Windows Analysis Report
Convert.exe

Overview

General Information

Sample name: Convert.exe
Analysis ID: 1558891
MD5: e14d3585a6b4feb3897d76d42c6b8d83
SHA1: 6d78a56a86327839f683f7fbf28c579896e5b05a
SHA256: 608c1b94fb38dc8c67287f4fb8523ecf99c205422b5c439cdbc61385dc1f7835

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Convert.exe (PID: 5920 cmdline: "C:\Users\user\Desktop\Convert.exe" MD5: E14D3585A6B4FEB3897D76D42C6B8D83)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: Convert.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Convert.exe | String found in binary or memory: http://www.joshmadison.com/software
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_004597D5 GetAsyncKeyState, SendMessageA
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_004560CD GetKeyState, GetKeyState, GetKeyState, GetKeyState, SendMessageA
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_00452C1A GetKeyState, GetKeyState, GetKeyState, GetKeyState
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_00455429
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_00451470
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_0044A620
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_0044BE7C
Source: C:\Users\user\Desktop\Convert.exe | Code function: String function: 004469E0 appears 76 times
Source: C:\Users\user\Desktop\Convert.exe | Code function: String function: 004428C0 appears 2745 times
Source: C:\Users\user\Desktop\Convert.exe | Code function: String function: 00453EEE appears 34 times
Source: C:\Users\user\Desktop\Convert.exe | Code function: String function: 00453DF5 appears 127 times
Source: C:\Users\user\Desktop\Convert.exe | Code function: String function: 00442D50 appears 350 times
Source: Convert.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_0045377E __EH_prolog, FindResourceA, LoadResource, LockResource, IsWindowEnabled, EnableWindow, EnableWindow, GetActiveWindow, SetActiveWindow
Source: Convert.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Convert.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Convert.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Convert.exe | Window found: window name: SysTabControl32
Source: Convert.exe | Static PE information: section name: RT_CURSOR
Source: Convert.exe | Static PE information: section name: RT_BITMAP
Source: Convert.exe | Static PE information: section name: RT_ICON
Source: Convert.exe | Static PE information: section name: RT_MENU
Source: Convert.exe | Static PE information: section name: RT_DIALOG
Source: Convert.exe | Static PE information: section name: RT_STRING
Source: Convert.exe | Static PE information: section name: RT_ACCELERATOR
Source: Convert.exe | Static PE information: section name: RT_GROUP_ICON
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_0044C828 LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_004469E0 push eax; ret 0_2_004469FE
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_004359AD push es; iretd 0_2_004359B7
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_00446CB0 push eax; ret 0_2_00446CDE
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_0044F3D0 GetPropA, CallWindowProcA, CallWindowProcA, IsIconic, CallWindowProcA, GetWindowLongA, SendMessageA, CallWindowProcA, CallWindowProcA, GetWindowLongA, GetClassNameA, lstrcmpA, CallWindowProcA, GetWindowLongA, CallWindowProcA, CallWindowProcA, CallWindowProcA
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_00445986 IsIconic, GetWindowPlacement, GetWindowRect
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_00442A90 IsIconic
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_0044EC20 CallWindowProcA, DefWindowProcA, IsIconic, SendMessageA, GetWindowLongA, GetWindowLongA, GetWindowDC, GetWindowRect, InflateRect, InflateRect, SelectObject, OffsetRect, SelectObject, ReleaseDC
Source: C:\Users\user\Desktop\Convert.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Convert.exe | API coverage: 8.5 %
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_0044C828 LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_0044B865 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_0044B877 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Convert.exe | Code function: 0_2_00455429 __EH_prolog, GetVersion
MITRE ATT&CK Matrix (number of matching signatures in parentheses)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Native API (1), Scheduled Task/Job, At
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
Defense Evasion: Deobfuscate/Decode Files or Information (1), DLL Side-Loading (1), Obfuscated Files or Information (2)
Credential Access: Input Capture (21), LSASS Memory, Security Account Manager
Discovery: Application Window Discovery (1), System Information Discovery (2), Query Registry
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: Input Capture (21), Archive Collected Data (1), Data from Network Shared Drive
Command and Control: Encrypted Channel (1), Junk Data, Steganography
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label | Link
Convert.exe | 0% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.joshmadison.com/software | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.joshmadison.com/software | Convert.exe | false | Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1558891
Start date and time: 2024-11-19 22:42:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Convert.exe
Detection: CLEAN
Classification: clean4.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 95%
  • Number of executed functions: 36
  • Number of non-executed functions: 108
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: Convert.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.033949882605988
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.83%
  • Windows Screen Saver (13104/52) 0.13%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Convert.exe
File size: 561'152 bytes
MD5: e14d3585a6b4feb3897d76d42c6b8d83
SHA1: 6d78a56a86327839f683f7fbf28c579896e5b05a
SHA256: 608c1b94fb38dc8c67287f4fb8523ecf99c205422b5c439cdbc61385dc1f7835
SHA512: 076b9902adbac2a01a42f5a604eb64dcef661bafc119d03515893863ce99d429b69bdfa13579c3c8cafa489241d6b07f197f7de243f8e72e29f6112d49fdc7b2
SSDEEP: 6144:y/APOLEh6jVvtJa2N3RxQbJ94pzLNWX5VeoKpve1:1QJTxm+9NWX5VA
TLSH: 8DC4F113405E09D8DCC06C3B7F68C24A9A50ABF237900E6397DCBE6A175B54177ACAB7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:|..T/..T/..T/..T/..T/..G/..T/..U/?.T/C._/..T/(.Z/..T/C.^/..T/T._/..T/l.R/..T/Rich..T/........................PE..L...h..8...
Icon Hash: 07032307181b1a18
Entrypoint: 0x446848
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x381BAF68 [Sun Oct 31 02:54:32 1999 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b8479b613de20959882f4cacef53e330
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00466F58h
push 00449208h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0045F1D4h]
xor edx, edx
mov dl, ah
mov dword ptr [00485294h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00485290h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0048528Ch], ecx
shr eax, 10h
mov dword ptr [00485288h], eax
push 00000001h
call 00007FED78C2565Fh
pop ecx
test eax, eax
jne 00007FED78C2239Ah
push 0000001Ch
call 00007FED78C22458h
pop ecx
call 00007FED78C246B9h
test eax, eax
jne 00007FED78C2239Ah
push 00000010h
call 00007FED78C22447h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007FED78C2547Bh
call dword ptr [0045F140h]
mov dword ptr [004869B8h], eax
call 00007FED78C25339h
mov dword ptr [00485278h], eax
call 00007FED78C250E2h
call 00007FED78C25024h
call 00007FED78C224CDh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0045F144h]
call 00007FED78C24FB5h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007FED78C22398h
movzx eax, word ptr [ebp+00h]
Programming Language:
  • [C++] VS98 (6.0) build 8168
  • [ C ] VS98 (6.0) build 8168
  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a448 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x41d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5f000 | 0x444 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5d1e6 | 0x5e000 | dfdd185f413d1acb1a0b75c18262b6bd | False | 0.30044880319148937 | data | 5.927869322301452 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x5f000 | 0xcafa | 0xd000 | 13cc6380a2ebaf739b1de0706208c2a7 | False | 0.5330341045673077 | data | 6.0482662906911555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6c000 | 0x1b4e8 | 0x18000 | 7f0397b04e3ca0fdebbbf7a099e314a5 | False | 0.07505289713541667 | data | 4.533934654618574 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x88000 | 0x41d8 | 0x5000 | 919b14682648b411e6875fc21d2bc714 | False | 0.244921875 | data | 3.2354218330227975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x89ec0 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.37987012987012986
RT_CURSOR | 0x8a018 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805
RT_CURSOR | 0x8a150 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7
RT_BITMAP | 0x8a230 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | English | United States | 0.34615384615384615
RT_BITMAP | 0x8a900 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346
RT_BITMAP | 0x8a9b8 | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | English | United States | 0.28296703296703296
RT_BITMAP | 0x8ab28 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965
RT_ICON | 0x887c0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23118279569892472
RT_ICON | 0x88aa8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.42905405405405406
RT_ICON | 0x88bf8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23521505376344087
RT_ICON | 0x88ee0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.4155405405405405
RT_MENU | 0x89dd0 | 0xea | data | English | United States | 0.6538461538461539
RT_DIALOG | 0x89030 | 0x1fe | data | English | United States | 0.5372549019607843
RT_DIALOG | 0x89878 | 0x146 | data | English | United States | 0.6134969325153374
RT_DIALOG | 0x89230 | 0x27c | data | English | United States | 0.5267295597484277
RT_DIALOG | 0x894b0 | 0x1d0 | data | English | United States | 0.5905172413793104
RT_DIALOG | 0x89680 | 0x1f2 | data | English | United States | 0.5281124497991968
RT_DIALOG | 0x899c0 | 0x78 | data | English | United States | 0.7833333333333333
RT_DIALOG | 0x8a818 | 0xe8 | data | English | United States | 0.6336206896551724
RT_STRING | 0x8ac70 | 0x82 | StarOffice Gallery theme p, 536899072 objects, 1st n | English | United States | 0.7153846153846154
RT_STRING | 0x8acf8 | 0x2a | data | English | United States | 0.5476190476190477
RT_STRING | 0x8ad28 | 0x14a | data | English | United States | 0.5060606060606061
RT_STRING | 0x8ae78 | 0x4e2 | data | English | United States | 0.376
RT_STRING | 0x8b6f0 | 0x2a2 | data | English | United States | 0.28338278931750743
RT_STRING | 0x8b410 | 0x2dc | data | English | United States | 0.36885245901639346
RT_STRING | 0x8b360 | 0xac | data | English | United States | 0.45348837209302323
RT_STRING | 0x8c0c8 | 0xde | data | English | United States | 0.536036036036036
RT_STRING | 0x8b998 | 0x4c4 | data | English | United States | 0.3221311475409836
RT_STRING | 0x8be60 | 0x264 | data | English | United States | 0.3741830065359477
RT_STRING | 0x8c1a8 | 0x2c | data | English | United States | 0.5227272727272727
RT_ACCELERATOR | 0x8a010 | 0x8 | data | English | United States | 2.0
RT_GROUP_CURSOR | 0x89ff8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x8a208 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States | 1.0294117647058822
RT_GROUP_ICON | 0x88bd0 | 0x22 | data | English | United States | 1.0
RT_GROUP_ICON | 0x89008 | 0x22 | data | English | United States | 1.0294117647058822
RT_VERSION | 0x89a38 | 0x398 | OpenPGP Public Key | English | United States | 0.46956521739130436
DLL | Import
KERNEL32.dll | HeapSize, GetACP, HeapReAlloc, HeapAlloc, RaiseException, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, GetEnvironmentStrings, LCMapStringW, HeapFree, SetHandleCount, GetEnvironmentStringsW, TerminateProcess, IsBadCodePtr, SetStdHandle, FindResourceA, LoadResource, WritePrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileIntA, ExitProcess, GetCommandLineA, GetStartupInfoA, RtlUnwind, FlushFileBuffers, SetFilePointer, WriteFile, GetCurrentProcess, SetErrorMode, GetOEMCP, GetCPInfo, SizeofResource, GetProcessVersion, GetLastError, GlobalFlags, lstrcpynA, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, TlsAlloc, GetStringTypeA, GlobalHandle, DeleteCriticalSection, GetStringTypeW, SetUnhandledExceptionFilter, CloseHandle, InitializeCriticalSection, lstrcpyA, LocalAlloc, LoadLibraryA, MulDiv, SetLastError, GlobalGetAtomNameA, FreeLibrary, GetVersion, GetModuleHandleA, GlobalAddAtomA, GlobalFindAtomA, LocalFree, GetProcAddress, InterlockedDecrement, MultiByteToWideChar, WideCharToMultiByte, GlobalFree, InterlockedIncrement, GlobalUnlock, LockResource, IsBadReadPtr, LCMapStringA, GetModuleFileNameA, GetCurrentThread, WinExec, lstrlenA, lstrcatA, GetCurrentThreadId, GetProfileStringA, lstrcmpiA, lstrcmpA, GlobalDeleteAtom, GlobalAlloc, GlobalLock
USER32.dll | SetDlgItemTextA, IsDialogMessageA, SetWindowTextA, MoveWindow, ShowWindow, wvsprintfA, ClientToScreen, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, GetAsyncKeyState, MapDialogRect, DestroyMenu, WindowFromPoint, DrawFocusRect, FillRect, PtInRect, GetClassNameA, GetSysColorBrush, LoadStringA, GetTopWindow, GetCapture, WinHelpA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetWindowTextLengthA, GetWindowTextA, SendDlgItemMessageA, DefWindowProcA, CreateWindowExA, GetClassLongA, UpdateWindow, RemovePropA, GetMessageTime, GetForegroundWindow, SetForegroundWindow, GetWindow, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, CopyRect, EndDialog, SetActiveWindow, IsWindow, CreateDialogIndirectParamA, DestroyWindow, GetDlgItem, wsprintfA, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, GetFocus, GetNextDlgTabItem, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, PeekMessageA, GetCursorPos, SetWindowsHookExA, GetLastActivePopup, IsWindowEnabled, GetWindowLongA, MessageBoxA, PostQuitMessage, PostMessageA, GetParent, ReleaseDC, GetDC, InflateRect, MessageBeep, SetWindowLongA, SetCursor, LoadIconA, LoadCursorA, EnableWindow, InvalidateRect, SetFocus, GetClientRect, GetWindowRect, IsIconic, AdjustWindowRectEx, ScreenToClient, MapWindowPoints, GetSysColor, UnhookWindowsHookEx, GetPropA, GetDlgCtrlID, SetPropA, GetSystemMenu, SendMessageA, EnableMenuItem, DeleteMenu, DrawIcon, GetSystemMetrics, GetMessagePos, RegisterWindowMessageA, SetWindowPos, CallWindowProcA, DefDlgProcA, ExcludeUpdateRgn, HideCaret, IsWindowUnicode, CharNextA, ShowCaret, UnregisterClassA
GDI32.dll | GetStockObject, GetTextExtentPoint32A, CreateBitmap, GetObjectA, PatBlt, SetTextColor, SetBkColor, GetClipBox, SaveDC, DeleteDC, SelectObject, RestoreDC, SetBkMode, SetMapMode, SetViewportOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, IntersectClipRect, DeleteObject, GetDeviceCaps, CreateSolidBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, BitBlt, CreateCompatibleDC, GetTextMetricsA, CreateDIBitmap, OffsetViewportOrgEx, SetViewportExtEx, SetWindowExtEx, GetTextExtentPointA, CreateFontIndirectA
WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll | RegSetValueExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegQueryValueExA, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueA
SHELL32.dll | ShellExecuteA
COMCTL32.dll | DestroyPropertySheetPage, PropertySheetA, CreatePropertySheetPageA, ImageList_Destroy
Language of compilation system: English
Country where language is spoken: United States
No network behavior found

Target ID: 0
Start time: 16:43:25
Start date: 19/11/2024
Path: C:\Users\user\Desktop\Convert.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Convert.exe"
Imagebase: 0x400000
File size: 561'152 bytes
MD5 hash: E14D3585A6B4FEB3897D76D42C6B8D83
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 4.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 58
34118 455781 34113->34118 34119 455800 34113->34119 34120 45578f 34113->34120 34121 455716 34113->34121 34122 455799 34113->34122 34123 45561a 34113->34123 34124 4557da 34113->34124 34125 455763 34113->34125 34126 4556ed 34113->34126 34127 4557ad 34113->34127 34128 4557e8 34113->34128 34129 4557f1 34113->34129 34130 455631 34113->34130 34131 455732 34113->34131 34146 45563f Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot 34113->34146 34148 455755 34113->34148 34113->34150 34113->34152 34158 4556ac 34113->34158 34115 455510 34115->34112 34115->34113 34115->34152 34147 454652 49 API calls 34116->34147 34225 457a14 48 API calls ctype 34117->34225 34229 457a14 48 API calls ctype 34118->34229 34149 454652 49 API calls 34119->34149 34119->34152 34230 456fd4 48 API calls ctype 34120->34230 34228 456fd4 48 API calls ctype 34121->34228 34231 456fd4 48 API calls ctype 34122->34231 34144 454652 49 API calls 34123->34144 34134 454652 49 API calls 34124->34134 34139 454652 49 API calls 34125->34139 34137 454652 49 API calls 34126->34137 34145 454652 49 API calls 34127->34145 34135 454652 49 API calls 34128->34135 34136 454652 49 API calls 34129->34136 34133 454652 49 API calls 34130->34133 34189 4024b6 34131->34189 34133->34152 34134->34152 34135->34152 34136->34148 34137->34152 34151 45576b 34139->34151 34144->34152 34145->34152 34154 454679 48 API calls 34146->34154 34147->34148 34207 442332 34148->34207 34149->34148 34232 45c8ae LeaveCriticalSection 34150->34232 34153 454652 49 API calls 34151->34153 34152->34084 34153->34148 34156 45566b std::bad_exception::~bad_exception 34154->34156 34226 454cc4 49 API calls 3 library calls 34156->34226 34227 457a91 49 API calls 2 library calls 34158->34227 34164 45c5e4 ctype 21 API calls 34163->34164 34165 4545cb 34164->34165 34167 454ecf 2 API calls 34165->34167 34166 4545de 34166->34084 34167->34166 34169 454edc 34168->34169 34170 454efe CallWindowProcA 34168->34170 34169->34170 34172 454eea DefWindowProcA 34169->34172 34171 
454f11 34170->34171 34171->34085 34172->34171 34174 4559c8 34173->34174 34176 45c5e4 ctype 21 API calls 34174->34176 34178 4559e6 34174->34178 34175 455a19 34175->34152 34177 455a2f 34176->34177 34177->34175 34241 455d7c 50 API calls 3 library calls 34177->34241 34178->34175 34233 453399 34178->34233 34182 455a20 34181->34182 34187 4559e6 34181->34187 34183 45c5e4 ctype 21 API calls 34182->34183 34184 455a2f 34183->34184 34185 455a19 34184->34185 34322 455d7c 50 API calls 3 library calls 34184->34322 34185->34152 34187->34185 34188 453399 78 API calls 34187->34188 34188->34185 34323 442a90 IsIconic 34189->34323 34191 4024e2 34192 4024ea 34191->34192 34193 40259f 34191->34193 34327 457f70 52 API calls __EH_prolog 34192->34327 34324 442b40 34193->34324 34196 4024f9 34328 442a30 SendMessageA 34196->34328 34197 4025aa 34197->34152 34199 402518 GetSystemMetrics GetSystemMetrics 34200 402536 Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot 34199->34200 34329 442ad0 GetClientRect 34200->34329 34202 402545 34330 4429a0 DrawIcon 34202->34330 34204 40258e 34331 457fe2 50 API calls 2 library calls 34204->34331 34206 40259d 34206->34197 34332 443030 34207->34332 34213 4423a4 34213->34152 34214 442380 34214->34213 34340 442a00 EnableMenuItem 34214->34340 34215 442371 34339 442a00 EnableMenuItem 34215->34339 34218 442395 34341 442a00 EnableMenuItem 34218->34341 34220->34095 34221->34102 34222->34115 34223->34152 34224->34115 34225->34152 34226->34158 34227->34152 34228->34152 34229->34152 34230->34152 34231->34148 34232->34152 34242 452f56 34233->34242 34235 4533b4 34236 4533ce GetParent 34235->34236 34240 4533f9 34235->34240 34237 454652 49 API calls 34236->34237 34238 4533dd 34237->34238 34238->34240 34248 452858 34238->34248 34240->34175 34241->34178 34243 452f87 34242->34243 34244 452f66 34242->34244 34247 452f6b 34243->34247 34253 452e4f 34243->34253 34245 45bf76 ctype 28 API calls 34244->34245 34245->34247 34247->34235 34249 45bf9c ctype 28 API calls 34248->34249 
34250 45285d 34249->34250 34251 452869 34250->34251 34252 45bf76 ctype 28 API calls 34250->34252 34251->34240 34252->34251 34254 452e6e 34253->34254 34255 452e5e 34253->34255 34254->34255 34257 405315 34254->34257 34255->34247 34274 442fd0 SendMessageA 34257->34274 34259 40535a 34275 442fa0 SendMessageA 34259->34275 34261 405369 34276 453e1f 34261->34276 34263 405375 34284 455001 34263->34284 34265 40539a 34266 442900 28 API calls 34265->34266 34267 4053b6 34266->34267 34290 45878c 34267->34290 34269 4053bd 34270 453df5 ctype 23 API calls 34269->34270 34271 4053d1 34270->34271 34272 453df5 ctype 23 API calls 34271->34272 34273 4053e0 34272->34273 34273->34255 34274->34259 34275->34261 34277 453e33 34276->34277 34283 453e46 34276->34283 34278 453e3d 34277->34278 34279 453e48 lstrlenA 34277->34279 34308 4571e7 57 API calls 34278->34308 34281 453e55 34279->34281 34279->34283 34309 453c62 34281->34309 34283->34263 34285 45500b GetWindowTextLengthA 34284->34285 34289 455037 34284->34289 34316 4540b5 25 API calls 34285->34316 34287 455022 GetWindowTextA 34317 45408d 34287->34317 34289->34265 34291 458797 34290->34291 34292 458811 WritePrivateProfileStringA 34290->34292 34293 45879d 34291->34293 34294 4587b8 34291->34294 34295 4587a8 34292->34295 34296 45b592 5 API calls 34293->34296 34297 4587c1 34294->34297 34298 4587d8 34294->34298 34295->34269 34299 4587a2 34296->34299 34300 45b626 7 API calls 34297->34300 34301 45b626 7 API calls 34298->34301 34299->34295 34302 4587ac RegDeleteKeyA 34299->34302 34303 4587c6 34300->34303 34304 4587dd 34301->34304 34305 4587ff RegCloseKey 34302->34305 34303->34295 34306 4587cc RegDeleteValueA 34303->34306 34304->34295 34307 4587e3 lstrlenA RegSetValueExA 34304->34307 34305->34295 34306->34305 34307->34305 34308->34283 34311 453c77 34309->34311 34313 453c6e 34309->34313 34310 453c7f 34312 445eb5 22 API calls 34310->34312 34311->34310 34314 453cbe 34311->34314 34312->34313 34313->34283 34315 4540ef std::bad_exception::~bad_exception 20 
API calls 34314->34315 34315->34313 34316->34287 34318 453d9e 25 API calls 34317->34318 34319 454095 34318->34319 34320 4540a6 34319->34320 34321 45409e lstrlenA 34319->34321 34320->34289 34321->34320 34322->34187 34323->34191 34325 4545b9 23 API calls 34324->34325 34326 442b4f 34325->34326 34326->34197 34327->34196 34328->34199 34329->34202 34330->34204 34331->34206 34333 4545b9 23 API calls 34332->34333 34334 44234f 34333->34334 34335 442a60 GetSystemMenu 34334->34335 34342 456fd4 48 API calls ctype 34335->34342 34337 442359 34337->34214 34338 442a00 EnableMenuItem 34337->34338 34338->34215 34339->34214 34340->34218 34341->34213 34342->34337 34343 4546fe 34344 45470f 34343->34344 34345 45470a 34343->34345 34346 454679 48 API calls 34344->34346 34347 454717 34346->34347 34348 454491 140 API calls 34347->34348 34348->34345 34349 40269b 35452 442d50 SendMessageA 34349->35452 34351 4026ae 35453 442d50 SendMessageA 34351->35453 34353 4026c1 35454 442d50 SendMessageA 34353->35454 34355 4026d4 35455 442d50 SendMessageA 34355->35455 34357 4026e7 35456 442d50 SendMessageA 34357->35456 34359 4026fa 35457 442d50 SendMessageA 34359->35457 34361 40270d 35458 442d50 SendMessageA 34361->35458 34363 402720 35459 442d50 SendMessageA 34363->35459 34365 402733 35460 442d50 SendMessageA 34365->35460 34367 402746 35461 442d50 SendMessageA 34367->35461 34369 402759 35462 442d50 SendMessageA 34369->35462 34371 40276c 35463 442d50 SendMessageA 34371->35463 34373 40277f 35464 442d50 SendMessageA 34373->35464 34375 402792 35465 442d50 SendMessageA 34375->35465 34377 4027a5 35466 442d50 SendMessageA 34377->35466 34379 4027b8 35467 442d50 SendMessageA 34379->35467 34381 4027cb 35468 442d50 SendMessageA 34381->35468 34383 4027de 35469 442d50 SendMessageA 34383->35469 34385 4027f1 35470 442d50 SendMessageA 34385->35470 34387 402804 35471 442d50 SendMessageA 34387->35471 34389 402817 35472 442d50 SendMessageA 34389->35472 34391 40282a 35473 442d50 SendMessageA 34391->35473 34393 40283d 35474 
442d50 SendMessageA 34393->35474 34395 402850 35475 442d50 SendMessageA 34395->35475 34397 402863 35476 442d50 SendMessageA 34397->35476 34399 402876 35477 442d50 SendMessageA 34399->35477 34401 402889 35478 442d50 SendMessageA 34401->35478 34403 40289c 35479 442d50 SendMessageA 34403->35479 34405 4028af 35480 442d50 SendMessageA 34405->35480 34407 4028c2 35481 442d50 SendMessageA 34407->35481 34409 4028d5 35482 442d50 SendMessageA 34409->35482 34411 4028e8 35483 442d50 SendMessageA 34411->35483 34413 4028fb 35484 442d50 SendMessageA 34413->35484 34415 40290e 35485 442d50 SendMessageA 34415->35485 34417 402921 34420 4029d4 34417->34420 35488 442d50 SendMessageA 34417->35488 34419 40294f 35489 442d50 SendMessageA 34419->35489 34426 402a87 34420->34426 35496 442d50 SendMessageA 34420->35496 34423 402962 35490 442d50 SendMessageA 34423->35490 34424 402a02 35497 442d50 SendMessageA 34424->35497 34438 402dc0 34426->34438 35504 442d50 SendMessageA 34426->35504 34428 402975 35491 442d50 SendMessageA 34428->35491 34430 402a15 35498 442d50 SendMessageA 34430->35498 34432 402ab5 35505 442d50 SendMessageA 34432->35505 34434 402988 35492 442d50 SendMessageA 34434->35492 34436 402a28 35499 442d50 SendMessageA 34436->35499 34447 402fef 34438->34447 35546 442d50 SendMessageA 34438->35546 34439 402ac8 35506 442d50 SendMessageA 34439->35506 34441 40299b 35493 442d50 SendMessageA 34441->35493 34444 402a3b 35500 442d50 SendMessageA 34444->35500 34446 402dee 35547 442d50 SendMessageA 34446->35547 34462 4032b6 34447->34462 35574 442d50 SendMessageA 34447->35574 34448 402adb 35507 442d50 SendMessageA 34448->35507 34450 4029ae 35494 442d50 SendMessageA 34450->35494 34452 402e01 35548 442d50 SendMessageA 34452->35548 34455 402a4e 35501 442d50 SendMessageA 34455->35501 34458 40301d 35575 442d50 SendMessageA 34458->35575 34459 402aee 35508 442d50 SendMessageA 34459->35508 34461 4029c1 35495 442d50 SendMessageA 34461->35495 34480 403531 34462->34480 35610 442d50 SendMessageA 34462->35610 
34463 402e14 35549 442d50 SendMessageA 34463->35549 34466 402a61 35502 442d50 SendMessageA 34466->35502 34470 403030 35576 442d50 SendMessageA 34470->35576 34471 402b01 35509 442d50 SendMessageA 34471->35509 34474 402a74 35503 442d50 SendMessageA 34474->35503 34475 4032e4 35611 442d50 SendMessageA 34475->35611 34476 402e27 35550 442d50 SendMessageA 34476->35550 34478 402b14 35510 442d50 SendMessageA 34478->35510 34494 4036c8 34480->34494 35642 442d50 SendMessageA 34480->35642 34483 403043 35577 442d50 SendMessageA 34483->35577 34486 4032f7 35612 442d50 SendMessageA 34486->35612 34487 402e3a 35551 442d50 SendMessageA 34487->35551 34489 402b27 35511 442d50 SendMessageA 34489->35511 34490 40355f 35643 442d50 SendMessageA 34490->35643 34493 403056 35578 442d50 SendMessageA 34493->35578 34515 40385f 34494->34515 35662 442d50 SendMessageA 34494->35662 34498 40330a 35613 442d50 SendMessageA 34498->35613 34499 402e4d 35552 442d50 SendMessageA 34499->35552 34501 403069 35579 442d50 SendMessageA 34501->35579 34502 402b3a 35512 442d50 SendMessageA 34502->35512 34503 403572 35644 442d50 SendMessageA 34503->35644 34506 4036f6 35663 442d50 SendMessageA 34506->35663 34510 40331d 35614 442d50 SendMessageA 34510->35614 34511 402e60 35553 442d50 SendMessageA 34511->35553 34513 40307c 35580 442d50 SendMessageA 34513->35580 34514 402b4d 35513 442d50 SendMessageA 34514->35513 34536 403b4c 34515->34536 35682 442d50 SendMessageA 34515->35682 34516 403585 35645 442d50 SendMessageA 34516->35645 34519 403709 35664 442d50 SendMessageA 34519->35664 34524 403330 35615 442d50 SendMessageA 34524->35615 34525 402e73 35554 442d50 SendMessageA 34525->35554 34527 40308f 35581 442d50 SendMessageA 34527->35581 34528 402b60 35514 442d50 SendMessageA 34528->35514 34529 40388d 35683 442d50 SendMessageA 34529->35683 34530 403598 35646 442d50 SendMessageA 34530->35646 34533 40371c 35665 442d50 SendMessageA 34533->35665 34564 403c97 34536->34564 35720 442d50 SendMessageA 34536->35720 34539 403343 35616 
442d50 SendMessageA 34539->35616 34540 402e86 35555 442d50 SendMessageA 34540->35555 34542 4030a2 35582 442d50 SendMessageA 34542->35582 34543 402b73 35515 442d50 SendMessageA 34543->35515 34545 4038a0 35684 442d50 SendMessageA 34545->35684 34546 4035ab 35647 442d50 SendMessageA 34546->35647 34551 403356 35617 442d50 SendMessageA 34551->35617 34552 402e99 35556 442d50 SendMessageA 34552->35556 34553 40372f 35666 442d50 SendMessageA 34553->35666 34556 403b7a 35721 442d50 SendMessageA 34556->35721 34557 4038b3 35685 442d50 SendMessageA 34557->35685 34558 4035be 35648 442d50 SendMessageA 34558->35648 34562 4030b5 35583 442d50 SendMessageA 34562->35583 34563 402b86 35516 442d50 SendMessageA 34563->35516 34585 403de2 34564->34585 35736 442d50 SendMessageA 34564->35736 34568 403369 35618 442d50 SendMessageA 34568->35618 34569 402eac 35557 442d50 SendMessageA 34569->35557 34570 403742 35667 442d50 SendMessageA 34570->35667 34574 403b8d 35722 442d50 SendMessageA 34574->35722 34575 4038c6 35686 442d50 SendMessageA 34575->35686 34576 4035d1 35649 442d50 SendMessageA 34576->35649 34580 4030c8 35584 442d50 SendMessageA 34580->35584 34581 402b99 35517 442d50 SendMessageA 34581->35517 34582 403cc5 35737 442d50 SendMessageA 34582->35737 34615 403e95 34585->34615 35752 442d50 SendMessageA 34585->35752 34587 403ba0 35723 442d50 SendMessageA 34587->35723 34590 40337c 35619 442d50 SendMessageA 34590->35619 34591 402ebf 35558 442d50 SendMessageA 34591->35558 34592 403755 35668 442d50 SendMessageA 34592->35668 34594 402bac 35518 442d50 SendMessageA 34594->35518 34596 403cd8 35738 442d50 SendMessageA 34596->35738 34598 4038d9 35687 442d50 SendMessageA 34598->35687 34599 4035e4 35650 442d50 SendMessageA 34599->35650 34603 4030db 35585 442d50 SendMessageA 34603->35585 34605 403e10 35753 442d50 SendMessageA 34605->35753 34607 403bb3 35724 442d50 SendMessageA 34607->35724 34610 40338f 35620 442d50 SendMessageA 34610->35620 34611 402ed2 35559 442d50 SendMessageA 34611->35559 34612 403768 
35669 442d50 SendMessageA 34612->35669 34614 402bbf 35519 442d50 SendMessageA 34614->35519 34658 4043bc 34615->34658 35760 442d50 SendMessageA 34615->35760 34617 403ceb 35739 442d50 SendMessageA 34617->35739 34619 4038ec 35688 442d50 SendMessageA 34619->35688 34620 4035f7 35651 442d50 SendMessageA 34620->35651 34624 4030ee 35586 442d50 SendMessageA 34624->35586 34625 40377b 35670 442d50 SendMessageA 34625->35670 34629 403e23 35754 442d50 SendMessageA 34629->35754 34631 403bc6 35725 442d50 SendMessageA 34631->35725 34634 4033a2 35621 442d50 SendMessageA 34634->35621 34635 402ee5 35560 442d50 SendMessageA 34635->35560 34637 403101 35587 442d50 SendMessageA 34637->35587 34638 402bd2 35520 442d50 SendMessageA 34638->35520 34639 403ec3 35761 442d50 SendMessageA 34639->35761 34641 403cfe 35740 442d50 SendMessageA 34641->35740 34643 4038ff 35689 442d50 SendMessageA 34643->35689 34644 40360a 35652 442d50 SendMessageA 34644->35652 34647 40378e 35671 442d50 SendMessageA 34647->35671 34651 403e36 35755 442d50 SendMessageA 34651->35755 34653 403bd9 35726 442d50 SendMessageA 34653->35726 34656 4033b5 35622 442d50 SendMessageA 34656->35622 34657 402ef8 35561 442d50 SendMessageA 34657->35561 34695 4044e1 34658->34695 35828 442d50 SendMessageA 34658->35828 34659 403114 35588 442d50 SendMessageA 34659->35588 34661 403d11 35741 442d50 SendMessageA 34661->35741 34663 40361d 35653 442d50 SendMessageA 34663->35653 34667 402be5 35521 442d50 SendMessageA 34667->35521 34668 403ed6 35762 442d50 SendMessageA 34668->35762 34669 403912 35690 442d50 SendMessageA 34669->35690 34671 4043ea 35829 442d50 SendMessageA 34671->35829 34673 403e49 35756 442d50 SendMessageA 34673->35756 34675 403bec 35727 442d50 SendMessageA 34675->35727 34677 4033c8 35623 442d50 SendMessageA 34677->35623 34678 402f0b 35562 442d50 SendMessageA 34678->35562 34679 4037a1 35672 442d50 SendMessageA 34679->35672 34684 403127 35589 442d50 SendMessageA 34684->35589 34686 403d24 35742 442d50 SendMessageA 34686->35742 34688 
403630 35654 442d50 SendMessageA 34688->35654 34692 402bf8 35522 442d50 SendMessageA 34692->35522 34693 403ee9 35763 442d50 SendMessageA 34693->35763 34694 403925 35691 442d50 SendMessageA 34694->35691 34733 4045e0 34695->34733 35842 442d50 SendMessageA 34695->35842 34696 4043fd 35830 442d50 SendMessageA 34696->35830 34698 403e5c 35757 442d50 SendMessageA 34698->35757 34700 403bff 35728 442d50 SendMessageA 34700->35728 34702 4033db 35624 442d50 SendMessageA 34702->35624 34703 402f1e 35563 442d50 SendMessageA 34703->35563 34704 4037b4 35673 442d50 SendMessageA 34704->35673 34710 40313a 35590 442d50 SendMessageA 34710->35590 34712 403d37 35743 442d50 SendMessageA 34712->35743 34714 403643 35655 442d50 SendMessageA 34714->35655 34718 402c0b 35523 442d50 SendMessageA 34718->35523 34719 403efc 35764 442d50 SendMessageA 34719->35764 34720 403938 35692 442d50 SendMessageA 34720->35692 34721 40450f 35843 442d50 SendMessageA 34721->35843 34724 404410 35831 442d50 SendMessageA 34724->35831 34726 403e6f 35758 442d50 SendMessageA 34726->35758 34728 403c12 35729 442d50 SendMessageA 34728->35729 34730 4033ee 35625 442d50 SendMessageA 34730->35625 34731 402f31 35564 442d50 SendMessageA 34731->35564 34732 4037c7 35674 442d50 SendMessageA 34732->35674 34774 4046df 34733->34774 35486 442d50 SendMessageA 34733->35486 34736 40394b 35693 442d50 SendMessageA 34736->35693 34737 404522 35844 442d50 SendMessageA 34737->35844 34739 40314d 35591 442d50 SendMessageA 34739->35591 34741 403d4a 35744 442d50 SendMessageA 34741->35744 34743 403656 35656 442d50 SendMessageA 34743->35656 34748 402c1e 35524 442d50 SendMessageA 34748->35524 34749 403f0f 35765 442d50 SendMessageA 34749->35765 34752 404423 35832 442d50 SendMessageA 34752->35832 34754 403e82 35759 442d50 SendMessageA 34754->35759 34756 403c25 35730 442d50 SendMessageA 34756->35730 34758 403401 35626 442d50 SendMessageA 34758->35626 34759 402f44 35565 442d50 SendMessageA 34759->35565 34760 4037da 35675 442d50 SendMessageA 34760->35675 
34761 40460e 35487 442d50 SendMessageA 34761->35487 34764 40395e 35694 442d50 SendMessageA 34764->35694 34765 404535 35845 442d50 SendMessageA 34765->35845 34767 403160 35592 442d50 SendMessageA 34767->35592 34769 403d5d 35745 442d50 SendMessageA 34769->35745 34771 403669 35657 442d50 SendMessageA 34771->35657 34812 404b48 34774->34812 35864 442d50 SendMessageA 34774->35864 34777 402c31 35525 442d50 SendMessageA 34777->35525 34778 403f22 35766 442d50 SendMessageA 34778->35766 34783 404436 35833 442d50 SendMessageA 34783->35833 34786 403c38 35731 442d50 SendMessageA 34786->35731 34788 403414 35627 442d50 SendMessageA 34788->35627 34789 402f57 35566 442d50 SendMessageA 34789->35566 34791 4037ed 35676 442d50 SendMessageA 34791->35676 34792 404621 35854 442d50 SendMessageA 34792->35854 34793 402c44 35526 442d50 SendMessageA 34793->35526 34794 403f35 35767 442d50 SendMessageA 34794->35767 34795 403971 35695 442d50 SendMessageA 34795->35695 34796 404548 35846 442d50 SendMessageA 34796->35846 34798 403173 35593 442d50 SendMessageA 34798->35593 34799 403d70 35746 442d50 SendMessageA 34799->35746 34801 40367c 35658 442d50 SendMessageA 34801->35658 34804 40470d 35865 442d50 SendMessageA 34804->35865 34811 404449 35834 442d50 SendMessageA 34811->35834 34852 404d51 34812->34852 35922 442d50 SendMessageA 34812->35922 34815 403c4b 35732 442d50 SendMessageA 34815->35732 34817 403427 35628 442d50 SendMessageA 34817->35628 34818 402f6a 35567 442d50 SendMessageA 34818->35567 34820 403800 35677 442d50 SendMessageA 34820->35677 34821 404634 35855 442d50 SendMessageA 34821->35855 34822 402c57 35527 442d50 SendMessageA 34822->35527 34823 403f48 35768 442d50 SendMessageA 34823->35768 34824 403984 35696 442d50 SendMessageA 34824->35696 34825 40455b 35847 442d50 SendMessageA 34825->35847 34828 403186 35594 442d50 SendMessageA 34828->35594 34829 403d83 35747 442d50 SendMessageA 34829->35747 34831 40368f 35659 442d50 SendMessageA 34831->35659 34834 404720 35866 442d50 SendMessageA 
34834->35866 34837 403813 35678 442d50 SendMessageA 34837->35678 34838 404647 35856 442d50 SendMessageA 34838->35856 34843 40445c 35835 442d50 SendMessageA 34843->35835 34844 404b76 35923 442d50 SendMessageA 34844->35923 34847 403c5e 35733 442d50 SendMessageA 34847->35733 34849 40343a 35629 442d50 SendMessageA 34849->35629 34850 402f7d 35568 442d50 SendMessageA 34850->35568 34878 404f5a 34852->34878 35948 442d50 SendMessageA 34852->35948 34855 402c6a 35528 442d50 SendMessageA 34855->35528 34856 403f5b 35769 442d50 SendMessageA 34856->35769 34857 403997 35697 442d50 SendMessageA 34857->35697 34858 40456e 35848 442d50 SendMessageA 34858->35848 34861 403199 35595 442d50 SendMessageA 34861->35595 34862 403d96 35748 442d50 SendMessageA 34862->35748 34864 4036a2 35660 442d50 SendMessageA 34864->35660 34867 404733 35867 442d50 SendMessageA 34867->35867 34869 403826 35679 442d50 SendMessageA 34869->35679 34870 40465a 35857 442d50 SendMessageA 34870->35857 34875 40446f 35836 442d50 SendMessageA 34875->35836 34876 404b89 35924 442d50 SendMessageA 34876->35924 35099 405163 34878->35099 35974 442d50 SendMessageA 34878->35974 34880 403c71 35734 442d50 SendMessageA 34880->35734 34882 40344d 35630 442d50 SendMessageA 34882->35630 34883 402f90 35569 442d50 SendMessageA 34883->35569 34885 404d7f 35949 442d50 SendMessageA 34885->35949 34888 402c7d 34889 403f6e 35770 442d50 SendMessageA 34889->35770 34890 4039aa 35698 442d50 SendMessageA 34890->35698 34891 404581 35849 442d50 SendMessageA 34891->35849 34894 4031ac 35596 442d50 SendMessageA 34894->35596 34895 403da9 35749 442d50 SendMessageA 34895->35749 34897 4036b5 35661 442d50 SendMessageA 34897->35661 34900 404746 35868 442d50 SendMessageA 34900->35868 34902 403839 35680 442d50 SendMessageA 34902->35680 34903 40466d 35858 442d50 SendMessageA 34903->35858 34908 404482 35837 442d50 SendMessageA 34908->35837 34909 404b9c 35925 442d50 SendMessageA 34909->35925 34912 403c84 35735 442d50 SendMessageA 34912->35735 34914 403460 35631 
442d50 SendMessageA 34914->35631 34915 402fa3 35570 442d50 SendMessageA 34915->35570 34917 404d92 35950 442d50 SendMessageA 34917->35950 34921 403f81 35771 442d50 SendMessageA 34921->35771 34922 4039bd 35699 442d50 SendMessageA 34922->35699 34923 404594 35850 442d50 SendMessageA 34923->35850 34926 4031bf 35597 442d50 SendMessageA 34926->35597 34928 403dbc 35750 442d50 SendMessageA 34928->35750 34932 404759 35869 442d50 SendMessageA 34932->35869 34934 40384c 35681 442d50 SendMessageA 34934->35681 34935 404680 35859 442d50 SendMessageA 34935->35859 34940 404495 35838 442d50 SendMessageA 34940->35838 34941 404baf 35926 442d50 SendMessageA 34941->35926 34943 404f88 35975 442d50 SendMessageA 34943->35975 34945 403473 35632 442d50 SendMessageA 34945->35632 34948 404da5 35951 442d50 SendMessageA 34948->35951 34952 403f94 35772 442d50 SendMessageA 34952->35772 34953 4039d0 35700 442d50 SendMessageA 34953->35700 34954 4045a7 35851 442d50 SendMessageA 34954->35851 34957 4031d2 34959 403dcf 35751 442d50 SendMessageA 34959->35751 34962 40476c 35870 442d50 SendMessageA 34962->35870 34963 403486 35633 442d50 SendMessageA 34963->35633 34967 404693 35860 442d50 SendMessageA 34967->35860 34972 4044a8 35839 442d50 SendMessageA 34972->35839 34973 404bc2 35927 442d50 SendMessageA 34973->35927 34975 404f9b 35976 442d50 SendMessageA 34975->35976 34979 40477f 35871 442d50 SendMessageA 34979->35871 34980 404db8 35952 442d50 SendMessageA 34980->35952 34983 403fa7 35773 442d50 SendMessageA 34983->35773 34984 4039e3 35701 442d50 SendMessageA 34984->35701 34985 4045ba 35852 442d50 SendMessageA 34985->35852 34986 405206 34994 453df5 ctype 23 API calls 34986->34994 34991 403499 35008 405212 34994->35008 34996 4046a6 35861 442d50 SendMessageA 34996->35861 35001 4044bb 35840 442d50 SendMessageA 35001->35840 35002 404bd5 35928 442d50 SendMessageA 35002->35928 35004 404fae 35977 442d50 SendMessageA 35004->35977 35007 404792 35872 442d50 SendMessageA 35007->35872 35022 453df5 ctype 23 API calls 
35008->35022 35009 404dcb 35953 442d50 SendMessageA 35009->35953 35012 403fba 35774 442d50 SendMessageA 35012->35774 35013 4039f6 35702 442d50 SendMessageA 35013->35702 35014 4045cd 35853 442d50 SendMessageA 35014->35853 35019 404fc1 35978 442d50 SendMessageA 35019->35978 35035 405221 35022->35035 35024 4046b9 35862 442d50 SendMessageA 35024->35862 35029 4044ce 35841 442d50 SendMessageA 35029->35841 35030 404be8 35929 442d50 SendMessageA 35030->35929 35034 4047a5 35873 442d50 SendMessageA 35034->35873 35036 404dde 35954 442d50 SendMessageA 35036->35954 35039 403fcd 35775 442d50 SendMessageA 35039->35775 35040 403a09 35703 442d50 SendMessageA 35040->35703 35044 404fd4 35979 442d50 SendMessageA 35044->35979 35048 4046cc 35863 442d50 SendMessageA 35048->35863 35052 404bfb 35930 442d50 SendMessageA 35052->35930 35056 4047b8 35874 442d50 SendMessageA 35056->35874 35057 404df1 35955 442d50 SendMessageA 35057->35955 35060 403fe0 35776 442d50 SendMessageA 35060->35776 35061 403a1c 35065 404fe7 35980 442d50 SendMessageA 35065->35980 35072 404c0e 35931 442d50 SendMessageA 35072->35931 35076 4047cb 35875 442d50 SendMessageA 35076->35875 35077 404e04 35956 442d50 SendMessageA 35077->35956 35079 403ff3 35777 442d50 SendMessageA 35079->35777 35083 404ffa 35981 442d50 SendMessageA 35083->35981 35090 404c21 35932 442d50 SendMessageA 35090->35932 35094 4047de 35876 442d50 SendMessageA 35094->35876 35095 404e17 35957 442d50 SendMessageA 35095->35957 35097 404006 35778 442d50 SendMessageA 35097->35778 35099->34986 35128 442d50 SendMessageA 35099->35128 35101 404c34 35933 442d50 SendMessageA 35101->35933 35103 40500d 35982 442d50 SendMessageA 35103->35982 35114 4047f1 35877 442d50 SendMessageA 35114->35877 35115 404e2a 35958 442d50 SendMessageA 35115->35958 35117 404019 35779 442d50 SendMessageA 35117->35779 35119 404c47 35934 442d50 SendMessageA 35119->35934 35121 405020 35983 442d50 SendMessageA 35121->35983 35128->35099 35133 404804 35878 442d50 SendMessageA 35133->35878 35134 
[Control-flow graph edge list omitted: it is extraction residue of the rendered graph. The graph covers the CRT startup path (GetVersion, HeapCreate, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, SetErrorMode), settings access through GetPrivateProfileStringA / WritePrivateProfileStringA and RegQueryValueExA / RegSetValueExA, the SetWindowsHookExA / UnhookWindowsHookEx pair, and the repeated SendMessageA calls via 00442D50.]

    Control-flow Graph
    [Rendered control-flow graph of function 0045377E (basic blocks 0045377E-004538DD) omitted; the APIs it calls are listed below.]
    APIs
    • __EH_prolog.LIBCMT ref: 00453783
    • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004537BB
    • LoadResource.KERNEL32(?,00000000,?,?,?,00000007,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 004537C3
      • Part of subcall function 00454B50: UnhookWindowsHookEx.USER32(?), ref: 00454B75
    • LockResource.KERNEL32(?,?,?,?,00000007,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 004537D0
    • IsWindowEnabled.USER32(00000000), ref: 00453803
    • EnableWindow.USER32(00000000,00000000), ref: 00453811
    • EnableWindow.USER32(00000000,00000001), ref: 0045389F
    • GetActiveWindow.USER32 ref: 004538AA
    • SetActiveWindow.USER32(00000000,?,?,?,?,00000007,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 004538B8
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
    • String ID:
    • API String ID: 401145483-0
    • Opcode ID: da0154b7b507c22309a0e933e74a2908b68f94bed98c4217167b8df5d42b6508
    • Instruction ID: 98b93588d90e1e639b6a9742903b1d970df520c87f22e19d718b66114bf5fbd9
    • Opcode Fuzzy Hash: da0154b7b507c22309a0e933e74a2908b68f94bed98c4217167b8df5d42b6508
    • Instruction Fuzzy Hash: 5A41D271900704DFDB21AF65C84966EB7F5AF44757F10012FF902A2293C7799E488B6A
    APIs
    • __EH_prolog.LIBCMT ref: 0045542E
    • GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 004555E1
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: H_prologVersion
    • String ID:
    • API String ID: 1836448879-0
    • Opcode ID: f5a1ea65f5b732627b2b53c13a19c61731209395b38841e45dc6b831e2805def
    • Instruction ID: d0705d98a940ea30a19c661afe863039a069756a253712f0fe6c95cf36b42a14
    • Opcode Fuzzy Hash: f5a1ea65f5b732627b2b53c13a19c61731209395b38841e45dc6b831e2805def
    • Instruction Fuzzy Hash: E5E18D70500609EFDB04EF55C8A0BBE37A9EF04316F10851AFC169A293D73CDA1ADB69

    Control-flow Graph
    [Rendered control-flow graph of function 0045490E (basic blocks 0045490E-00454B01) omitted; the APIs it calls are listed below.]
    APIs
      • Part of subcall function 0045C5E4: TlsGetValue.KERNEL32(00484E6C,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4,?,00000000,?,0045161C,00000000,00000000,00000000,00000000), ref: 0045C623
    • CallNextHookEx.USER32(?,00000003,?,?), ref: 00454938
    • GetClassLongA.USER32(?,000000E6), ref: 0045497F
    • GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,Function_0005B3E3), ref: 004549AB
    • lstrcmpiA.KERNEL32(?,ime), ref: 004549BA
    • GetWindowLongA.USER32(?,000000FC), ref: 00454A2D
    • SetWindowLongA.USER32(?,000000FC,00000000), ref: 00454A4E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
    • String ID: ,NH$AfxOldWndProc423$ime
    • API String ID: 3731301195-4050890372
    • Opcode ID: bb06be974000b555a9968e69b9b8a62ae5865538f0e9669415c8f0eb0cc1c02a
    • Instruction ID: 294483681e820a23548d41c0ad6a0cd06ca66f4dfaeac4df0ff63b736be1a18d
    • Opcode Fuzzy Hash: bb06be974000b555a9968e69b9b8a62ae5865538f0e9669415c8f0eb0cc1c02a
    • Instruction Fuzzy Hash: 6C51AD71500214ABCB119F64DC48B6F3BA8FF8436AF10452AFD15AB292D738DD88CB9D

    Control-flow Graph (graph rendering omitted)
    APIs
    • EnterCriticalSection.KERNEL32(00484E88,00484E2C,00000000,?,00484E6C,00484E6C,0045C618,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4,?,00000000), ref: 0045C28C
    • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,00484E6C,00484E6C,0045C618,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4,?,00000000), ref: 0045C2E1
    • GlobalHandle.KERNEL32(004F2990), ref: 0045C2EA
    • GlobalUnlock.KERNEL32(00000000), ref: 0045C2F3
    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0045C305
    • GlobalHandle.KERNEL32(004F2990), ref: 0045C31C
    • GlobalLock.KERNEL32(00000000), ref: 0045C323
    • LeaveCriticalSection.KERNEL32((iD,?,?,00484E6C,00484E6C,0045C618,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4,?,00000000), ref: 0045C329
    • GlobalLock.KERNEL32(00000000), ref: 0045C338
    • LeaveCriticalSection.KERNEL32(?), ref: 0045C381
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
    • String ID: (iD
    • API String ID: 2667261700-210869037
    • Opcode ID: 6216e95ebef3376faa826885c5afe3325a3459ff50a032fe908c9552e028735b
    • Instruction ID: 7d93b703dbcdf73a29f2a2c4c93ed2fa9e318b32972637177b23b21e5689aa5f
    • Opcode Fuzzy Hash: 6216e95ebef3376faa826885c5afe3325a3459ff50a032fe908c9552e028735b
    • Instruction Fuzzy Hash: A031A3B56007099FD7209F64DC89A2AB7E9FB44306F00493EF852C3662E775EC08CB15

    Control-flow Graph (graph rendering omitted)
    APIs
    • __EH_prolog.LIBCMT ref: 0045349F
    • GetSystemMetrics.USER32(0000002A), ref: 00453550
    • GlobalLock.KERNEL32(00000000), ref: 004535DA
    • CreateDialogIndirectParamA.USER32(00000000,?,00000000,004532C0,00000000), ref: 0045360C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
    • String ID: Helv$MS Sans Serif$MS Shell Dlg
    • API String ID: 2364537584-2894235370
    • Opcode ID: 913fe67b96116e3149be5664a3a314f63f108ee41f8c32bbe04b137aaa7ad3c8
    • Instruction ID: 1c3becc7b9c527fe7ec71491e23523a39e55326b433cbffe80bc38fb2558441e
    • Opcode Fuzzy Hash: 913fe67b96116e3149be5664a3a314f63f108ee41f8c32bbe04b137aaa7ad3c8
    • Instruction Fuzzy Hash: 0661407190020AEFCF11EFA4D9859AEBBB1BF04346F10447FF905A6252D7388B49DB59

    Control-flow Graph (graph rendering omitted)
    APIs
    • __EH_prolog.LIBCMT ref: 00454738
    • GetPropA.USER32(?,AfxOldWndProc423), ref: 00454750
    • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 004547AE
      • Part of subcall function 00454341: GetWindowRect.USER32(?,9EE), ref: 00454366
      • Part of subcall function 00454341: GetWindow.USER32(?,00000004), ref: 00454383
    • SetWindowLongA.USER32(?,000000FC,?), ref: 004547DE
    • RemovePropA.USER32(?,AfxOldWndProc423), ref: 004547E6
    • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 004547ED
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 004547F4
      • Part of subcall function 0045431E: GetWindowRect.USER32(?,75A2FA40), ref: 0045432A
    • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00454848
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
    • String ID: AfxOldWndProc423
    • API String ID: 2397448395-1060338832
    • Opcode ID: 28a8a9f3c3169b00de703e8599db74a22ed2976df0b4a337f4da5975e223bc32
    • Instruction ID: ec6644ab14724eef9f371e594410334e9bf45840f7ea4456a8d4dd96faea53f4
    • Opcode Fuzzy Hash: 28a8a9f3c3169b00de703e8599db74a22ed2976df0b4a337f4da5975e223bc32
    • Instruction Fuzzy Hash: C731A672800119BBCB01AFA5DD49EFF7B78FF4531AF00012AFE11A6152C7398958DB69

    Control-flow Graph

    APIs
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00401FDC
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00401FEE
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00402000
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00402012
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00402024
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00402036
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00402048
      • Part of subcall function 00444870: Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 0044487A
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 0040205A
      • Part of subcall function 00453EEE: lstrlenA.KERNEL32(?,?,?,0040218C,0048323C,-00000309,00000010,00000016,00401D80,00401DA0,-000002B9,00000004,00000014,Function_00001DF0,00453DF5,-00000269), ref: 00453EFF
      • Part of subcall function 00442F20: LoadIconA.USER32(00000000,004010AC), ref: 00442F36
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: ProcessorVirtual$Concurrency::RootRoot::$IconLoadlstrlen
    • String ID:
    • API String ID: 1758334495-0
    • Opcode ID: 07a8150609c8a2098f8dac22d0bdaa32cbd043d7c5fe77f76b51809630121fb7
    • Instruction ID: 9b413a1501943506eb4122cafa848c137ca9335ad7291723035c35a5e3d77b8e
    • Opcode Fuzzy Hash: 07a8150609c8a2098f8dac22d0bdaa32cbd043d7c5fe77f76b51809630121fb7
    • Instruction Fuzzy Hash: 1D518CB0A00249ABEB04EB98CD56BBEB771AF41309F14446DF5113B3C3CABD1A04DB69

    Control-flow Graph (graph rendering omitted)
    APIs
    • GetParent.USER32(00000000), ref: 0045670D
    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00456736
    • UpdateWindow.USER32(00000000), ref: 00456752
    • SendMessageA.USER32(?,00000121,00000000,00000000), ref: 00456778
    • SendMessageA.USER32(00000000,0000036A,00000000,00000001), ref: 00456797
    • UpdateWindow.USER32(00000000), ref: 004567DA
    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0045680D
      • Part of subcall function 00456D14: GetWindowLongA.USER32(00000000,000000F0), ref: 00456D20
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Message$Window$PeekSendUpdate$LongParent
    • String ID:
    • API String ID: 2853195852-0
    • Opcode ID: 8cdbcb6c4ca0c15e69e2745b258aa189284fe3fbe3b00540e88a65d96dfde682
    • Instruction ID: 44d22e18cf09cb2940c106192260cf572e0db62c290683bdd539b4d06806b1ae
    • Opcode Fuzzy Hash: 8cdbcb6c4ca0c15e69e2745b258aa189284fe3fbe3b00540e88a65d96dfde682
    • Instruction Fuzzy Hash: 7F4181306047419BD720AF268844A1BBAE4EFC5B5AF510A2EF85193253C779C84DCB9A

    Control-flow Graph (graph rendering omitted)
    APIs
    • RegOpenKeyExA.KERNELBASE(80000001,software,00000000,0002001F,00000000,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B5C0
    • RegCreateKeyExA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison), ref: 0045B5E3
    • RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,0002001F,00000000,00000001,?,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison), ref: 0045B602
    • RegCloseKey.KERNELBASE(00000000,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B612
    • RegCloseKey.ADVAPI32(?,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B61C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CloseCreate$Open
    • String ID: software
    • API String ID: 1740278721-2010147023
    • Opcode ID: 8d4a95f6f07120ccfff84b860b8167118dbdd40b32547129c2c50c087fd93e60
    • Instruction ID: c61b4888db3ac8ff22d5cae91a86fce0ffa3fcf33db2878c6dc89867e9ab0747
    • Opcode Fuzzy Hash: 8d4a95f6f07120ccfff84b860b8167118dbdd40b32547129c2c50c087fd93e60
    • Instruction Fuzzy Hash: 9C11FB71900118FBCB21DB96DC84DEFFFBCEF85705F1440AAA504E2122D7709A04DBA5

    Control-flow Graph (graph rendering omitted)
    APIs
    • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 004587B0
    • RegDeleteValueA.ADVAPI32(00000000,00000000,00000000,?,?,?,00401B79), ref: 004587D0
    • RegCloseKey.ADVAPI32(00000000,?,?,?,00401B79), ref: 00458802
      • Part of subcall function 0045B592: RegOpenKeyExA.KERNELBASE(80000001,software,00000000,0002001F,00000000,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B5C0
      • Part of subcall function 0045B592: RegCreateKeyExA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison), ref: 0045B5E3
      • Part of subcall function 0045B592: RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,0002001F,00000000,00000001,?,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison), ref: 0045B602
      • Part of subcall function 0045B592: RegCloseKey.KERNELBASE(00000000,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B612
      • Part of subcall function 0045B592: RegCloseKey.ADVAPI32(?,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B61C
    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,?), ref: 00458820
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
    • String ID:
    • API String ID: 1886894508-0
    • Opcode ID: a9ee082286e0a3799e0f3d88705a2c50289139cfb249c0175c0e361eca5cccb1
    • Instruction ID: 6f3aeeb034ee4d5f55a730465e542814c4f863050b0a21a35300922f557e6870
    • Opcode Fuzzy Hash: a9ee082286e0a3799e0f3d88705a2c50289139cfb249c0175c0e361eca5cccb1
    • Instruction Fuzzy Hash: 01118236401615FBCB222F60DC04BAE3AA5EF08757F14443AFD15A5153DF39C8199B9A

    Control-flow Graph

    APIs
    • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0045719C
    • GetSystemMetrics.USER32(0000000C), ref: 004571A3
    • GetDC.USER32(00000000), ref: 004571BC
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 004571CD
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004571D5
    • ReleaseDC.USER32(00000000,00000000), ref: 004571DD
      • Part of subcall function 0045C8F9: GetSystemMetrics.USER32(00000002), ref: 0045C90B
      • Part of subcall function 0045C8F9: GetSystemMetrics.USER32(00000003), ref: 0045C915
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
    • String ID:
    • API String ID: 1031845853-0
    • Opcode ID: 32c645c64c0c88e21e1e6760fad600102734d806a6787bcc403c20c96d65a2b9
    • Instruction ID: f34d25d9a2cdcd1207266ea491497547b6c9698f3f97edf1555c46dd97d9979d
    • Opcode Fuzzy Hash: 32c645c64c0c88e21e1e6760fad600102734d806a6787bcc403c20c96d65a2b9
    • Instruction Fuzzy Hash: 03F0B4306407009EF3206F729C89F2777A4EB84B57F00443EEA05876D2DAB4D8098FA6

    Control-flow Graph (graph rendering omitted)
    APIs
    • __EH_prolog.LIBCMT ref: 0045B6DD
    • RegQueryValueExA.KERNELBASE(00000000,?,00000000,?,00000000,00000000,?,?,?,?,0040174E,?,Tab,00000000,00000000,?), ref: 0045B734
    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,?,?,?,?,0040174E,?,Tab,00000000,00000000), ref: 0045B757
    • RegCloseKey.ADVAPI32(?,?,?,?,?,0040174E,?,Tab,00000000,00000000,?,00000001,Joshua F. Madison,00000000), ref: 0045B768
    • GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 0045B7C2
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: QueryValue$CloseH_prologPrivateProfileString
    • String ID:
    • API String ID: 1022837590-0
    • Opcode ID: e46ed812ebcd0eed735108aee520f9476822b1447999bf2f3e489e395b036338
    • Instruction ID: 44907345674a0b299d63f074b4e65c43dffae4fc687dd9db5401260e06cabd85
    • Opcode Fuzzy Hash: e46ed812ebcd0eed735108aee520f9476822b1447999bf2f3e489e395b036338
    • Instruction Fuzzy Hash: 37319C71800109EBCF11DF91CC80CEE7B79FF88356F10812BF925A61A2D7749A59DBA9

    Control-flow Graph (graph rendering omitted)
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00452880
    • SetWindowsHookExA.USER32(000000FF,00452BC2,00000000,00000000), ref: 00452890
      • Part of subcall function 0045C679: __EH_prolog.LIBCMT ref: 0045C67E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CurrentH_prologHookThreadWindows
    • String ID: <RH$@RH
    • API String ID: 2183259885-1948969457
    • Opcode ID: b7ec6b67002c0b47ce432b1014fc6059fe3398819f5500cdb96c8e4f9cc51f81
    • Instruction ID: d396268bd43029e223e293a62ef1f7d3ae03ae05cb571d909f69779fdf1fafba
    • Opcode Fuzzy Hash: b7ec6b67002c0b47ce432b1014fc6059fe3398819f5500cdb96c8e4f9cc51f81
    • Instruction Fuzzy Hash: AEF03731500710ABD7213FF1AD0DB1A7690DB05717F154AAFBD11AA1E3CB6C994C87AE

    Control-flow Graph (graph rendering omitted)
    APIs
    • GetVersion.KERNEL32(?,?,?,0045C8D4), ref: 0045C950
    • GetProcessVersion.KERNELBASE(00000000,?,?,?,0045C8D4), ref: 0045C98D
    • LoadCursorA.USER32(00000000,00007F02), ref: 0045C9BB
    • LoadCursorA.USER32(00000000,00007F00), ref: 0045C9C6
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CursorLoadVersion$Process
    • String ID:
    • API String ID: 2246821583-0
    • Opcode ID: 94006e822738d8c0a952cc8d934e155c2ccaf511e89c357d3735fb82595d9940
    • Instruction ID: b48a6198f670fa47b188dfd69dbe823e9e9df5bc31cccfa3c1255626830e9c38
    • Opcode Fuzzy Hash: 94006e822738d8c0a952cc8d934e155c2ccaf511e89c357d3735fb82595d9940
    • Instruction Fuzzy Hash: 3E118CF1A00B508FD7249F3A988462ABBE5FB487067104D3FE18BC6B41D778E404CB54
    APIs
    • RegSetValueExA.KERNELBASE(00000000,00000001,00000000,00000004,?,00000004,?,?,?,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 00458743
    • RegCloseKey.ADVAPI32(00000000,?,?,?,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045874C
    • wsprintfA.USER32 ref: 00458768
    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00458781
    Similarity
    • API ID: ClosePrivateProfileStringValueWritewsprintf
    • String ID:
    • API String ID: 1902064621-0
    • Opcode ID: b0650ab33bc79c6ef82f6a395923a50982506ce8dc2cd5190562353ec579e4d7
    • Instruction ID: dd32868c1ef65f31341a1bb3fc5d1545e0b16f7868a12cc30990e89297f8f6ce
    • Opcode Fuzzy Hash: b0650ab33bc79c6ef82f6a395923a50982506ce8dc2cd5190562353ec579e4d7
    • Instruction Fuzzy Hash: 3F01A232400619BBCB116F64DC05FAF3BA8FF08715F08443ABE11A6092EB74C9148B99
    APIs
    • SetErrorMode.KERNELBASE(00000000,00000000,00457913,00000000,00000000,00000000,00000000,?,00000000,?,0045161C,00000000,00000000,00000000,00000000,00446928), ref: 0045CC17
    • SetErrorMode.KERNELBASE(00000000,?,00000000,?,0045161C,00000000,00000000,00000000,00000000,00446928,00000000), ref: 0045CC1E
      • Part of subcall function 0045CC71: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0045CCA2
      • Part of subcall function 0045CC71: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045CD43
      • Part of subcall function 0045CC71: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0045CD70
    Similarity
    • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
    • String ID: (iD
    • API String ID: 3389432936-210869037
    • Opcode ID: 4bc241f6ea99acc8e59851c3f0e31b09fcb7c30ff2c9a258b904a8c1d00a0c27
    • Instruction ID: a53af810a2dbace94bb21e2f8d3ce39be7d8af20c2c112e3bc959ff89a48d23e
    • Opcode Fuzzy Hash: 4bc241f6ea99acc8e59851c3f0e31b09fcb7c30ff2c9a258b904a8c1d00a0c27
    • Instruction Fuzzy Hash: 41F037B59043109FC715AF65D584A097BE4AF48712F05849FF8488B3A3CB78D848CF9A
    APIs
      • Part of subcall function 0045C5E4: TlsGetValue.KERNEL32(00484E6C,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4,?,00000000,?,0045161C,00000000,00000000,00000000,00000000), ref: 0045C623
    • GetCurrentThreadId.KERNEL32 ref: 00454B26
    • SetWindowsHookExA.USER32(00000005,0045490E,00000000,00000000), ref: 00454B36
    Similarity
    • API ID: CurrentHookThreadValueWindows
    • String ID: ,NH
    • API String ID: 933525246-3639332287
    • Opcode ID: c06ef7ee82b170c591540f6efe32f56ac8f6f7cf81c1def2283c28d1a12e491b
    • Instruction ID: 6a169f95c0a047cfc12d40dde56c961d2103461f51a8918edd89d5a6ca4a0dd8
    • Opcode Fuzzy Hash: c06ef7ee82b170c591540f6efe32f56ac8f6f7cf81c1def2283c28d1a12e491b
    • Instruction Fuzzy Hash: 27E0E5306007009ED3305B659805717B6E5EBC0717F00053FFA0586142D334E84CCB6E
    APIs
    • HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,0044A23C,00000000,?,?,?,004468B8), ref: 0044A49C
    • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,0044A23C,00000000,?,?,?,004468B8), ref: 0044A4D0
    • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,004468B8), ref: 0044A4EA
    • HeapFree.KERNEL32(00000000,?,?,004468B8), ref: 0044A501
    Similarity
    • API ID: AllocHeap$FreeVirtual
    • String ID:
    • API String ID: 3499195154-0
    • Opcode ID: 61af974347b872a07f4b7306607b6dda1dca58ce8006f179ac9acdc2834f604b
    • Instruction ID: 55dd626d8b783c385f77cc67d7b969fb17b259d8f25e45d9803cbc5e8e79af4c
    • Opcode Fuzzy Hash: 61af974347b872a07f4b7306607b6dda1dca58ce8006f179ac9acdc2834f604b
    • Instruction Fuzzy Hash: 07113D70200740AFD7618F19ED45E2A7BB6FB54711B124E3EE552E61B1E3719815CF09
    APIs
    • RegQueryValueExA.KERNELBASE(00000000,00000001,00000000,?,00000000,?,?,?,?,?,?,?,004010E9,Settings,KelvinDisplay,00000001), ref: 0045B6A5
    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,004010E9,Settings,KelvinDisplay,00000001), ref: 0045B6AE
    • GetPrivateProfileIntA.KERNEL32(?,00000001,?,?), ref: 0045B6CD
    Similarity
    • API ID: ClosePrivateProfileQueryValue
    • String ID:
    • API String ID: 1423431592-0
    • Opcode ID: 862bd0827794025fae14a527a14a470708bcde9ac6e78e6483119b93491d697b
    • Instruction ID: c9eb61f766163713eb6570c6a68a409d02ed976402ecb9f183aa15fb62a42d16
    • Opcode Fuzzy Hash: 862bd0827794025fae14a527a14a470708bcde9ac6e78e6483119b93491d697b
    • Instruction Fuzzy Hash: 33012832000208FBCB129F50DC44FDF3BB9EB44756F14402AFD059A152D735DA1A9B99
    APIs
    • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00452DD7
    • TranslateMessage.USER32(?), ref: 00452DF7
    • DispatchMessageA.USER32(?), ref: 00452DFE
    Similarity
    • API ID: Message$CallbackDispatchDispatcherTranslateUser
    • String ID:
    • API String ID: 2960505505-0
    • Opcode ID: 6d7b628f998d36c49933c3f22c51a096f8bed9a6c218e4199f7b96ff2ff12ca7
    • Instruction ID: 114a34e5ab7a9e3be72936cf454a402f9512b4fe0d2c037285c9c2bdb0269713
    • Opcode Fuzzy Hash: 6d7b628f998d36c49933c3f22c51a096f8bed9a6c218e4199f7b96ff2ff12ca7
    • Instruction Fuzzy Hash: ABE01B722006006BE7255B659E4CD7B77ACFFC5B13704043FFD01D5551C7A4EC4A8A66
    APIs
    • __EH_prolog.LIBCMT ref: 00454496
      • Part of subcall function 0045C5E4: TlsGetValue.KERNEL32(00484E6C,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4,?,00000000,?,0045161C,00000000,00000000,00000000,00000000), ref: 0045C623
    Similarity
    • API ID: H_prologValue
    • String ID: ,NH
    • API String ID: 3700342317-3639332287
    • Opcode ID: 205a8cc612772d84a78a5cd90d98d7b5b8806f966a5420d8c696290ac5a4ec49
    • Instruction ID: 476cb90345a7b26f2641065122c46203d4e468b54fd79bc93206c29508aecda2
    • Opcode Fuzzy Hash: 205a8cc612772d84a78a5cd90d98d7b5b8806f966a5420d8c696290ac5a4ec49
    • Instruction Fuzzy Hash: EE213972900209EFDF01DF54C481AEE7BB9FB44359F10006AFD05AB642D374AA99CBA4
    APIs
      • Part of subcall function 00442A90: IsIconic.USER32(?), ref: 00442A9E
      • Part of subcall function 00457F70: __EH_prolog.LIBCMT ref: 00457F75
      • Part of subcall function 00457F70: BeginPaint.USER32(?,?,?,?,004024F9,?), ref: 00457F9E
      • Part of subcall function 00442A30: SendMessageA.USER32(?,00000000,00000000,00000027), ref: 00442A4A
    • GetSystemMetrics.USER32(0000000B), ref: 0040251A
    • GetSystemMetrics.USER32(0000000C), ref: 00402525
      • Part of subcall function 00442AD0: GetClientRect.USER32(?,E%@), ref: 00442AE2
      • Part of subcall function 004429A0: DrawIcon.USER32(00000000,?,?,?), ref: 004429BA
      • Part of subcall function 00457FE2: __EH_prolog.LIBCMT ref: 00457FE7
      • Part of subcall function 00457FE2: EndPaint.USER32(?,?,?,?,0040259D,?,?,?,?), ref: 00458004
    Similarity
    • API ID: H_prologMetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
    • String ID:
    • API String ID: 1530917984-0
    • Opcode ID: ac7fe77c354bd69772595e0a909d5f1603444fc2f62261e7f99027e1d3fb95b8
    • Instruction ID: 798e7ee3c695d11fd0cc983b99a1a29eb3c57542b4c828615645bff47f22bcc4
    • Opcode Fuzzy Hash: ac7fe77c354bd69772595e0a909d5f1603444fc2f62261e7f99027e1d3fb95b8
    • Instruction Fuzzy Hash: 02215C719002099BDB24EFA4DE52BEEB774FB08304F60426AF915A32D2DF786900CB58
    APIs
      • Part of subcall function 0045B592: RegOpenKeyExA.KERNELBASE(80000001,software,00000000,0002001F,00000000,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B5C0
      • Part of subcall function 0045B592: RegCreateKeyExA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison), ref: 0045B5E3
      • Part of subcall function 0045B592: RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,0002001F,00000000,00000001,?,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison), ref: 0045B602
      • Part of subcall function 0045B592: RegCloseKey.KERNELBASE(00000000,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B612
      • Part of subcall function 0045B592: RegCloseKey.ADVAPI32(?,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B61C
    • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,0002001F,00000000,00000000,?,?,?,?,?,?,0045B680,?), ref: 0045B656
    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,0045B680,?,?,?,?,?,004010E9,Settings,KelvinDisplay,00000001), ref: 0045B65D
    Similarity
    • API ID: CloseCreate$Open
    • String ID:
    • API String ID: 1740278721-0
    • Opcode ID: ece89ff9e27392351063d3da15b131e84b9e1b289f6a5605be3dfad71202d11b
    • Instruction ID: d74613434f6e8538f058d287375a677dbbae4dc778eedcd368bb9b45f7b053be
    • Opcode Fuzzy Hash: ece89ff9e27392351063d3da15b131e84b9e1b289f6a5605be3dfad71202d11b
    • Instruction Fuzzy Hash: AEE0E576100128BB87219B92DC48CEFBF7CDE4ABA17000026FA05D2002E7749A04E7F6
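    Triage note on three of the call groups above (SetWindowsHookExA at 00454B36, VirtualAlloc at 0044A4EA, and the RegOpenKeyExA/RegCreateKeyExA chain reached through 0045B592). The hook type passed to SetWindowsHookExA is 5, which is WH_CBT: a hook that observes window creation and activation, not keystrokes. The call passes hMod = NULL, which the API only accepts for a hook scoped to a thread of the calling process, and it is made directly after GetCurrentThreadId; the 00000000 listed for dwThreadId is the plugin's static placeholder for that runtime value, not evidence of a global hook. The registry chain opens HKEY_CURRENT_USER (80000001) with access mask 0002001F, which is KEY_READ|KEY_WRITE, and VirtualAlloc requests MEM_RESERVE (00002000) with PAGE_READWRITE (00000004), so none of these three groups asks for keystroke capture, a machine-wide hook or executable memory. The script below is an added example, not part of the Joe Sandbox report or of Convert.exe: it parses API lines in the "• Api.Module(args), ref: addr" form used on this page (the SAMPLE lines are copied from the listing above) and expands these constants so the question "keylogger or not" is answered from the hook id rather than from the API name alone. The constant tables are from the Win32 SDK headers; the finding strings and the function names are this example's own.

```python
"""Decode the constants in Joe Sandbox API-call lines (added triage helper).

Parses lines such as
    • SetWindowsHookExA.USER32(00000005,0045490E,00000000,00000000), ref: 00454B36
and expands the numeric arguments that decide whether a call deserves a second
look. SAMPLE is copied from the report; the hook/hive/rights tables are SDK values.
"""
import re

SAMPLE = """
• GetCurrentThreadId.KERNEL32 ref: 00454B26
• SetWindowsHookExA.USER32(00000005,0045490E,00000000,00000000), ref: 00454B36
• VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,004468B8), ref: 0044A4EA
  • Part of subcall function 0045B592: RegOpenKeyExA.KERNELBASE(80000001,software,00000000,0002001F,00000000,?,00000000,?,Settings,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 0045B5C0
• RegSetValueExA.KERNELBASE(00000000,00000001,00000000,00000004,?,00000004,?,?,?,KelvinDisplay,00000001,Joshua F. Madison,00000000), ref: 00458743
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# winuser.h hook ids; only three of them deliver keystrokes to the hook procedure.
HOOK_IDS = {-1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
            2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
            6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 9: "WH_DEBUG", 10: "WH_SHELL",
            11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
            13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
KEYSTROKE_HOOKS = {"WH_JOURNALRECORD", "WH_KEYBOARD", "WH_KEYBOARD_LL"}
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
         0x80000005: "HKEY_CURRENT_CONFIG"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY",
              0x20: "KEY_CREATE_LINK", 0x20000: "READ_CONTROL"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXEC_PROTECT = {0x10, 0x20, 0x40}


def parse_line(line):
    """Return (api, module, args, ref) or None for a non-API line.
    Eight-hex-digit arguments become ints, '?' (unresolved by the plugin) becomes
    None, anything else (a string the plugin recovered) stays a str."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    if m.group("args") is not None:
        for a in m.group("args").split(","):
            a = a.strip()
            if a == "?":
                args.append(None)
            elif re.fullmatch(r"[0-9A-F]{8}", a):
                args.append(int(a, 16))
            else:
                args.append(a)
    return m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)


def _flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)          # bits the table does not know
    return names + ([hex(rest)] if rest else [])


def decode(api, args):
    """Expand the constants of the calls that matter for triage; returns a list
    of findings (empty for calls this helper does not decode)."""
    out = []
    if api.startswith("SetWindowsHookEx") and len(args) >= 4:
        id_hook, _fn, h_mod, _tid = args[:4]
        name = HOOK_IDS.get(id_hook, f"unknown({id_hook})")
        out.append(f"hook type {id_hook} = {name}")
        if name in KEYSTROKE_HOOKS:
            out.append("captures keystrokes: treat as keylogger indicator")
        elif name == "WH_CBT":
            out.append("WH_CBT reports window creation and activation, not keystrokes")
        if h_mod == 0:   # a global hook needs a DLL handle; NULL means thread-scoped
            out.append("hMod = NULL: only valid for a hook scoped to a thread of this process")
    elif api.startswith(("RegOpenKeyEx", "RegCreateKeyEx")):
        sam_index = 3 if api.startswith("RegOpen") else 5   # samDesired position differs
        if len(args) > sam_index and isinstance(args[sam_index], int):
            hive = HIVES.get(args[0], "handle from an earlier open")
            sub = args[1] if isinstance(args[1], str) else "(pointer not resolved)"
            out.append(f"hive {hive}, subkey {sub!r}")
            sam = args[sam_index]
            rights = "KEY_READ|KEY_WRITE" if sam == 0x2001F else "|".join(_flags(sam, KEY_RIGHTS))
            out.append(f"access 0x{sam:X} = {rights}")
    elif api.startswith("RegSetValueEx") and len(args) >= 6 and isinstance(args[3], int):
        out.append(f"value type {REG_TYPES.get(args[3], args[3])}, {args[5]} bytes")
    elif api == "VirtualAlloc" and len(args) >= 4 and all(isinstance(a, int) for a in args[1:4]):
        _addr, size, alloc_type, protect = args[:4]
        out.append(f"size 0x{size:X}, type {'|'.join(_flags(alloc_type, ALLOC_TYPES))}, "
                   f"protect {PAGE_PROTECT.get(protect, hex(protect))}")
        if protect in EXEC_PROTECT:
            out.append("executable memory requested: check what gets written there")
    return out


def triage(text):
    """Run decode() over every API line in text; returns {'Api@ref': [findings]}."""
    report = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        api, _mod, args, ref = parsed
        findings = decode(api, args)
        if findings:
            report[f"{api}@{ref:08X}"] = findings
    return report


if __name__ == "__main__":
    for call, notes in triage(SAMPLE).items():
        print(call)
        for note in notes:
            print("   ", note)
```

    Feed it the raw "APIs" lines of any function block on this page; calls it does not decode are skipped, so the output is only the hook, registry and allocation facts an analyst has to look up by hand otherwise. A constructed WH_KEYBOARD_LL call (id 13) is the positive case the keystroke branch fires on.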
    APIs
    • DefWindowProcA.USER32(?,?,?,?), ref: 00454EF6
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00454F0B
    Similarity
    • API ID: ProcWindow$Call
    • String ID:
    • API String ID: 2316559721-0
    • Opcode ID: 7f8b2ae733801aa31f9fcb09af72d71580687bb7c9c6fb80734d74b62beb4dc7
    • Instruction ID: 6f6274d84f339fa319656e092030713e6ea8177d3648f4f4380c13f1ff765eaf
    • Opcode Fuzzy Hash: 7f8b2ae733801aa31f9fcb09af72d71580687bb7c9c6fb80734d74b62beb4dc7
    • Instruction Fuzzy Hash: 63F01536100218FFCF218F98DC04D9B7BBAFF08356B048429FA45CA931D732E864AB54
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,004468A6,00000001), ref: 00449B81
      • Part of subcall function 00449DD7: HeapAlloc.KERNEL32(00000000,00000140,00449B95), ref: 00449DE4
    • HeapDestroy.KERNEL32 ref: 00449B9F
    Similarity
    • API ID: Heap$AllocCreateDestroy
    • String ID:
    • API String ID: 2236781399-0
    • Opcode ID: c1590b95cbf526d1b6628b7873dc2edbac3bbc338dd40ce35fd812d1e8cd4a67
    • Instruction ID: ab74aa89f519fd71b8fbe14c357845d094e55221ae37e337c0e77ec6d58037b3
    • Opcode Fuzzy Hash: c1590b95cbf526d1b6628b7873dc2edbac3bbc338dd40ce35fd812d1e8cd4a67
    • Instruction Fuzzy Hash: AFE012706503415AFB501B30BD05B6B36D4AF54783F15883AF904D41E1FB65C980E609
    APIs
    Memory Dump Source
    Similarity
    • API ID: Parent
    • String ID:
    • API String ID: 975332729-0
    • Opcode ID: 08f4c2bd48526c9cfb8c3a7313729ba8a41c582d9f40741d302698e66cf575a4
    • Instruction ID: 12f98c70ef10b89fa042fee519576ab3c4eb5d567def964ff8e27f7b3fcad0b8
    • Opcode Fuzzy Hash: 08f4c2bd48526c9cfb8c3a7313729ba8a41c582d9f40741d302698e66cf575a4
    • Instruction Fuzzy Hash: 9D01A5312006456FDF215E61DD44EAB7769FF863A7B04463BFD1182293D639CD149628
    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004478A3,000000E0,00447890,?,00449D81,00000018,00000000,?,?,0044A94C,00000009), ref: 00447904
      • Part of subcall function 00449D61: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0044A94C,00000009,?,?,?,00448BFB,00000001,00000074,?,004468B8), ref: 00449D9E
      • Part of subcall function 00449D61: EnterCriticalSection.KERNEL32(?,?,?,0044A94C,00000009,?,?,?,00448BFB,00000001,00000074,?,004468B8), ref: 00449DB9
      • Part of subcall function 00449DC2: LeaveCriticalSection.KERNEL32(?,004478E3,00000009,?,00000009,00000000,?,004478A3,000000E0,00447890,?,00449D81,00000018,00000000,?), ref: 00449DCF
    Similarity
    • API ID: CriticalSection$AllocateEnterHeapInitializeLeave
    • String ID:
    • API String ID: 495028619-0
    • Opcode ID: 61126d368c5eb4e0dd7a4b0c7549888455258f13e7de5de0f299ab65840813c1
    • Instruction ID: 41bd63fb9085bba79c2f24d571cf3d11cd07bb8ba6db70164324e86721868a75
    • Opcode Fuzzy Hash: 61126d368c5eb4e0dd7a4b0c7549888455258f13e7de5de0f299ab65840813c1
    • Instruction Fuzzy Hash: 9CE02B33D4462063F52132246C05B8B22409F50760F2E0136FD04BB2D1E7585C0293DD
    APIs
    Memory Dump Source
    Similarity
    • API ID: Parent
    • String ID:
    • API String ID: 975332729-0
    • Opcode ID: 3a58532f6f7df2c9b0ba7cb571ef937022752a45bdb41f7a942dbd2b474571e9
    • Instruction ID: f4a9b55db240ca2c250a95c7a84196b8897aa33e03b0442244e38fc37f39f453
    • Opcode Fuzzy Hash: 3a58532f6f7df2c9b0ba7cb571ef937022752a45bdb41f7a942dbd2b474571e9
    • Instruction Fuzzy Hash: CCE065336046119BD6105A25481877BA3B4AF91753F158827FC01EB202D36CAC4E45A9
    APIs
    • IsDialogMessageA.USER32(?,00442790,?,004566D2,?,00453394,?,?,?,?,00442790,?), ref: 00456D0A
    Similarity
    • API ID: DialogMessage
    • String ID:
    • API String ID: 547518314-0
    • Opcode ID: 805a2b1335c19945732ff63014e9b3d6bd41c3f5670a70f4461dc6766ab70b9b
    • Instruction ID: 4512f4996a5bebb4b272478126e4e917de99f22bd9d8a73d4536355e1e60e972
    • Opcode Fuzzy Hash: 805a2b1335c19945732ff63014e9b3d6bd41c3f5670a70f4461dc6766ab70b9b
    • Instruction Fuzzy Hash: A7E086311042029FC3119B54D804A8B7BF1AF89311B0689AAF84587232C7759899CB49
    APIs
    • SendMessageA.USER32(?,00000080,?,00000001), ref: 00442B2B
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: f941b5fdf46dfd4267327040be8346ee89cb3ced6b5c347970432cde5f1bd2dc
    • Instruction ID: 3f75bca768d374a156aba251a72f36df4d15edc6a312130f617f666c627a3d02
    • Opcode Fuzzy Hash: f941b5fdf46dfd4267327040be8346ee89cb3ced6b5c347970432cde5f1bd2dc
    • Instruction Fuzzy Hash: 9FD05EB5A0420CBBD744CF88D845D5AB7ACFB08300F108198FD0887300C631EE008BE4
    APIs
    • SendMessageA.USER32(?,00000180,00000000,?), ref: 00442D69
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: 1ba1eacaa75fa3447a7a28400f2db2e59ce313f9ce17f641ff442b34e2ca2365
    • Instruction ID: f427ec7693af7c509973b2cedd14604df3c7b2afe657c4f2031cb8f95b468294
    • Opcode Fuzzy Hash: 1ba1eacaa75fa3447a7a28400f2db2e59ce313f9ce17f641ff442b34e2ca2365
    • Instruction Fuzzy Hash: 6ED09EB5645208BBD704CF84DC41E6A7768E748701F208199FE0457341C571AE1197D9
    APIs
    • LoadStringA.USER32(?,?,?,?), ref: 00457282
    Similarity
    • API ID: LoadString
    • String ID:
    • API String ID: 2948472770-0
    • Opcode ID: 10169ac30c0d2cb54471ec7d1adf86448e6d29b0ba182f2bd7d4f1c29b20be10
    • Instruction ID: d4b7c4c26dac0776ceaf7030a1f258f3e8310c78a0ba04107466acb386b970cb
    • Opcode Fuzzy Hash: 10169ac30c0d2cb54471ec7d1adf86448e6d29b0ba182f2bd7d4f1c29b20be10
    • Instruction Fuzzy Hash: 6BD0A77650D3629BC711DF609C04C4FBBA8BF54311F044C9EFC8083112C329D408CB66
    APIs
    • LoadIconA.USER32(00000000,004010AC), ref: 00442F36
    Similarity
    • API ID: IconLoad
    • String ID:
    • API String ID: 2457776203-0
    • Opcode ID: bbe1fe7061d80a883b27332858ff83816a9bda51d39bd289755170f992d3d992
    • Instruction ID: 73e4ab46f59bb8b7f3d15ecd6c5a13c762f622c74e8ced92e8edcf229f7b7b40
    • Opcode Fuzzy Hash: bbe1fe7061d80a883b27332858ff83816a9bda51d39bd289755170f992d3d992
    • Instruction Fuzzy Hash: B7C012B18083096B9700AB95EC0692AB7ACDF05341B40457ABC04D3305C939D92455AD
    APIs
    • SetWindowTextA.USER32(?,00000001), ref: 00456DB8
    Similarity
    • API ID: TextWindow
    • String ID:
    • API String ID: 530164218-0
    APIs
    • ShowWindow.USER32(00000000,00000004,0045674F,00000001), ref: 00456E8A
    Similarity
    • API ID: ShowWindow
    • String ID:
    • API String ID: 1268545403-0
    APIs
    • HeapAlloc.KERNEL32(00000008,?,?,?,?,00448BFB,00000001,00000074,?,004468B8), ref: 0044A96B
    Similarity
    • API ID: AllocHeap
    • String ID:
    • API String ID: 4292702814-0
    APIs
    • GetPropA.USER32(?,00000000), ref: 0044F415
    • CallWindowProcA.USER32(00000000), ref: 0044F437
      • Part of subcall function 0044E120: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0044E146
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E15E
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E16A
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID: #32770
    • API String ID: 2276450057-463685578
    Similarity
    • API ID:
    • String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
    • API String ID: 0-1157002505
    APIs
    • CallWindowProcA.USER32(00000000,00000000,?,?,?), ref: 0044EC5A
    • DefWindowProcA.USER32(00000000,?,?,?), ref: 0044EC6D
    • IsIconic.USER32(00000000), ref: 0044EC8F
    • SendMessageA.USER32(00000000,000011EF,00000000,00000001), ref: 0044ECBC
    • GetWindowLongA.USER32(00000000,000000F0), ref: 0044ECCB
    • GetWindowDC.USER32(00000000), ref: 0044ED0C
    • GetWindowRect.USER32(00000000,?), ref: 0044ED1A
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0044ED5D
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0044ED80
    • SelectObject.GDI32(00000000,00000000), ref: 0044ED8E
    • OffsetRect.USER32(?,?,00000000), ref: 0044EDE4
    Similarity
    • API ID: Window$Rect$InflateProc$CallIconicLongMessageObjectOffsetSelectSend
    • String ID:
    • API String ID: 2215177122-0
    APIs
    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00449D09,?,Microsoft Visual C++ Runtime Library,00012010,?,004673DC,?,0046742C,?,?,?,Runtime Error!Program: ), ref: 0044C83A
    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0044C852
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0044C863
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0044C870
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: ,tF$GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
    • API String ID: 2238633743-3657989805
    APIs
    • FindResourceA.KERNEL32(?,?,00000002), ref: 00451483
    • SizeofResource.KERNEL32(?,00000000,?,75A44920,00000000,75A3CF90,?,?,?,?,?,?,?,?,0044F0C1,00000001), ref: 0045149D
    • LoadResource.KERNEL32(?,00000000,?,75A44920,00000000,75A3CF90,?,?,?,?,?,?,?,?,0044F0C1,00000001), ref: 004514A7
    Similarity
    • API ID: Resource$FindLoadSizeof
    • String ID:
    • API String ID: 507330600-0
    APIs
      • Part of subcall function 00456D14: GetWindowLongA.USER32(00000000,000000F0), ref: 00456D20
    • GetKeyState.USER32(00000010), ref: 004560F1
    • GetKeyState.USER32(00000011), ref: 004560FA
    • GetKeyState.USER32(00000012), ref: 00456103
    • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00456119
    Similarity
    • API ID: State$LongMessageSendWindow
    • String ID:
    • API String ID: 1063413437-0
    APIs
    • GetKeyState.USER32(00000010), ref: 00452C41
    • GetKeyState.USER32(00000011), ref: 00452C4A
    • GetKeyState.USER32(00000012), ref: 00452C53
    Similarity
    • API ID: State
    • String ID:
    • API String ID: 1649606143-0
    Similarity
    • API ID: Iconic
    • String ID: $@
    • API String ID: 110040809-1661285546
    APIs
    • GetAsyncKeyState.USER32(00000011), ref: 004597F2
    • SendMessageA.USER32(?,00000475,00000000,?), ref: 0045981A
    Similarity
    • API ID: AsyncMessageSendState
    • String ID:
    • API String ID: 929296675-0
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_0004B81F), ref: 0044B86A
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    APIs
    • SetUnhandledExceptionFilter.KERNEL32 ref: 0044B87C
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 0045086E
    • SendMessageA.USER32(?,00000157,00000000,00000000), ref: 0045089A
    • HideCaret.USER32(?), ref: 004508B0
    • GetWindowRect.USER32(?,?), ref: 004508BC
    • GetParent.USER32(?), ref: 004508C3
    • ScreenToClient.USER32(00000000,?), ref: 004508D7
    • ScreenToClient.USER32(00000000,?), ref: 004508E3
    • GetDC.USER32(00000000), ref: 004508E6
    • GetWindowLongA.USER32(?,000000F4), ref: 00450918
    • SendMessageA.USER32(00000000,00001944,00000000,0000029A), ref: 00450945
    • SendMessageA.USER32(00000000,00001943,00000000,0000029A), ref: 00450966
    • GetClassNameA.USER32(00000000,?,00000010), ref: 00450978
    • lstrcmpA.KERNEL32(?,ComboBox), ref: 00450988
    • GetParent.USER32(00000000), ref: 004509AC
    • MapWindowPoints.USER32(00000000,0000029A,?,00000002), ref: 004509C3
    • ReleaseDC.USER32(00000000,00000000), ref: 004509CB
    • GetDC.USER32(?), ref: 004509D6
    • GetWindowLongA.USER32(00000000,000000F0), ref: 004509EC
    • GetWindow.USER32(00000000,00000005), ref: 00450A07
    • GetWindowRect.USER32(00000000,?), ref: 00450A13
    • SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 00450A50
    • ReleaseDC.USER32(?,00000000), ref: 00450A60
    • ShowCaret.USER32(?), ref: 00450A67
    • GetSystemMetrics.USER32(00000002), ref: 00450AA8
    • GetSystemMetrics.USER32(00000002), ref: 00450B07
    • GetSystemMetrics.USER32(00000015), ref: 00450B58
    • ReleaseDC.USER32(00000000,00000000), ref: 00450B7A
    • ShowCaret.USER32(?), ref: 00450B88
    Similarity
    • API ID: Window$MessageSend$CaretLongMetricsReleaseSystem$ClientParentRectScreenShow$ClassHideNamePointslstrcmp
    • String ID: ComboBox
    • API String ID: 930961256-1152790111
    APIs
    • EnterCriticalSection.KERNEL32(004869C0,?,?,?,?,?,?,?,?,?,?,?,?,0044E4E7), ref: 0044EF7B
    • GetDC.USER32(00000000), ref: 0044EF83
    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0044EF94
    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0044EF9B
    • GetSystemMetrics.USER32(00000001), ref: 0044EFB9
    • GetSystemMetrics.USER32(00000000), ref: 0044EFC4
    • ReleaseDC.USER32(00000000,00000000), ref: 0044EFDA
    • GlobalAddAtomA.KERNEL32(C3d), ref: 0044EFF4
    • LeaveCriticalSection.KERNEL32(004869C0,?,?,?,?,?,?,?,?,?,?,?,?,0044E4E7), ref: 0044F010
    • GlobalAddAtomA.KERNEL32(C3dNew), ref: 0044F027
    • GlobalAddAtomA.KERNEL32(C3dL), ref: 0044F039
    • GlobalAddAtomA.KERNEL32(C3dH), ref: 0044F046
    • GlobalAddAtomA.KERNEL32(C3dLNew), ref: 0044F06A
    • GlobalAddAtomA.KERNEL32(C3dHNew), ref: 0044F077
    • GlobalAddAtomA.KERNEL32(C3dD), ref: 0044F09B
    • GetSystemMetrics.USER32(0000002A), ref: 0044F0AE
    • GetClassInfoA.USER32(00000000,00467608,?), ref: 0044F0F1
    • GetClassInfoA.USER32(00000000,00008002,?), ref: 0044F10E
    Similarity
    • API ID: AtomGlobal$MetricsSystem$CapsClassCriticalDeviceInfoSection$EnterLeaveRelease
    • String ID: @tH$C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
    • API String ID: 1233821986-2076519394
    APIs
      • Part of subcall function 0044E200: SetBkColor.GDI32(?), ref: 0044E21D
      • Part of subcall function 0044E200: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044E26A
      • Part of subcall function 0044E200: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044E299
      • Part of subcall function 0044E200: SetBkColor.GDI32(?,?), ref: 0044E2B7
      • Part of subcall function 0044E200: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044E2E2
      • Part of subcall function 0044E200: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044E31C
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0044FD32
    • IsWindowEnabled.USER32(?), ref: 0044FD45
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0044FD6C
    • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0044FD83
    • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0044FD9C
    • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0044FDB4
    • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0044FDCE
    • SelectObject.GDI32(?,00000000), ref: 0044FDF3
    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0044FE17
    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0044FE37
    • SelectObject.GDI32(?,00000000), ref: 0044FE4D
    • PatBlt.GDI32(?,00000000,?,?,00000001,00F00021), ref: 0044FE7B
    • PatBlt.GDI32(?,00000000,00000000,00000001,00000000,00F00021), ref: 0044FE9C
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0044FEB2
    • SelectObject.GDI32(?,00000000), ref: 0044FECC
    • PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 0044FEF4
    • IsWindowEnabled.USER32(?), ref: 0044FEFF
    • SetTextColor.GDI32(?,00000000), ref: 0044FF10
    • OffsetRect.USER32(?,00000001,00000001), ref: 0044FF9C
      • Part of subcall function 0044E200: SetBkColor.GDI32(?,00000000), ref: 0044E324
    • DrawTextA.USER32(?,?,?,?,00000020), ref: 0044FFD4
    • GetFocus.USER32 ref: 0044FFE0
    • InflateRect.USER32(?,00000001,00000001), ref: 0044FFF1
    • IntersectRect.USER32(?,?,?), ref: 00450002
    • DrawFocusRect.USER32(?,?), ref: 0045000E
    • SelectObject.GDI32(?,00000000), ref: 00450021
    Similarity
    • API ID: Rect$Text$ColorInflateObjectSelect$DrawEnabledFocusWindow$IntersectOffset
    • String ID:
    • API String ID: 1611134597-0
    APIs
    • GetPropA.USER32(?,00000000), ref: 004505C5
    • CallWindowProcA.USER32(00000000), ref: 004505ED
      • Part of subcall function 0044E120: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0044E146
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E15E
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E16A
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID:
    • API String ID: 2276450057-0
    • Opcode ID: e3351b2e6c3c1e552f273ab11ae49265e9547592f73b94d650992a0afac3cf68
    • Instruction ID: 08df090749a6c86d03e1448c2218fc783d203d679a388a40f9cb91f8c021fa9e
    • Opcode Fuzzy Hash: e3351b2e6c3c1e552f273ab11ae49265e9547592f73b94d650992a0afac3cf68
    • Instruction Fuzzy Hash: 29611A766413156BE220AB14EC44FAF3758EB85763F100536FE4093393D71DA90986BF
    APIs
    • GetDlgItem.USER32(?,00003020), ref: 00459C46
    • GetDlgItem.USER32(?,00003020), ref: 00459C7F
    • GetWindowRect.USER32(00000000,?), ref: 00459C8D
    • MapDialogRect.USER32(?,?), ref: 00459CB1
    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000020,00000016), ref: 00459CDE
    • GetDlgItem.USER32(?,00481E50), ref: 00459CF3
    • GetWindowRect.USER32(00000000,?), ref: 00459D05
    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015,?), ref: 00459D24
    • GetWindowRect.USER32(?,?), ref: 00459D3E
    • GetWindowRect.USER32(?,?), ref: 00459D85
    • GetDlgItem.USER32(?,00000001), ref: 00459D8C
    • GetWindowRect.USER32(00000000,?), ref: 00459D97
    • GetDlgItem.USER32(?,00481E50), ref: 00459DBD
    • ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00444B96), ref: 00459DCC
    • EnableWindow.USER32(?,00000000), ref: 00459DD6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Window$Rect$Item$DialogEnableShow
    • String ID:
    • API String ID: 763981185-3916222277
    • Opcode ID: 4f5bace98bce3194aaca412c0a00ce4b1a0b49e6e12e4649228dc11adc283f3f
    • Instruction ID: 40afbb5e2e47bb1826aea24485709fc0d7b03dc913777e156ab87fe6f2222d84
    • Opcode Fuzzy Hash: 4f5bace98bce3194aaca412c0a00ce4b1a0b49e6e12e4649228dc11adc283f3f
    • Instruction Fuzzy Hash: AF51EAB1900209EFDF11AFA5DD89DAFBBBDEF08345F10452AF901A2152D7389D09CB28
    APIs
      • Part of subcall function 00456D14: GetWindowLongA.USER32(00000000,000000F0), ref: 00456D20
    • GetParent.USER32(?), ref: 004563F9
    • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0045641C
    • GetWindowRect.USER32(?,?), ref: 00456435
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00456448
    • CopyRect.USER32(?,?), ref: 00456495
    • CopyRect.USER32(?,?), ref: 0045649F
    • GetWindowRect.USER32(00000000,?), ref: 004564A8
    • CopyRect.USER32(?,?), ref: 004564C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Rect$Window$Copy$Long$MessageParentSend
    • String ID: ($@
    • API String ID: 808654186-1311469180
    • Opcode ID: 347572b96a1f165e280f6a36f9653e422315dd223811af27d6f77145a25b9c97
    • Instruction ID: cd12697c8c048b51ec6cfe59020c4f8684575f30c3091c4fcf409b7f890b6b06
    • Opcode Fuzzy Hash: 347572b96a1f165e280f6a36f9653e422315dd223811af27d6f77145a25b9c97
    • Instruction Fuzzy Hash: E5519272900219AFDF10DBA8DC45EEEBBB9AF44311F15412AFD01F3286DA34E8098B58
    APIs
    • GetModuleHandleA.KERNEL32(USER32,00000000,?,75A44A40,00445991,?,?,?,?,?,?,?,004564B6,00000000,00000002,00000028), ref: 0044587A
    • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00445892
    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004458A3
    • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004458B4
    • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004458C5
    • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 004458D6
    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004458E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
    • API String ID: 667068680-2376520503
    • Opcode ID: 7026af3d613aa0c3700aeaa3f9c097e269384c4b12618694bcc19e0677dc46b4
    • Instruction ID: 8c46abafa513193f1d07c3da810188802d7ce7fc46f2c6a62fcabed473a56ce0
    • Opcode Fuzzy Hash: 7026af3d613aa0c3700aeaa3f9c097e269384c4b12618694bcc19e0677dc46b4
    • Instruction Fuzzy Hash: 3811E271A06712ABE711AF6ABCC152EBEACB688750767083FD004D2652EF784445AB2D
    APIs
    • EnterCriticalSection.KERNEL32(004869C0,75A44920,771AB510,?,?,?,?,?,?,?,?,?,?,?,?,0044E4E7), ref: 0044EEE7
    • GetProfileStringA.KERNEL32(windows,kanjimenu,roman,?,00000009), ref: 0044EF10
    • lstrcmpiA.KERNEL32(?,kanji), ref: 0044EF22
    • GetProfileStringA.KERNEL32(windows,hangeulmenu,english,?,00000009), ref: 0044EF45
    • lstrcmpiA.KERNEL32(?,hangeul), ref: 0044EF51
    • LeaveCriticalSection.KERNEL32(004869C0,?,?,?,?,?,?,?,?,?,?,?,?,0044E4E7), ref: 0044EF63
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CriticalProfileSectionStringlstrcmpi$EnterLeave
    • String ID: english$hangeul$hangeulmenu$kanji$kanjimenu$roman$windows
    • API String ID: 1105401458-111014456
    • Opcode ID: 4c3af4a1db09fd1b8f7beec5f6aab5d4b90bdf55bcc45b86bb883ddb7bde3641
    • Instruction ID: 191212876157a78d561bbd920da455072d5ba219b2de2d19bdb3031a40892c90
    • Opcode Fuzzy Hash: 4c3af4a1db09fd1b8f7beec5f6aab5d4b90bdf55bcc45b86bb883ddb7bde3641
    • Instruction Fuzzy Hash: 8001D4B6644305BAD220FB64ED06F8E3F989745F65F200C77F504A20DAD6A9D20C876F
    APIs
    • __EH_prolog.LIBCMT ref: 0045A25E
      • Part of subcall function 0045C679: __EH_prolog.LIBCMT ref: 0045C67E
    • SendMessageA.USER32(?,000001A1,00000000,00000000), ref: 0045A2B4
    • GetSysColor.USER32(00000005), ref: 0045A2CC
      • Part of subcall function 00456EA3: IsWindowEnabled.USER32(?), ref: 00456EAD
    • GetSysColor.USER32(0000000D), ref: 0045A301
    • CreateCompatibleDC.GDI32(00000000), ref: 0045A32C
    • SelectObject.GDI32(?,?), ref: 0045A356
    • CopyRect.USER32(?,?), ref: 0045A36D
    • CopyRect.USER32(?,?), ref: 0045A3A6
    • FillRect.USER32(?,?,?), ref: 0045A417
    • BitBlt.GDI32(?,?,?,?,?,?,?,00000000,00CC0020), ref: 0045A44D
    • SelectObject.GDI32(?,?), ref: 0045A459
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Rect$ColorCopyH_prologObjectSelect$CompatibleCreateEnabledFillMessageSendWindow
    • String ID: `NH
    • API String ID: 2145091578-2708191515
    • Opcode ID: 9f95f27956812d5a72cd40a5f052fcec92d8a0a6ffe557a0f1b67f95e691388b
    • Instruction ID: 70bc50098859aece617cdcab2df485cc50c0f84c97a0012ec716c5704940e02c
    • Opcode Fuzzy Hash: 9f95f27956812d5a72cd40a5f052fcec92d8a0a6ffe557a0f1b67f95e691388b
    • Instruction Fuzzy Hash: 99818931D00209AFDF11DFA4C885AAEBBB5FF08305F14826AEC05E7292DB74A949CF55
    APIs
    • GetWindowLongA.USER32(?,000000FC), ref: 0044E83D
    • RemovePropA.USER32(?,00000000), ref: 0044E873
    • SetWindowLongA.USER32(?,000000FC,00000000), ref: 0044E879
    • RemovePropA.USER32(?,00000000), ref: 0044E8A7
    • SetWindowLongA.USER32(?,000000FC,00000000), ref: 0044E8AD
    • GetWindow.USER32(?,00000005), ref: 0044E902
    • GetWindow.USER32(00000000,00000002), ref: 0044E913
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Window$Long$PropRemove
    • String ID: iH
    • API String ID: 3256693057-671714768
    • Opcode ID: 71bbb19fc30a0a8a53cc650c85607471b80cb6831db3aa6405de9dc21c46187c
    • Instruction ID: d784b0b894c1bb10fbbcaf2406d950b1b81471438916dcd71e91cf1a1a67c3ff
    • Opcode Fuzzy Hash: 71bbb19fc30a0a8a53cc650c85607471b80cb6831db3aa6405de9dc21c46187c
    • Instruction Fuzzy Hash: 46213AB65015216AFB407779BC40E7F228CEF49715B12063AF910C3292FB69CC0287BD
    APIs
    • GetPropA.USER32(?,00000000), ref: 0044DF59
    • GetPropA.USER32(?,00000000), ref: 0044DF6D
    • GetPropA.USER32(?,00000000), ref: 0044DF81
    • GetPropA.USER32(?,00000000), ref: 0044DF95
    • GetPropA.USER32(?,00000000), ref: 0044DFA9
    • GetPropA.USER32(?,00000000), ref: 0044DFB9
    • IsWindowUnicode.USER32(?), ref: 0044DFD6
    • GetClassNameA.USER32(?,?,00000010), ref: 0044DFE8
    • lstrcmpiA.KERNEL32(?,edit), ref: 0044DFF8
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0044E008
    • SetPropA.USER32(?,00000000,00000000), ref: 0044E019
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
    • String ID: edit
    • API String ID: 4088303749-2167791130
    • Opcode ID: 4977a0ca70fbd462df30f69a24d0f194bad25583e6eec4894d691e1561da5d7e
    • Instruction ID: 61505c5790e136d37025cb11f14072e73272d11d50699b1b3379778df887dd02
    • Opcode Fuzzy Hash: 4977a0ca70fbd462df30f69a24d0f194bad25583e6eec4894d691e1561da5d7e
    • Instruction Fuzzy Hash: B721C6A65021226AB350BB79AC05FBF26DCAF49645B010839FD14C2151F76AC942877E
    APIs
    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,004440DC), ref: 004443A8
      • Part of subcall function 0044411B: RegOpenKeyExA.ADVAPI32(?,80000000,00000000,00000001,?), ref: 0044413A
      • Part of subcall function 0044411B: RegQueryValueA.ADVAPI32(?,00000000,?,00000104), ref: 00444167
      • Part of subcall function 0044411B: lstrcpyA.KERNEL32(004443D7,?), ref: 00444178
      • Part of subcall function 0044411B: RegCloseKey.ADVAPI32(?), ref: 00444182
    • lstrcatA.KERNEL32(?,\shell\open\command,80000000,.htm,?), ref: 004443EB
    • lstrlenA.KERNEL32(?,?,?,?,?), ref: 00444464
    • lstrcatA.KERNEL32(00000000,00481988,?,?), ref: 00444499
    • lstrcatA.KERNEL32(00000000,00000000), ref: 004444AA
    • WinExec.KERNEL32(?,004440DC), ref: 004444BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: lstrcat$CloseExecExecuteOpenQueryShellValuelstrcpylstrlen
    • String ID: $"%1"$.htm$\shell\open\command$open
    • API String ID: 2095745534-2117809343
    • Opcode ID: a4b4687578586a3d41bfcb3d09f533bd23965947a11887b6bdc35d530c439532
    • Instruction ID: a3c79ad545996efa026fd2fb51d2bbf3220b69afb3cc17673bc816c52ba152af
    • Opcode Fuzzy Hash: a4b4687578586a3d41bfcb3d09f533bd23965947a11887b6bdc35d530c439532
    • Instruction Fuzzy Hash: A2318DB9D41318ABEB10DB90DC89BDD7778AB58301F108AEAF51DA3241D3B49A84CF55
    APIs
    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,004440DC), ref: 004443A8
      • Part of subcall function 0044411B: RegOpenKeyExA.ADVAPI32(?,80000000,00000000,00000001,?), ref: 0044413A
      • Part of subcall function 0044411B: RegQueryValueA.ADVAPI32(?,00000000,?,00000104), ref: 00444167
      • Part of subcall function 0044411B: lstrcpyA.KERNEL32(004443D7,?), ref: 00444178
      • Part of subcall function 0044411B: RegCloseKey.ADVAPI32(?), ref: 00444182
    • lstrcatA.KERNEL32(?,\shell\open\command,80000000,.htm,?), ref: 004443EB
    • lstrlenA.KERNEL32(?,?,?,?,?), ref: 00444464
    • lstrcatA.KERNEL32(00000000,00481988,?,?), ref: 00444499
    • lstrcatA.KERNEL32(00000000,00000000), ref: 004444AA
    • WinExec.KERNEL32(?,004440DC), ref: 004444BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: lstrcat$CloseExecExecuteOpenQueryShellValuelstrcpylstrlen
    • String ID: $"%1"$.htm$\shell\open\command$open
    • API String ID: 2095745534-2117809343
    • Opcode ID: 3ce191d076076bd43ed04a0d09b9f119ac7e7a7a11a376a283e35f8f9bc092c4
    • Instruction ID: f046a019f503a7fc56761149c3aa06bdd61ee2a759f7292e8e074a5db26a18eb
    • Opcode Fuzzy Hash: 3ce191d076076bd43ed04a0d09b9f119ac7e7a7a11a376a283e35f8f9bc092c4
    • Instruction Fuzzy Hash: BC319EB994031CABDB10DF90DC89BDDB778BB58305F104AEAF519A3281D3B49A84CF65
    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?), ref: 004513B4
    • GetProcAddress.KERNEL32(00000000,DisableThreadLibraryCalls), ref: 004513C0
    • EnterCriticalSection.KERNEL32(004869C0), ref: 004513DC
    • GetVersion.KERNEL32 ref: 004513EE
    • GetSystemMetrics.USER32(00000007), ref: 00451432
    • GetSystemMetrics.USER32(00000008), ref: 0045143C
    • GetSystemMetrics.USER32(00000004), ref: 00451446
    • GetSystemMetrics.USER32(0000001E), ref: 0045144F
    • LeaveCriticalSection.KERNEL32(004869C0), ref: 0045145B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: MetricsSystem$CriticalSection$AddressEnterHandleLeaveModuleProcVersion
    • String ID: DisableThreadLibraryCalls$KERNEL32.DLL
    • API String ID: 1414939872-3863293605
    • Opcode ID: f7abba66597511521dab04471458c54eb54ecae5de7d3b1772180962d425a6fe
    • Instruction ID: fb0f9484f22d2e5e5095961da27c472b94919276c693382aba93f78b4b1cbc42
    • Opcode Fuzzy Hash: f7abba66597511521dab04471458c54eb54ecae5de7d3b1772180962d425a6fe
    • Instruction Fuzzy Hash: DC1151B0814715EAD750BF24ED1975F3E60EB01B16F11883EE985972B1E779C8488B4E
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0044F747
    • EnterCriticalSection.KERNEL32(004869C0), ref: 0044F754
    • LeaveCriticalSection.KERNEL32(004869C0), ref: 0044F79C
    • CallNextHookEx.USER32(00000000,?,?,?), ref: 0044F7B3
    • LeaveCriticalSection.KERNEL32(004869C0), ref: 0044F7CE
    • GetWindowLongA.USER32(?,000000F0), ref: 0044F812
    • SendMessageA.USER32(?,000011F0,00000000,00000001), ref: 0044F839
    • GetParent.USER32(?), ref: 0044F8A1
    • CallNextHookEx.USER32(00000000,?,?,?), ref: 0044F8DE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CriticalSection$CallHookLeaveNext$CurrentEnterLongMessageParentSendThreadWindow
    • String ID: DjH
    • API String ID: 1151315845-1875359361
    • Opcode ID: 6a64dae5912ba8e52ce471284cfdbeabbd804498d55e49b02759bcae75d365ee
    • Instruction ID: d68dca49f87fbffe5f9d7aaddebd40d9e196b6bb7031100808ebbe94d78ffa97
    • Opcode Fuzzy Hash: 6a64dae5912ba8e52ce471284cfdbeabbd804498d55e49b02759bcae75d365ee
    • Instruction Fuzzy Hash: B7419CB19003419BE714EF18EC45B6B73A4FB55719F01483AF90597692E778A80CCB6A
    APIs
    • GetDlgItem.USER32(?,?), ref: 004595A5
    • GetWindowLongA.USER32(00000000,000000F0), ref: 004595B6
    • IsWindowEnabled.USER32(00000000), ref: 004595C0
    • GetDlgItem.USER32(?,004666A8), ref: 004595D9
    • GetWindowLongA.USER32(00000000,000000F0), ref: 004595E2
    • IsWindowEnabled.USER32(?), ref: 004595EF
    • GetFocus.USER32 ref: 00459617
    • IsWindowEnabled.USER32(00000000), ref: 0045961E
    • SetFocus.USER32(?), ref: 0045962C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Window$Enabled$FocusItemLong
    • String ID: \F
    • API String ID: 1558694495-1837130337
    • Opcode ID: 24b16d1bf5114749864de1890cbeb364abea97ee20588e21ff449420f15ab95e
    • Instruction ID: c6882aa29c24beebf7dfe9a8a867be32a38a24ee3ed0a77ce138ddb2fa7c5efd
    • Opcode Fuzzy Hash: 24b16d1bf5114749864de1890cbeb364abea97ee20588e21ff449420f15ab95e
    • Instruction Fuzzy Hash: D1116D71104305EBDB11AF65EC48A1BBBA8FF54353F10453AFD42822B3EB29DC1C8A5A
    APIs
    • EnterCriticalSection.KERNEL32(004869C0,?,0044E5BF), ref: 0044F166
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 0044F1A2
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 0044F1BD
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 0044F1D0
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 0044F1E3
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 0044F1F6
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 0044F209
    • GlobalDeleteAtom.KERNEL32(00000000), ref: 0044F21C
    • LeaveCriticalSection.KERNEL32(004869C0,?,0044E5BF), ref: 0044F22D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
    • String ID: @tH
    • API String ID: 3843206905-3163496834
    • Opcode ID: 6b5cf8d5651c0e2ede6e4fb9c9bca488bf361a519a309a20dee0486d30686d84
    • Instruction ID: 366b6ecb6c0cc8fd04b4a142062c83e7bde9017afde63cfdeea87f4fff5a362b
    • Opcode Fuzzy Hash: 6b5cf8d5651c0e2ede6e4fb9c9bca488bf361a519a309a20dee0486d30686d84
    • Instruction Fuzzy Hash: 9B112BE9C02611D1E7557BA4EC097AE3668A708714F06497AE810876F1D7BC8CC9CBAD
    APIs
    • GetPropA.USER32(?,00000000), ref: 00450D64
    • CallWindowProcA.USER32(00000000), ref: 00450D89
      • Part of subcall function 0044E120: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0044E146
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E15E
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E16A
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID:
    • API String ID: 2276450057-0
    • Opcode ID: 0325b7a9fd1aa84b178b40ad3b7d3711d88a5607fac080c6ceaefec6557843b5
    • Instruction ID: 1fc2387ce81d80cd78a752a48189347c9a285ef9ccc9efb136f60511dafa7fe4
    • Opcode Fuzzy Hash: 0325b7a9fd1aa84b178b40ad3b7d3711d88a5607fac080c6ceaefec6557843b5
    • Instruction Fuzzy Hash: 4F51917AA04200BFD254DB55DC85D7FB7B8EBCA716F44482EFD4483212E239AC498766
    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 004510BE
    • GetClientRect.USER32(?,?), ref: 004510D9
    • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0045110B
    • SelectObject.GDI32(?,00000000), ref: 00451119
    • SetBkMode.GDI32(?,00000002), ref: 0045112A
    • GetParent.USER32(?), ref: 00451138
    • SendMessageA.USER32(00000000), ref: 0045113F
    • SelectObject.GDI32(?,00000000), ref: 00451149
    • SelectObject.GDI32(?,00000000), ref: 0045116B
    • SelectObject.GDI32(?,00000000), ref: 0045117B
    • OffsetRect.USER32(?,000000FF,000000FF), ref: 004511D2
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
    • String ID:
    • API String ID: 3606012576-0
    • Opcode ID: 8ef5488d82fcf8ffecbe8806a5e055cc3fa00ea10724d77ba6061b25ed431504
    • Instruction ID: dde9e1e2fa3cd7ba32b1e11d4ed19899c7b70c36a2a825e0908bb1268dd4ae3b
    • Opcode Fuzzy Hash: 8ef5488d82fcf8ffecbe8806a5e055cc3fa00ea10724d77ba6061b25ed431504
    • Instruction Fuzzy Hash: 444117762443017BE210AB44AC46F7F33ACEB85B26F4405B9FB01A61D3D669D90987BB
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00449C52
    • GetStdHandle.KERNEL32(000000F4,004673DC,00000000,?,00000000,?), ref: 00449D28
    • WriteFile.KERNEL32(00000000), ref: 00449D2F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: File$HandleModuleNameWrite
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $p'H
    • API String ID: 3784150691-660142619
    • Opcode ID: 5390a25a3750ea5658afd050b1b6d435617a8f97822e91970f44ce2234eed55c
    • Instruction ID: 7457db582058daa92303dab0c13eb31fafe36f930245dacd1f1243bcfb482f54
    • Opcode Fuzzy Hash: 5390a25a3750ea5658afd050b1b6d435617a8f97822e91970f44ce2234eed55c
    • Instruction Fuzzy Hash: D231C572A00218AEEF20EA61CD45F9F37ACEB45308F50086BF148D6151EA78DD458B5A
    APIs
      • Part of subcall function 0045C679: __EH_prolog.LIBCMT ref: 0045C67E
      • Part of subcall function 00456D14: GetWindowLongA.USER32(00000000,000000F0), ref: 00456D20
    • SendMessageA.USER32(?,000001A1,00000000,00000000), ref: 0045A7A3
    • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0045A7B2
    • SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 0045A7CB
    • SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 0045A7F3
    • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0045A802
    • SendMessageA.USER32(?,00000198,?,?), ref: 0045A818
    • PtInRect.USER32(?,000000FF,?), ref: 0045A824
    Similarity
    • API ID: MessageSend$H_prologLongRectWindow
    • String ID: `NH
    • API String ID: 2846605207-2708191515
    APIs
    • GetStockObject.GDI32(00000011), ref: 00457874
    • GetStockObject.GDI32(0000000D), ref: 0045787C
    • GetObjectA.GDI32(00000000,0000003C,?), ref: 00457889
    • GetDC.USER32(00000000), ref: 00457898
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004578AF
    • MulDiv.KERNEL32(?,00000048,00000000), ref: 004578BB
    • ReleaseDC.USER32(00000000,00000000), ref: 004578C6
    Similarity
    • API ID: Object$Stock$CapsDeviceRelease
    • String ID: System
    • API String ID: 46613423-3470857405
    APIs
    • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,00456B9E,00000000,00020000,?,?,00000000), ref: 004568AD
    • LoadLibraryA.KERNEL32(COMCTL32.DLL,?,00000000,?,?,?,?,?,?,?,?,004534E2,00000010,00000000), ref: 004568B6
    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004568CA
    • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,004534E2,00000010,00000000), ref: 004568E5
    • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,004534E2,00000010,00000000), ref: 00456901
    • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,004534E2,00000010,00000000), ref: 0045690D
    Similarity
    • API ID: Library$AddressFreeHandleLoadModuleProc
    • String ID: COMCTL32.DLL$InitCommonControlsEx
    • API String ID: 1437655972-4218389149
    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,0046746C,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0044AA2C
    • LCMapStringA.KERNEL32(00000000,00000100,00467468,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0044AA48
    • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0044AA91
    • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0044AAC9
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0044AB21
    • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0044AB37
    • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0044AB6A
    • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0044ABD2
    Similarity
    • API ID: String$ByteCharMultiWide
    • String ID:
    • API String ID: 352835431-0
    APIs
    • IsWindowEnabled.USER32(00000000), ref: 0045997C
    • EnableWindow.USER32(00000000,00000000), ref: 00459988
    • GetCapture.USER32 ref: 00459996
    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004599A5
    • PropertySheetA.COMCTL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 004599C1
    • EnableWindow.USER32(00000000,00000001), ref: 00459A2A
    • GetActiveWindow.USER32 ref: 00459A34
    • SetActiveWindow.USER32(00000000,?,?,?,?,00000000,00000000), ref: 00459A40
    • EnableWindow.USER32(?,00000001), ref: 00459A6A
    Similarity
    • API ID: Window$Enable$Active$CaptureEnabledMessagePropertySendSheet
    • String ID:
    • API String ID: 61310451-0
    APIs
      • Part of subcall function 0045C679: __EH_prolog.LIBCMT ref: 0045C67E
    • GetModuleHandleA.KERNEL32(COMCTL32.DLL,0045CBB9,00000000,?,00000000,?,00459118,?,?,00459B9F,?,?,?,00459B9F,?), ref: 0045CB32
    • FindResourceA.KERNEL32(00000000,51E800FC,00000005), ref: 0045CB56
    • LoadResource.KERNEL32(?,00000000,?,00459118,?,?,00459B9F,?,?,?,00459B9F,?), ref: 0045CB60
    • GlobalAlloc.KERNEL32(00000040,?,?,00459118,?,?,00459B9F,?,?,?,00459B9F,?), ref: 0045CB7E
    • lstrcpyA.KERNEL32(00000000,?,?,00459118,?,?,00459B9F,?,?,?,00459B9F,?), ref: 0045CB8A
    Similarity
    • API ID: Resource$AllocFindGlobalH_prologHandleLoadModulelstrcpy
    • String ID: COMCTL32.DLL$PRH
    • API String ID: 2873249453-3910225594
    APIs
    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,004468DE), ref: 0044989D
    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,004468DE), ref: 004498B1
    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,004468DE), ref: 004498DD
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,004468DE), ref: 00449915
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,004468DE), ref: 00449937
    • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,004468DE), ref: 00449950
    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,004468DE), ref: 00449963
    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004499A1
    Similarity
    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
    • String ID:
    • API String ID: 1823725401-0
    APIs
    • GlobalLock.KERNEL32(?), ref: 004527CB
    • lstrcmpA.KERNEL32(?,?), ref: 004527D7
    • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 004527E9
    • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0045280C
    • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00452814
    • GlobalLock.KERNEL32(00000000), ref: 00452821
    • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0045282E
    • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0045284C
      • Part of subcall function 004582F4: GlobalFlags.KERNEL32(?), ref: 004582FE
      • Part of subcall function 004582F4: GlobalUnlock.KERNEL32(?), ref: 00458315
      • Part of subcall function 004582F4: GlobalFree.KERNEL32(?), ref: 00458320
    Similarity
    • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
    • String ID:
    • API String ID: 168474834-0
    APIs
    • GetPropA.USER32(?,00000000), ref: 00451293
    • CallWindowProcA.USER32(00000000), ref: 004512B5
      • Part of subcall function 0044E120: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0044E146
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E15E
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E16A
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID:
    • API String ID: 2276450057-0
    APIs
    • SendMessageA.USER32(?,0000019F,00000000,00000000), ref: 0045AA2D
    • GetParent.USER32(?), ref: 0045AA34
      • Part of subcall function 00456D14: GetWindowLongA.USER32(00000000,000000F0), ref: 00456D20
    • SendMessageA.USER32(?,00000187,00000000,00000000), ref: 0045AA87
    • SendMessageA.USER32(?,00000111,?,?), ref: 0045AAD8
    • SendMessageA.USER32(?,00000185,00000000,00000000), ref: 0045AB63
    Similarity
    • API ID: MessageSend$LongParentWindow
    • String ID:
    • API String ID: 779260966-3916222277
    APIs
    • __EH_prolog.LIBCMT ref: 0045A0E5
    • SendMessageA.USER32(?,000001A1,?,00000000), ref: 0045A122
      • Part of subcall function 00456EA3: IsWindowEnabled.USER32(?), ref: 00456EAD
    • GetSysColor.USER32(00000008), ref: 0045A159
    • GetSysColor.USER32(00000005), ref: 0045A168
    • GetSysColor.USER32(0000000E), ref: 0045A188
    • GetSysColor.USER32(0000000D), ref: 0045A197
    • DrawFocusRect.USER32(?,?), ref: 0045A242
    Similarity
    • API ID: Color$DrawEnabledFocusH_prologMessageRectSendWindow
    • String ID:
    • API String ID: 338454814-0
    APIs
    • SetBkColor.GDI32(?), ref: 0044E21D
    • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044E26A
    • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044E299
    • SetBkColor.GDI32(?,?), ref: 0044E2B7
    • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044E2E2
    • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044E31C
    • SetBkColor.GDI32(?,00000000), ref: 0044E324
    Similarity
    • API ID: Text$Color
    • String ID:
    • API String ID: 3751486306-0
    Similarity
    • API ID:
    • String ID: DjH
    • API String ID: 0-1875359361
    APIs
    • GetCapture.USER32 ref: 00458C45
    • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00458C62
    • GetFocus.USER32 ref: 00458C74
    • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00458C84
    • GetLastActivePopup.USER32(?), ref: 00458CA7
    • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 00458CB7
    • SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 00458CD6
    Similarity
    • API ID: MessageSend$ActiveCaptureFocusLastPopup
    • String ID:
    • API String ID: 3219385341-0
    APIs
    • GetWindowRect.USER32(?), ref: 0044FBD0
    • GetWindowLongA.USER32(?,000000F0), ref: 0044FBD9
    • InflateRect.USER32(?,00000001,00000001), ref: 0044FC38
    • GetParent.USER32(?), ref: 0044FC3F
    • ScreenToClient.USER32(00000000,?), ref: 0044FC53
    • ScreenToClient.USER32(00000000,?), ref: 0044FC5B
    • InvalidateRect.USER32(00000000,?,00000000), ref: 0044FC71
    Similarity
    • API ID: Rect$ClientScreenWindow$InflateInvalidateLongParent
    • String ID:
    • API String ID: 1809568455-0
    APIs
    • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 00445A2F
    • GetSystemMetrics.USER32(00000000), ref: 00445A47
    • GetSystemMetrics.USER32(00000001), ref: 00445A4E
    • lstrcpyA.KERNEL32(-00000028,DISPLAY,00000028), ref: 00445A72
    Similarity
    • API ID: System$Metrics$InfoParameterslstrcpy
    • String ID: B$DISPLAY
    • API String ID: 1409579217-3316187204
    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 0044FC8D
    • GetWindowRect.USER32(?,?), ref: 0044FC9B
    • InflateRect.USER32(?,00000001,00000001), ref: 0044FCAA
    • GetParent.USER32(?), ref: 0044FCB1
    • ScreenToClient.USER32(00000000,?), ref: 0044FCC5
    • ScreenToClient.USER32(00000000,?), ref: 0044FCCD
    • ValidateRect.USER32(00000000,?), ref: 0044FCE1
    Similarity
    • API ID: Rect$ClientScreenWindow$InflateLongParentValidate
    • String ID:
    • API String ID: 2275295265-0
    APIs
    • GetSysColor.USER32(0000000F), ref: 00457157
    • GetSysColor.USER32(00000010), ref: 0045715E
    • GetSysColor.USER32(00000014), ref: 00457165
    • GetSysColor.USER32(00000012), ref: 0045716C
    • GetSysColor.USER32(00000006), ref: 00457173
    • GetSysColorBrush.USER32(0000000F), ref: 00457180
    • GetSysColorBrush.USER32(00000006), ref: 00457187
    Similarity
    • API ID: Color$Brush
    • String ID:
    • API String ID: 2798902688-0
    • Opcode ID: b82f98f422e048540b0d9802d75b0b7299a817efb6003bf83e6b88dbc82437f4
    • Instruction ID: 6768d0c464b0b3ac0ffd1b9e1131cc2d91e7d13007f42d0cd2dbd3c615ef5cc4
    • Opcode Fuzzy Hash: b82f98f422e048540b0d9802d75b0b7299a817efb6003bf83e6b88dbc82437f4
    • Instruction Fuzzy Hash: 92F0F8719407489BE720BB729D09B47BAE4FFC4B10F02092EE2858BA90E6B5E440DF44
    APIs
    Strings
    Similarity
    • API ID: Version$MessageRegisterWindow
    • String ID: MSWHEEL_ROLLMSG
    • API String ID: 303823969-2485103130
    • Opcode ID: 549c368be25b31dcdffd92cec92e9280346d0567c771499ea51e61cb96255844
    • Instruction ID: 4d12476597aaf63f5de4ac756bc4e5327fdfae0370c8a78838d76e68ec83f894
    • Opcode Fuzzy Hash: 549c368be25b31dcdffd92cec92e9280346d0567c771499ea51e61cb96255844
    • Instruction Fuzzy Hash: 11E080B780461656D7912764AC0076A26944B84373F214177DD0153352997C489B8B7F
    APIs
    • GetStringTypeW.KERNEL32(00000001,0046746C,00000001,00000000,?,00000100,00000000,00447FD2,00000001,00000020,00000100,?,00000000), ref: 0044B6B7
    • GetStringTypeA.KERNEL32(00000000,00000001,00467468,00000001,00000000,?,00000100,00000000,00447FD2,00000001,00000020,00000100,?,00000000), ref: 0044B6D1
    • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00447FD2,00000001,00000020,00000100,?,00000000), ref: 0044B705
    • MultiByteToWideChar.KERNEL32(00447FD2,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00447FD2,00000001,00000020,00000100,?,00000000), ref: 0044B73D
    • MultiByteToWideChar.KERNEL32(00447FD2,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00447FD2,00000001,00000020,00000100,?), ref: 0044B793
    • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00447FD2,00000001,00000020,00000100,?), ref: 0044B7A5
    Similarity
    • API ID: StringType$ByteCharMultiWide
    • String ID:
    • API String ID: 3852931651-0
    • Opcode ID: 06fc04ef040910f8f79f839d041fd37d5d7f57e4f59d200660cb6a22a51d0b95
    • Instruction ID: a47e9cf34e0c02f317f252a143f5328f9bddcade5a9d48ccd31db0373c51acf2
    • Opcode Fuzzy Hash: 06fc04ef040910f8f79f839d041fd37d5d7f57e4f59d200660cb6a22a51d0b95
    • Instruction Fuzzy Hash: B0418C75600219AFEF119F94CC85EAF3F68EB09751F10442AF911E6250D338C9509BEA
    APIs
    • TlsGetValue.KERNEL32(00484E6C,00484E2C,00000000,?,00484E6C,?,0045C654,00484E2C,00000000,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4), ref: 0045C3F7
    • EnterCriticalSection.KERNEL32(00484E88,00000010,?,00484E6C,?,0045C654,00484E2C,00000000,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4), ref: 0045C446
    • LeaveCriticalSection.KERNEL32(00484E88,00000000,?,00484E6C,?,0045C654,00484E2C,00000000,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4), ref: 0045C459
    • LocalAlloc.KERNEL32(00000000,00000004,?,00484E6C,?,0045C654,00484E2C,00000000,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4), ref: 0045C46F
    • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00484E6C,?,0045C654,00484E2C,00000000,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4), ref: 0045C481
    • TlsSetValue.KERNEL32(00484E6C,00000000), ref: 0045C4BD
    Similarity
    • API ID: AllocCriticalLocalSectionValue$EnterLeave
    • String ID:
    • API String ID: 4117633390-0
    • Opcode ID: e88355d704f4e7011cfbe568c99c04ce8a9dacf05dd0fba6b01952fe5a691730
    • Instruction ID: 5e0bcb7284746374af975430f0e7b5d1c32eea6fcfd80269ae41fb1f90a347cc
    • Opcode Fuzzy Hash: e88355d704f4e7011cfbe568c99c04ce8a9dacf05dd0fba6b01952fe5a691730
    • Instruction Fuzzy Hash: CC319C71100B05EFD724DF25C895F66B7A8FB46356F00852AE81AC7652E738EC09CFA5
    APIs
    • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00450FF8
    • GetWindowTextLengthA.USER32(?), ref: 00451002
    • GetWindowTextA.USER32(?,00000000,00000000), ref: 0045102A
    • SetTextColor.GDI32(?,00000000), ref: 0045106B
    • DrawTextA.USER32(?,00000000,000000FF,?,?), ref: 00451083
    • SetTextColor.GDI32(?,?), ref: 00451095
    Similarity
    • API ID: Text$ColorWindow$DrawLength
    • String ID:
    • API String ID: 1177705772-0
    • Opcode ID: 9a0358f5430bf4f67fa1ba3122191cc4d3e643214d63ba01e2cba7aa5fddfd41
    • Instruction ID: f41c9ae1a9354a2db28ee752b7d8aa4d3cd2a0daf88fa0d3b7ceb4dc7ffc750a
    • Opcode Fuzzy Hash: 9a0358f5430bf4f67fa1ba3122191cc4d3e643214d63ba01e2cba7aa5fddfd41
    • Instruction Fuzzy Hash: 76218D76600209AFD710DF58DC88EBB77B8EB84722F188129FD15933A2C635ED44CB65
    APIs
    • __EH_prolog.LIBCMT ref: 004552C2
    • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0045530F
    • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00455331
    • GetCapture.USER32 ref: 00455343
    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00455352
    • WinHelpA.USER32(?,?,?,?), ref: 00455366
    Similarity
    • API ID: MessageSend$CaptureH_prologHelp
    • String ID:
    • API String ID: 432264411-0
    • Opcode ID: 959bbd9e9a9027a3a0ec82b286e714aa3c2846223432dbaa2c5b289426be75ea
    • Instruction ID: f20c1a9b3b5470a4893ecba354125f9055336a2690fea5e53fb2a168e56f4bc1
    • Opcode Fuzzy Hash: 959bbd9e9a9027a3a0ec82b286e714aa3c2846223432dbaa2c5b289426be75ea
    • Instruction Fuzzy Hash: 2421A171600709BFEB206F65CC8AF7A77A9EF04785F14817DBA01971E3CBB59C089A14
    APIs
    • GetParent.USER32(?), ref: 004586A2
    • GetLastActivePopup.USER32(?), ref: 004586B1
    • IsWindowEnabled.USER32(?), ref: 004586C6
    • EnableWindow.USER32(?,00000000), ref: 004586D9
    • GetWindowLongA.USER32(?,000000F0), ref: 004586EB
    • GetParent.USER32(?), ref: 004586F9
    Similarity
    • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
    • String ID:
    • API String ID: 670545878-0
    • Opcode ID: 5abb7185847ad048905f5470c1fbda88ac70f99abd59c37c3fbfbc3376f63fd1
    • Instruction ID: 98893062cd16cca5554cb7c8b222b3c13564cbcc449660ed99e6fd6592b18276
    • Opcode Fuzzy Hash: 5abb7185847ad048905f5470c1fbda88ac70f99abd59c37c3fbfbc3376f63fd1
    • Instruction Fuzzy Hash: 9911827260272297D7316A6A8C44B2BB2986F94B53F15012EED00F7347DF68DC0986AE
    APIs
    • ClientToScreen.USER32(?,?), ref: 0045821D
    • GetWindow.USER32(?,00000005), ref: 0045822E
    • GetDlgCtrlID.USER32(00000000), ref: 00458237
    • GetWindowLongA.USER32(00000000,000000F0), ref: 00458246
    • GetWindowRect.USER32(00000000,?), ref: 00458258
    • PtInRect.USER32(?,?,?), ref: 00458268
    Similarity
    • API ID: Window$Rect$ClientCtrlLongScreen
    • String ID:
    • API String ID: 1315500227-0
    • Opcode ID: 2eb3ff082a73497aeddea9306bf482c20ef1f7f0fbfe68b5006fd4256c791410
    • Instruction ID: c862fca544ec638608f6556b7bdfa1a15e91985fb7deb5b22b8b4d4b826d3903
    • Opcode Fuzzy Hash: 2eb3ff082a73497aeddea9306bf482c20ef1f7f0fbfe68b5006fd4256c791410
    • Instruction Fuzzy Hash: 4301A235100615ABDB115B65DC08EEF7B6CEF05302F404176FD12E21A6EF34C91ACB99
    APIs
    • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00454E17
    • GetWindowLongA.USER32(?,000000FC), ref: 00454E28
    • GetWindowLongA.USER32(?,000000FC), ref: 00454E38
    • SetWindowLongA.USER32(?,000000FC,?), ref: 00454E54
    Strings
    Similarity
    • API ID: LongWindow$MessageSend
    • String ID: (
    • API String ID: 2178440468-3887548279
    • Opcode ID: 951032c57ce6b570b190293df62e8bb8520d5c1ecd4466d2cf8e18cbfa23c505
    • Instruction ID: 21c1947cc18818a01e093a68b613681f02dde7b98d34444b58d13f12800ef9ee
    • Opcode Fuzzy Hash: 951032c57ce6b570b190293df62e8bb8520d5c1ecd4466d2cf8e18cbfa23c505
    • Instruction Fuzzy Hash: 4531C3316007049FDB20AF65C885A5EB7F4FF8471AF11466EE9419B693CB38E84C8F98
    APIs
    • GetClassNameA.USER32(?,?,00000010), ref: 0044FB01
    • lstrcmpA.KERNEL32(00467608,?), ref: 0044FB1A
    Strings
    Similarity
    • API ID: ClassNamelstrcmp
    • String ID: $vF$vF
    • API String ID: 3770760073-738459937
    • Opcode ID: b1e097e0f5cdf6367a95c5a31a65ee6a379d3992b588ff1f0e0773483fe0b06f
    • Instruction ID: 8100cabb1a35eb0160872ae59893a99333c8acfb13458d1b0b7273885cd1b27c
    • Opcode Fuzzy Hash: b1e097e0f5cdf6367a95c5a31a65ee6a379d3992b588ff1f0e0773483fe0b06f
    • Instruction Fuzzy Hash: D021E7B67142145FF710AB58EC45CBB335CEA85325F4409BBF915C2221F62AA51D82A6
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0045CCA2
      • Part of subcall function 0045CD8E: lstrlenA.KERNEL32(00000104,00000000,?,0045CCD2), ref: 0045CDC5
    • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0045CD43
    • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0045CD70
    Strings
    Similarity
    • API ID: FileModuleNamelstrcatlstrcpylstrlen
    • String ID: .HLP$.INI
    • API String ID: 2421895198-3011182340
    • Opcode ID: ec02cb1e9e616b0f0f0f2c6b02e269c5bd88a7e7fdd51a2c504925cee9a5bbef
    • Instruction ID: 7b523a5cf4c6f84a9be146c96d921cc908aa6168115fd5c69af64c1df258cdc6
    • Opcode Fuzzy Hash: ec02cb1e9e616b0f0f0f2c6b02e269c5bd88a7e7fdd51a2c504925cee9a5bbef
    • Instruction Fuzzy Hash: 663181B6404708AFDB21DF75D884BC6B7F8AB04305F1049BBE599D3152EB78A9888F54
    APIs
    • GetMenuCheckMarkDimensions.USER32 ref: 0045B483
    • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0045B532
    • LoadBitmapA.USER32(00000000,00007FE3), ref: 0045B54A
    Strings
    Similarity
    • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
    • String ID: $|SF
    • API String ID: 2596413745-2071042934
    • Opcode ID: 81be6982dc507e0235c9395d11210e398c159e5065f3d83f88612e8ef9b7ca03
    • Instruction ID: 8a707a000dd98248e43aeee05436efa862ba98229a4d92996eabc47a3b711e10
    • Opcode Fuzzy Hash: 81be6982dc507e0235c9395d11210e398c159e5065f3d83f88612e8ef9b7ca03
    • Instruction Fuzzy Hash: F2210A71E00319AFEB10CB78DC85BAE7BB8EB44715F0545B6E905EB2C3D7749A088B94
    APIs
    • GetVersion.KERNEL32 ref: 0044686E
      • Part of subcall function 00449B70: HeapCreate.KERNELBASE(00000000,00001000,00000000,004468A6,00000001), ref: 00449B81
      • Part of subcall function 00449B70: HeapDestroy.KERNEL32 ref: 00449B9F
    • GetCommandLineA.KERNEL32 ref: 004468CE
    • GetStartupInfoA.KERNEL32(?), ref: 004468F9
    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0044691C
      • Part of subcall function 00446975: ExitProcess.KERNEL32 ref: 00446992
    Strings
    Similarity
    • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
    • String ID: X'N
    • API String ID: 2057626494-3595532520
    • Opcode ID: 57b90c5321c01e1555b8e797171603c44826d9ab7960472cd091431f0f65c8ce
    • Instruction ID: 31e782ecb260f3c8a28d1ab5f1785e9cac55f411158fd523cb42c6ac5d24599c
    • Opcode Fuzzy Hash: 57b90c5321c01e1555b8e797171603c44826d9ab7960472cd091431f0f65c8ce
    • Instruction Fuzzy Hash: 642185B1940704AFFB04AFA5DC06A6E7BB8EB45705F10052FF5059B2A1DF788C40DB59
    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 00453341
    • GetDlgItem.USER32(?,00000002), ref: 00453360
    • IsWindowEnabled.USER32(00000000), ref: 0045336B
    • SendMessageA.USER32(00000000,00000111,00000002,00000000), ref: 00453381
    Strings
    Similarity
    • API ID: Window$EnabledItemLongMessageSend
    • String ID: Edit
    • API String ID: 3499652902-554135844
    • Opcode ID: d89d93a26a7f05e5220dcfbd61c7f866cd0a978dbd3ff35e9c24465512cfcadf
    • Instruction ID: 737ef2495f03e9a17fd55647b0e6f7d335fe3de496c40b6eef516f4fe40ac575
    • Opcode Fuzzy Hash: d89d93a26a7f05e5220dcfbd61c7f866cd0a978dbd3ff35e9c24465512cfcadf
    • Instruction Fuzzy Hash: A001C430200301AAEB202E258C09B6FEA94AB40797F60452FFC01E62F3CF6CDA59C55D
    APIs
    • GetWindow.USER32(?,00000005), ref: 0044EA93
    • GetWindow.USER32(00000000,00000005), ref: 0044EAAF
    • GetWindow.USER32(00000000,00000002), ref: 0044EAC5
    • GetWindow.USER32(00000000,00000002), ref: 0044EAD0
    Strings
    Similarity
    • API ID: Window
    • String ID: iH
    • API String ID: 2353593579-671714768
    • Opcode ID: 9ea8b6c9fcd9a527d7b6f020c392c45934ec63dee5248b6ac29361610f1db3f3
    • Instruction ID: d16641cf0922139ce98d30a59fb1e5a87a174807cc6a51a1ae692f573ce6f487
    • Opcode Fuzzy Hash: 9ea8b6c9fcd9a527d7b6f020c392c45934ec63dee5248b6ac29361610f1db3f3
    • Instruction Fuzzy Hash: 41F0C8A734070532E221B16B2CC6F6FB79CABE1B51F54043BF600A6283FD99D815422D
    APIs
    • GetWindow.USER32(?,00000005), ref: 0044EB95
    • GetWindowLongA.USER32(?,000000F0), ref: 0044EBA2
    • SetTextColor.GDI32(?,00000000), ref: 0044EBBF
    • SetBkColor.GDI32(?,00000000), ref: 0044EBCD
    Strings
    Similarity
    • API ID: ColorWindow$LongText
    • String ID: iH
    • API String ID: 3945788684-671714768
    • Opcode ID: 784e3b3f7e82907916225a9c6afd95eed788538ed7268f3e1624d5d3300f78d0
    • Instruction ID: a2982971148418fa05cd0e76e475995fef10c7f182eee413fa034086a32c8f92
    • Opcode Fuzzy Hash: 784e3b3f7e82907916225a9c6afd95eed788538ed7268f3e1624d5d3300f78d0
    • Instruction Fuzzy Hash: B601DE362092908BEB60D725AC48D9F7754F792321B054C7BF542D2291D628E986876E
    APIs
    • GetStartupInfoA.KERNEL32(?), ref: 00449A12
    • GetFileType.KERNEL32(?,?,00000000), ref: 00449ABD
    • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00449B20
    • GetFileType.KERNEL32(00000000,?,00000000), ref: 00449B2E
    • SetHandleCount.KERNEL32 ref: 00449B65
    Similarity
    • API ID: FileHandleType$CountInfoStartup
    • String ID:
    • API String ID: 1710529072-0
    • Opcode ID: 10f7a34f89d25c0276b527fbfa3fc386474ba43181868b7c8d9e31d87257ea86
    • Instruction ID: c93d299871968292d968e08d8d090304554857a9e6fa4dc361f4cc84b9032bbc
    • Opcode Fuzzy Hash: 10f7a34f89d25c0276b527fbfa3fc386474ba43181868b7c8d9e31d87257ea86
    • Instruction Fuzzy Hash: AC51F8715042818FEB10CF28D88876B77E0FB11328F29466ED596AB2D1D738DC05E759
    APIs
    • __EH_prolog.LIBCMT ref: 004551DB
    • GetClassInfoA.USER32(?,?,?), ref: 004551F6
    • RegisterClassA.USER32(00000004), ref: 00455201
    • lstrcatA.KERNEL32(00000034,?,00000001), ref: 00455238
    • lstrcatA.KERNEL32(00000034,?), ref: 00455246
    Similarity
    • API ID: Classlstrcat$H_prologInfoRegister
    • String ID:
    • API String ID: 106226465-0
    • Opcode ID: 1b400a5d402ebb0615891c03d7c62ac55957928c88af3c551a9f640050bdfb35
    • Instruction ID: 045e7567eb7a0e8624655e238e4eb87d7ae917a33e3e1d2d79e6ab7a173c4d3d
    • Opcode Fuzzy Hash: 1b400a5d402ebb0615891c03d7c62ac55957928c88af3c551a9f640050bdfb35
    • Instruction Fuzzy Hash: FF110C76900304BFD710AF64DC41A9E7BB8EF05715F0045ABFC05A7153C375D6099B59
    APIs
    • GetLastError.KERNEL32(?,00000000,004493B7,00000000,?,?,?,00446942,?,?,00000000,00000000), ref: 00448C45
    • TlsGetValue.KERNEL32(?,00000000,004493B7,00000000,?,?,?,00446942,?,?,00000000,00000000), ref: 00448C53
    • SetLastError.KERNEL32(00000000,?,00000000,004493B7,00000000,?,?,?,00446942,?,?,00000000,00000000), ref: 00448C9F
      • Part of subcall function 0044A916: HeapAlloc.KERNEL32(00000008,?,?,?,?,00448BFB,00000001,00000074,?,004468B8), ref: 0044A96B
    • TlsSetValue.KERNEL32(00000000,?,00000000,004493B7,00000000,?,?,?,00446942,?,?,00000000,00000000), ref: 00448C77
    • GetCurrentThreadId.KERNEL32 ref: 00448C88
    Similarity
    • API ID: ErrorLastValue$AllocCurrentHeapThread
    • String ID:
    • API String ID: 2020098873-0
    • Opcode ID: c578e14be505be8b04a593cba1388d9f3855f724a3e76ce9984da2ee61447bfb
    • Instruction ID: c2cb04aa9fb85632d2e288068d8adf68535442758467a6373e1eddb41ff30d49
    • Opcode Fuzzy Hash: c578e14be505be8b04a593cba1388d9f3855f724a3e76ce9984da2ee61447bfb
    • Instruction Fuzzy Hash: 2BF09632902B11ABE7312F70EE4961E3A50AF057B2711057EF649A62D1DF68CC41866A
    APIs
    • TlsFree.KERNEL32(00000000,?,?,0045C733,00000000,00000001), ref: 0045C232
    • GlobalHandle.KERNEL32(004F2990), ref: 0045C25A
    • GlobalUnlock.KERNEL32(00000000), ref: 0045C263
    • GlobalFree.KERNEL32(00000000), ref: 0045C26A
    • DeleteCriticalSection.KERNEL32(00484E50,?,?,0045C733,00000000,00000001), ref: 0045C274
    Similarity
    • API ID: Global$Free$CriticalDeleteHandleSectionUnlock
    • String ID:
    • API String ID: 2159622880-0
    APIs
      • Part of subcall function 00455A54: GetDlgCtrlID.USER32 ref: 00455A65
    • GetParent.USER32(?), ref: 00459397
    • GetParent.USER32(?), ref: 004593BD
    • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 004594A3
    Strings
    Similarity
    • API ID: Parent$CtrlMessageSend
    • String ID: pfF
    • API String ID: 478998718-128489926
    APIs
    • GlobalLock.KERNEL32(?), ref: 0045775A
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 004577AD
    • GlobalUnlock.KERNEL32(?), ref: 00457844
    Strings
    Similarity
    • API ID: Global$ByteCharLockMultiUnlockWide
    • String ID: System
    • API String ID: 231414890-3470857405
    APIs
    • InterlockedIncrement.KERNEL32(00486648), ref: 0044C540
    • InterlockedDecrement.KERNEL32(00486648), ref: 0044C555
    Strings
    Similarity
    • API ID: Interlocked$DecrementIncrement
    • String ID: HfH
    • API String ID: 2172605799-3395813609
    APIs
    • InterlockedIncrement.KERNEL32(00486648), ref: 0044B8A9
    • InterlockedDecrement.KERNEL32(00486648), ref: 0044B8BE
    Strings
    Similarity
    • API ID: Interlocked$DecrementIncrement
    • String ID: HfH
    • API String ID: 2172605799-3395813609
    APIs
    • InterlockedIncrement.KERNEL32(00486648), ref: 0044CE5F
    • InterlockedDecrement.KERNEL32(00486648), ref: 0044CE76
      • Part of subcall function 00449D61: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0044A94C,00000009,?,?,?,00448BFB,00000001,00000074,?,004468B8), ref: 00449D9E
      • Part of subcall function 00449D61: EnterCriticalSection.KERNEL32(?,?,?,0044A94C,00000009,?,?,?,00448BFB,00000001,00000074,?,004468B8), ref: 00449DB9
    • InterlockedDecrement.KERNEL32(00486648), ref: 0044CEA2
    Strings
    Similarity
    • API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
    • String ID: HfH
    • API String ID: 2038102319-3395813609
    APIs
    • GetWindowLongA.USER32(00000000,000000F0), ref: 004581AA
    • GetClassNameA.USER32(00000000,?,0000000A), ref: 004581C5
    • lstrcmpiA.KERNEL32(?,combobox), ref: 004581D4
    Strings
    Similarity
    • API ID: ClassLongNameWindowlstrcmpi
    • String ID: combobox
    • API String ID: 2054663530-2240613097
    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32,00446376), ref: 00448DB6
    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00448DC6
    Strings
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsProcessorFeaturePresent$KERNEL32
    • API String ID: 1646373207-3105848591
    APIs
    • WriteFile.KERNEL32(?,?,?,00000108,00000000,00000001,?,?), ref: 0044CBC2
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    APIs
    • GetPropA.USER32(?,00000000), ref: 00450BE6
    • CallWindowProcA.USER32(00000000), ref: 00450C11
      • Part of subcall function 0044E120: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0044E146
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E15E
      • Part of subcall function 0044E120: RemovePropA.USER32(?,00000000), ref: 0044E16A
    Similarity
    • API ID: Prop$CallProcRemoveWindow
    • String ID:
    • API String ID: 2276450057-0
    APIs
      • Part of subcall function 0045866F: GetParent.USER32(?), ref: 004586A2
      • Part of subcall function 0045866F: GetLastActivePopup.USER32(?), ref: 004586B1
      • Part of subcall function 0045866F: IsWindowEnabled.USER32(?), ref: 004586C6
      • Part of subcall function 0045866F: EnableWindow.USER32(?,00000000), ref: 004586D9
    • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0045852D
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000,00000000,?), ref: 0045859B
    • MessageBoxA.USER32(?,?,?,?), ref: 004585A9
    • EnableWindow.USER32(00000000,00000001), ref: 004585C5
    Similarity
    • API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
    • String ID:
    • API String ID: 1958756768-0
    APIs
    • GetPropA.USER32(?,00000000), ref: 0044E9FD
    • SendMessageA.USER32(?,00001944,00000000,?), ref: 0044EA22
    • SendMessageA.USER32(?,00001943,00000000,?), ref: 0044EA37
    • RemovePropA.USER32(?,00000000), ref: 0044EA4D
    Similarity
    • API ID: MessagePropSend$Remove
    • String ID:
    • API String ID: 2793251306-0
    APIs
    • CallNextHookEx.USER32(00000000,?,?,?), ref: 0044E04B
    • UnhookWindowsHookEx.USER32(00000000), ref: 0044E064
    • GetWindowLongA.USER32(?,000000F0), ref: 0044E07B
    • SendMessageA.USER32(00000001,000011F0,00000000,00000001), ref: 0044E0A5
    Similarity
    • API ID: Hook$CallLongMessageNextSendUnhookWindowWindows
    • String ID:
    • API String ID: 4187046592-0
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0044E516
    • EnterCriticalSection.KERNEL32(004869C0), ref: 0044E523
    • UnhookWindowsHookEx.USER32(?), ref: 0044E566
    • LeaveCriticalSection.KERNEL32(004869C0), ref: 0044E5AB
    Similarity
    • API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
    • String ID:
    • API String ID: 1197249173-0
    APIs
    • FindResourceA.KERNEL32(?,?,00000005), ref: 00459221
    • LoadResource.KERNEL32(?,00000000,?,00459B9F,?,?,0045DA36,000000FF,?,0040544F,Options,00000000,00000000), ref: 0045922B
    • LockResource.KERNEL32(00000000,?,00459B9F,?,?,0045DA36,000000FF,?,0040544F,Options,00000000,00000000), ref: 00459232
    • GlobalFree.KERNEL32(?), ref: 00459266
    Similarity
    • API ID: Resource$FindFreeGlobalLoadLock
    • String ID:
    • API String ID: 3898064442-0
    APIs
    • WindowFromPoint.USER32(?,?), ref: 00451E3E
    • GetParent.USER32(00000000), ref: 00451E4B
    • ScreenToClient.USER32(00000000,?), ref: 00451E6C
    • IsWindowEnabled.USER32(00000000), ref: 00451E85
      • Part of subcall function 00458199: GetWindowLongA.USER32(00000000,000000F0), ref: 004581AA
    Similarity
    • API ID: Window$ClientEnabledFromLongParentPointScreen
    • String ID:
    • API String ID: 2204725058-0
    APIs
    • GetDlgItem.USER32(?,?), ref: 00455BF7
    • GetTopWindow.USER32(00000000), ref: 00455C0A
    • GetTopWindow.USER32(?), ref: 00455C3A
    • GetWindow.USER32(00000000,00000002), ref: 00455C55
    Similarity
    • API ID: Window$Item
    • String ID:
    • API String ID: 369458955-0
    APIs
    • GetTopWindow.USER32(?), ref: 00455C73
    • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00455CA9
    • GetTopWindow.USER32(00000000), ref: 00455CB6
    • GetWindow.USER32(00000000,00000002), ref: 00455CD4
    Similarity
    • API ID: Window$MessageSend
    • String ID:
    • API String ID: 1496643700-0
    APIs
    Similarity
    • API ID: Item$EnableFocusMenuNextParent
    • String ID:
    • API String ID: 988757621-0
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0044E756
    • EnterCriticalSection.KERNEL32(004869C0), ref: 0044E763
    • UnhookWindowsHookEx.USER32(?), ref: 0044E79A
    • LeaveCriticalSection.KERNEL32(004869C0), ref: 0044E7D9
    Similarity
    • API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
    • String ID:
    • API String ID: 1197249173-0
    APIs
    • GetObjectA.GDI32(00000000,0000000C,?), ref: 004562D7
    • SetBkColor.GDI32(00000000,00000000), ref: 004562E3
    • GetSysColor.USER32(00000008), ref: 004562F3
    • SetTextColor.GDI32(00000000,?), ref: 004562FD
      • Part of subcall function 00458199: GetWindowLongA.USER32(00000000,000000F0), ref: 004581AA
    Similarity
    • API ID: Color$LongObjectTextWindow
    • String ID:
    • API String ID: 2871169696-0
    APIs
    • RegOpenKeyExA.ADVAPI32(?,80000000,00000000,00000001,?), ref: 0044413A
    • RegQueryValueA.ADVAPI32(?,00000000,?,00000104), ref: 00444167
    • lstrcpyA.KERNEL32(004443D7,?), ref: 00444178
    • RegCloseKey.ADVAPI32(?), ref: 00444182
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CloseOpenQueryValuelstrcpy
    • String ID:
    • API String ID: 534897748-0
    • Opcode ID: aac25e3ad50ad51bd91bdf64e720bfae32ada970b23fa056b136235924896c35
    • Instruction ID: 0be568a99d572359911d6cbdfdbd943521631dd326f2f2a70c68724549109f26
    • Opcode Fuzzy Hash: aac25e3ad50ad51bd91bdf64e720bfae32ada970b23fa056b136235924896c35
    • Instruction Fuzzy Hash: D001EC7990020CEBDB14DF90DC85FEEB778AB48711F0085A9AA0597281D6749A89DFA1
    APIs
    • lstrlenA.KERNEL32(00458C18,?), ref: 00458290
    • GetWindowTextA.USER32(00000000,?,00000100), ref: 004582AC
    • lstrcmpA.KERNEL32(?,00458C18), ref: 004582C0
    • SetWindowTextA.USER32(00000000,00458C18), ref: 004582D0
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: TextWindow$lstrcmplstrlen
    • String ID:
    • API String ID: 330964273-0
    • Opcode ID: 9ffe68257827fb8fe416e4638dd97950f30d5a909f4ddbc3c3ea2dab918feda8
    • Instruction ID: fc5cb885d51bf257b262d6afab8d580395231c4d8915b7dbda408f981f2d6571
    • Opcode Fuzzy Hash: 9ffe68257827fb8fe416e4638dd97950f30d5a909f4ddbc3c3ea2dab918feda8
    • Instruction Fuzzy Hash: 2AF082B9500118BBCF226F60DC08ADE7F68FB18392F0080B1FC46E2161DB75C9598B99
    APIs
      • Part of subcall function 00449D61: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0044A94C,00000009,?,?,?,00448BFB,00000001,00000074,?,004468B8), ref: 00449D9E
      • Part of subcall function 00449D61: EnterCriticalSection.KERNEL32(?,?,?,0044A94C,00000009,?,?,?,00448BFB,00000001,00000074,?,004468B8), ref: 00449DB9
    • GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,004468E8), ref: 00447D31
      • Part of subcall function 00449DC2: LeaveCriticalSection.KERNEL32(?,004478E3,00000009,?,00000009,00000000,?,004478A3,000000E0,00447890,?,00449D81,00000018,00000000,?), ref: 00449DCF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CriticalSection$EnterInfoInitializeLeave
    • String ID: `"H$p!H
    • API String ID: 1866836854-3137644630
    • Opcode ID: 47ea538de3513f4e2864953190bcc365222c5e8dd4a2a5187cda664894383772
    • Instruction ID: 2ef6b1c74d0fa5fb8c03ee6c831c18cf36cc25a28ec31f3a4bc5797bdeb8cc81
    • Opcode Fuzzy Hash: 47ea538de3513f4e2864953190bcc365222c5e8dd4a2a5187cda664894383772
    • Instruction Fuzzy Hash: 454130B191C2409EFB51DB74D88437E7BE09F04719F3549AFE2898A292C77D4C86878D
    APIs
    • GetSysColor.USER32(00000000), ref: 0044F271
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Color
    • String ID: $jH
    • API String ID: 2811717613-655392161
    • Opcode ID: 5497d61591c8d0864669fa11e9d44682eed6d9a1957b779e4e6b8bc9ccf318f2
    • Instruction ID: b2b72fe96b04069a1b453e5e17e9a52a5b298b85c6d7c49115aa3ff0e0814017
    • Opcode Fuzzy Hash: 5497d61591c8d0864669fa11e9d44682eed6d9a1957b779e4e6b8bc9ccf318f2
    • Instruction Fuzzy Hash: 3141B07A6083009BE714DF29E84066BB7E4FBC4314F84893EF98893250D379D84ECB56
    APIs
    • GetCPInfo.KERNEL32(?,00000000), ref: 00447F47
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Info
    • String ID: $
    • API String ID: 1807457897-3032137957
    • Opcode ID: 1cf2bf554c8011b1e17e1831ec7bbcf9395ee30d9d1d15e5ae04f675cd80f2ce
    • Instruction ID: a23dbbd77fd61b4427a3d8ae072150f254234d3fdc0dba7f5a23efa459c9b82f
    • Opcode Fuzzy Hash: 1cf2bf554c8011b1e17e1831ec7bbcf9395ee30d9d1d15e5ae04f675cd80f2ce
    • Instruction Fuzzy Hash: D24147311042585EFF129724CD49BFF3FD9DB02704F1608EAE589C7293CA694988C7AA
    APIs
      • Part of subcall function 00458F61: __EH_prolog.LIBCMT ref: 00458F66
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 004431D2
    • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 004431E4
      • Part of subcall function 00453EEE: lstrlenA.KERNEL32(?,?,?,0040218C,0048323C,-00000309,00000010,00000016,00401D80,00401DA0,-000002B9,00000004,00000014,Function_00001DF0,00453DF5,-00000269), ref: 00453EFF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: ProcessorVirtual$Concurrency::RootRoot::$H_prologlstrlen
    • String ID: leration
    • API String ID: 2021088600-845416379
    • Opcode ID: df5ff5b2b4e0b89d2f099b25a662a88aff3fd7f9df338edac7f19523d2598d0b
    • Instruction ID: ab4e1e42f26e6d53577dbd998897a5daa6e005dae180c36d3b08b3ee997ec27d
    • Opcode Fuzzy Hash: df5ff5b2b4e0b89d2f099b25a662a88aff3fd7f9df338edac7f19523d2598d0b
    • Instruction Fuzzy Hash: 0A315CB0A40249EBEB14DB98CC56BAEB771FF41708F14456DE6112B3C2CBB91604C799
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Convert.exe,00000104,?,00000000,?,?,?,?,004468E8), ref: 00449658
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID: C:\Users\user\Desktop\Convert.exe$X'N
    • API String ID: 514040917-1225163981
    • Opcode ID: cccded4e98959345a003e56c9c083b7dde57060ed6cc8f09d1e8f29990886825
    • Instruction ID: 7d257add516cd09f664d1a238d62f1144ae973b114c9b134ecb58b6bda9e4f56
    • Opcode Fuzzy Hash: cccded4e98959345a003e56c9c083b7dde57060ed6cc8f09d1e8f29990886825
    • Instruction Fuzzy Hash: 53115EB6900218BFE711EB95DC81CAF7BACEB05358B0204AFF50597211EA749E449BA9
    APIs
    • __EH_prolog.LIBCMT ref: 0045A672
      • Part of subcall function 0045C679: __EH_prolog.LIBCMT ref: 0045C67E
      • Part of subcall function 00456D14: GetWindowLongA.USER32(00000000,000000F0), ref: 00456D20
      • Part of subcall function 00457EBC: __EH_prolog.LIBCMT ref: 00457EC1
      • Part of subcall function 00457EBC: GetDC.USER32(?), ref: 00457EEA
      • Part of subcall function 00444770: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00444784
      • Part of subcall function 00457B90: SelectObject.GDI32(?,00000000), ref: 00457BB2
      • Part of subcall function 00457B90: SelectObject.GDI32(?,00000000), ref: 00457BC8
    • GetTextMetricsA.GDI32(?,?), ref: 0045A6C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: H_prolog$ObjectSelect$LongMessageMetricsSendTextWindow
    • String ID: `NH
    • API String ID: 2410843227-2708191515
    • Opcode ID: 1f597b3c1714061f587612e37637dd542d30a42a7441af5f7abd66e8f08f72cb
    • Instruction ID: 6fd32f38aa185da26feb20da513a290c53bd380ca3a1b480f205ea951e26fee9
    • Opcode Fuzzy Hash: 1f597b3c1714061f587612e37637dd542d30a42a7441af5f7abd66e8f08f72cb
    • Instruction Fuzzy Hash: 6511E933A005149BDB04A7A5DC81ADEB7B9EB84316F14453FF412E3293DF786D098758
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Parent
    • String ID: @fF$pfF
    • API String ID: 975332729-130061076
    • Opcode ID: 9ce0c56aba0225eebca70d9d781e00fdff3e6a68a7f8f42f320241f2f1d1f7d9
    • Instruction ID: d0f4dd8e877e853238a70565877cc88b238c8963feefbac8d7d17da4c9c98843
    • Opcode Fuzzy Hash: 9ce0c56aba0225eebca70d9d781e00fdff3e6a68a7f8f42f320241f2f1d1f7d9
    • Instruction Fuzzy Hash: B201D832604602DBDB248B59D884D2B73A8DFC9323725443FEC45977D6CA38EC09CB58
    APIs
    • __EH_prolog.LIBCMT ref: 00459F31
    • GetObjectA.GDI32(00000000,00000018,?), ref: 00459F89
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: H_prologObject
    • String ID: DmF
    • API String ID: 3423075018-3342732609
    • Opcode ID: c0ca89050b369644a38a83c574d61124dfed634ed9f680e9bf15ee68e45838a9
    • Instruction ID: 20348e6802007e86812f4e8494e644a74938644df081601828a5ff610165990a
    • Opcode Fuzzy Hash: c0ca89050b369644a38a83c574d61124dfed634ed9f680e9bf15ee68e45838a9
    • Instruction Fuzzy Hash: AE118CB1D00209DFDB10DFA4D546BEEBBB0EB08716F00845EE905A2282D7B85A48CB99
    APIs
      • Part of subcall function 00456D14: GetWindowLongA.USER32(00000000,000000F0), ref: 00456D20
    • GetWindowRect.USER32(?,9EE), ref: 00454366
    • GetWindow.USER32(?,00000004), ref: 00454383
      • Part of subcall function 00456EA3: IsWindowEnabled.USER32(?), ref: 00456EAD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Window$EnabledLongRect
    • String ID: 9EE
    • API String ID: 3170195891-1598228818
    • Opcode ID: bec8a3f6d294940cd19a789a4048cdd166aaf2698ddbbf8e3aa935eccbefb5cb
    • Instruction ID: 95a0ac723b0fdb612912c4e180363d21aedf26402ea194c0cade108880a4b963
    • Opcode Fuzzy Hash: bec8a3f6d294940cd19a789a4048cdd166aaf2698ddbbf8e3aa935eccbefb5cb
    • Instruction Fuzzy Hash: 8A0171307002149BDF21AF61C915BAF77E5AF9030EF40445AED419B3A3DB38DC888A98
    APIs
      • Part of subcall function 0045C679: __EH_prolog.LIBCMT ref: 0045C67E
    • SendMessageA.USER32(?,00000198,00000016,?), ref: 0045A732
    • InvalidateRect.USER32(?,?,00000000,?,?,?,00445051,00000016,?), ref: 0045A74E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: H_prologInvalidateMessageRectSend
    • String ID: `NH
    • API String ID: 222458238-2708191515
    • Opcode ID: 74d93525197368fbe666b3c827feef32069fa4be1f0fba11491c781bf2edd773
    • Instruction ID: e1be53b3195a22e54227850b2a17e946f329571c735514a26f0645833d53dd5b
    • Opcode Fuzzy Hash: 74d93525197368fbe666b3c827feef32069fa4be1f0fba11491c781bf2edd773
    • Instruction Fuzzy Hash: 75F05E36500319AFD710EF95DC45DEEB7B9FB84301F00453AE90192192DA70A919CB94
    APIs
    • DeleteCriticalSection.KERNEL32(00485018,?,?,?,0045164B,00000000,00000001), ref: 0045C816
    • DeleteCriticalSection.KERNEL32(00485030,?,?,?,0045164B,00000000,00000001), ref: 0045C828
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CriticalDeleteSection
    • String ID: 0PH
    • API String ID: 166494926-429303924
    • Opcode ID: 734cd1f48ad902bef1377236a5d2ae1c959059f187229abeb41842255851d5a2
    • Instruction ID: 1c6eaba41cd9c1205f92842ddf1e431811c5a6e4572121cad594ed2ce94db9fe
    • Opcode Fuzzy Hash: 734cd1f48ad902bef1377236a5d2ae1c959059f187229abeb41842255851d5a2
    • Instruction Fuzzy Hash: A9E01A729107049FD7203B5DECC875E66B8EB9132BF25683BE94051262837E4C88DBD9
    APIs
    • GetClassNameA.USER32(?,?,00000010), ref: 0044F93E
    • lstrcmpA.KERNEL32(?,ComboBox,?,00000010), ref: 0044F94E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: ClassNamelstrcmp
    • String ID: ComboBox
    • API String ID: 3770760073-1152790111
    • Opcode ID: 32e2b560d3036ae37218e0666ec08a67b997f10deb92cd32c17fa390c41c5dde
    • Instruction ID: aad108a5c13fdbb8d374251ef1e111310be8c608e497c704e010c88afefd153b
    • Opcode Fuzzy Hash: 32e2b560d3036ae37218e0666ec08a67b997f10deb92cd32c17fa390c41c5dde
    • Instruction Fuzzy Hash: D3E0DFB16103026BEB14BB28CC49B2A32A4F700706F844DACF149C22A1F77BD548831B
    APIs
      • Part of subcall function 0045C5E4: TlsGetValue.KERNEL32(00484E6C,?,00000000,0045BF85,0045B3E3,0045BFA1,0045285D,004578F4,?,00000000,?,0045161C,00000000,00000000,00000000,00000000), ref: 0045C623
    • GetMessageTime.USER32 ref: 00454596
    • GetMessagePos.USER32 ref: 0045459F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: Message$TimeValue
    • String ID: ,NH
    • API String ID: 3832333830-3639332287
    • Opcode ID: 132c36ad26fafd264b327fcdd59cf038ca79a631843e9cdc625e677bddb90e61
    • Instruction ID: ef02e1a127f41357c4e2308cd101474db07e1f253c9caf6b5ab26e4c13208a59
    • Opcode Fuzzy Hash: 132c36ad26fafd264b327fcdd59cf038ca79a631843e9cdc625e677bddb90e61
    • Instruction Fuzzy Hash: 48D01774801B308FC720AFB5A5881AB7BE8EB44713340087FE986C7A12DB39E405CF89
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 0045C54F
    • LeaveCriticalSection.KERNEL32(?,?), ref: 0045C55F
    • LocalFree.KERNEL32(?), ref: 0045C568
    • TlsSetValue.KERNEL32(?,00000000), ref: 0045C57E
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CriticalSection$EnterFreeLeaveLocalValue
    • String ID:
    • API String ID: 2949335588-0
    • Opcode ID: 97464f0800e32f4addc31103b94fe96cea5ae0b998ccbbb92bed81ac5f6551b5
    • Instruction ID: 9f45e29cdf5384dc5223a5cd649a4a84178ae0e223aacdcb1813034ac009809f
    • Opcode Fuzzy Hash: 97464f0800e32f4addc31103b94fe96cea5ae0b998ccbbb92bed81ac5f6551b5
    • Instruction Fuzzy Hash: 90219A32200724EFC7248F94D884B6A77A4FF45712F50846EF9029B2A2DB75FC49CB55
    APIs
    • EnterCriticalSection.KERNEL32(00485018,?,00000000,?,?,0045C69A,00000010,?,00000000,?,?,?,0045BF9B,0045BFE8,0045B3E3,0045BFA1), ref: 0045C879
    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0045C69A,00000010,?,00000000,?,?,?,0045BF9B,0045BFE8,0045B3E3,0045BFA1), ref: 0045C88B
    • LeaveCriticalSection.KERNEL32(00485018,?,00000000,?,?,0045C69A,00000010,?,00000000,?,?,?,0045BF9B,0045BFE8,0045B3E3,0045BFA1), ref: 0045C894
    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0045C69A,00000010,?,00000000,?,?,?,0045BF9B,0045BFE8,0045B3E3,0045BFA1,0045285D), ref: 0045C8A6
      • Part of subcall function 0045C7AB: GetVersion.KERNEL32(?,0045C84E,?,0045C69A,00000010,?,00000000,?,?,?,0045BF9B,0045BFE8,0045B3E3,0045BFA1,0045285D,004578F4), ref: 0045C7BE
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CriticalSection$Enter$InitializeLeaveVersion
    • String ID:
    • API String ID: 1193629340-0
    • Opcode ID: 82d8909e6e37444d8dfbb15c22fe58dafd969bddfd6c5660865929499fe4e119
    • Instruction ID: 9e463c43c45708ed4bf3e52174e50b6dab29c542ec9a95fdc5e2302c6ce34ca1
    • Opcode Fuzzy Hash: 82d8909e6e37444d8dfbb15c22fe58dafd969bddfd6c5660865929499fe4e119
    • Instruction Fuzzy Hash: 04F0447140070ADFC710AF94ECC4A5AB36CFB55317B40083FE60552022D735B858CBA9
    APIs
    • InitializeCriticalSection.KERNEL32(?,00448BE2,?,004468B8), ref: 00449D45
    • InitializeCriticalSection.KERNEL32(?,00448BE2,?,004468B8), ref: 00449D4D
    • InitializeCriticalSection.KERNEL32(?,00448BE2,?,004468B8), ref: 00449D55
    • InitializeCriticalSection.KERNEL32(?,00448BE2,?,004468B8), ref: 00449D5D
    Memory Dump Source
    • Source File: 00000000.00000002.2500661664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2500608179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500784189.000000000045F000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500835825.000000000046C000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500898000.0000000000481000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2500949260.0000000000488000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Convert.jbxd
    Similarity
    • API ID: CriticalInitializeSection
    • String ID:
    • API String ID: 32694325-0
    • Opcode ID: 83f02653c4530bd4f504e3cacb83d55f4c36d964e2eeccf4222e36c17539273a
    • Instruction ID: ede4b82885997495e84dd53f1c457f97974f8fb30d58a21cc7fb583a4370909e
    • Opcode Fuzzy Hash: 83f02653c4530bd4f504e3cacb83d55f4c36d964e2eeccf4222e36c17539273a
    • Instruction Fuzzy Hash: 3FC00232811434DBCE163B55FF0584E3FA5EB042613090676A1045103486A21C10DFD8