E
    • EncodePointer.KERNEL32(00000000,?,00F3FC57,00F428BC,?,00F3F9CB,?,00000000,?,00F36D51,00000000,?,00000000,00F3615B,00000000,00000000), ref: 00F3F86D
    Memory Dump Source
    • Source File: 00000000.00000002.1399136813.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true
• Associated: 00000000.00000002.1399117243.0000000000F30000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399163835.0000000000F42000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1399178924.0000000000F43000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_f30000_Yu4oufkUC8.jbxd
    Similarity
    • API ID: AddressEncodePointerProc
    • String ID: AtlThunk_AllocateData
    • API String ID: 1846120836-3926079072
    • Opcode ID: 53d1ed338591d9c7d7472bd27bcb1e3ef20f5373d0717dc21ed0265a1b5a28e5
    • Instruction ID: 38ed3c31c280599fd8d75b1b3284872f7382f2d0515736f7f13d3cc429f2c65a
    • Opcode Fuzzy Hash: 53d1ed338591d9c7d7472bd27bcb1e3ef20f5373d0717dc21ed0265a1b5a28e5
    • Instruction Fuzzy Hash: EBD0A775500308BB8B144F329809A677B5CAAE37217004028FC05C3210E536D409B534
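Added triage helper, not part of the Joe Sandbox report and not Joe Sandbox code: a Python parser for the "APIs" bullets in the function listings above. It turns each bullet into a structured call record, decodes the RegOpenKeyExW arguments from the DCCW\Simulator function (80000001 is the documented HKEY_CURRENT_USER handle and 00020006 is KEY_WRITE), groups the calls by the DLL the sandbox attributed them to, and pulls out the resolved string arguments (the registry path, the "Brightness" value name, the AtlThunk_AllocateData export passed to GetProcAddress). The sample input is copied from this listing; a "?" is an argument the sandbox could not resolve and is kept as such, and the trailing stack slots the sandbox prints beyond a function's real parameter count are kept in args without interpretation.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed input: "APIs" bullets copied from the function listing in this report.
SAMPLE_LINES = [
    r"• RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator,00000000,00020006,00000000,?,?,?,00F3E16E,Brightness,00000004,00000004,?), ref: 00F3E86A",
    r"• RegSetValueExW.ADVAPI32(00000000,?,00000000,?,?,?,?,?,?,00F3E16E,Brightness,00000004,00000004,?), ref: 00F3E886",
    r"• RegCloseKey.ADVAPI32(00000000,?,?,?,00F3E16E,Brightness,00000004,00000004,?), ref: 00F3E897",
    r"  • Part of subcall function 00F374D3: _ftol2_sse.MSVCRT ref: 00F37602",
    r"• GetProcAddress.KERNEL32(00000000,AtlThunk_AllocateData), ref: 00F3F85E",
]

# Shape of one bullet: [Part of subcall function X: ]Api.MODULE[(args)][, ref: ADDR]
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

# Documented Win32 values (winreg.h / winnt.h).
_HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
_KEY_COMPOSITES = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
_KEY_BITS = [
    (0x00001, "KEY_QUERY_VALUE"), (0x00002, "KEY_SET_VALUE"),
    (0x00004, "KEY_CREATE_SUB_KEY"), (0x00008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00010, "KEY_NOTIFY"), (0x00020, "KEY_CREATE_LINK"), (0x20000, "READ_CONTROL"),
]
_WOW64_BITS = [(0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: Optional[str] = None      # call-site address, when the report shows one
    caller: Optional[str] = None   # set for "Part of subcall function X" bullets


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet of an 'APIs' block; None for any other report line."""
    m = _API_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, m.group("ref"), m.group("caller"))


def parse_api_lines(lines) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in lines) if c is not None]


def _hex(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:          # "?" or a resolved string, not a constant
        return None


def decode_key_access(mask: int) -> str:
    """Render a samDesired mask with the names a reviewer expects."""
    base = mask & ~0x300        # WOW64 view flags are reported separately
    if base in _KEY_COMPOSITES:
        names = [_KEY_COMPOSITES[base]]
    else:
        names = [n for bit, n in _KEY_BITS if base & bit]
        leftover = base & ~sum(b for b, _ in _KEY_BITS)
        if leftover:
            names.append(f"0x{leftover:X}")
    names += [n for bit, n in _WOW64_BITS if mask & bit]
    return "|".join(names) if names else "0"


def decode_reg_open(call: ApiCall) -> Dict[str, str]:
    """Decode RegOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired, ...) arguments."""
    if call.api not in ("RegOpenKeyExW", "RegOpenKeyExA") or len(call.args) < 4:
        raise ValueError(f"not a RegOpenKeyEx call: {call.api}")
    hive, access = _hex(call.args[0]), _hex(call.args[3])
    return {
        "hive": "?" if hive is None else _HIVES.get(hive, f"0x{hive:08X}"),
        "subkey": call.args[1],
        "access": "?" if access is None else decode_key_access(access),
    }


def summarize_modules(calls: List[ApiCall]) -> Dict[str, Set[str]]:
    """Group the called APIs by the DLL the sandbox attributed them to."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for c in calls:
        out[c.module.upper()].add(c.api)
    return dict(out)


def string_arguments(calls: List[ApiCall]) -> List[str]:
    """Arguments that are neither '?' nor 8-digit hex constants: the strings the
    sandbox resolved (registry paths, value names, export names), in order."""
    found: List[str] = []
    for c in calls:
        for a in c.args:
            if a != "?" and not re.fullmatch(r"-?[0-9A-Fa-f]{8}", a) and a not in found:
                found.append(a)
    return found


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    print(decode_reg_open(calls[0]))
    print(summarize_modules(calls))
    print(string_arguments(calls))
```

The decoded RegOpenKeyExW call reads as HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator opened with KEY_WRITE, followed by a RegSetValueExW whose stack still carries the "Brightness" value name; that is the concrete registry artefact a responder would check for on a host that ran this sample. The same parser runs unchanged over any other "APIs" block in this report.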