Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe

Overview

General Information

Sample name:SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Analysis ID:1436354
MD5:38d8fa19104d2d053ecdf2fc8ffebfc8
SHA1:ce20991750224314d5d3f6884881200868a946d2
SHA256:1ed93111b00286598577dee8817e4992154f5bebe7f6355c251b6e8bef8a6985
Tags:exe
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe" MD5: 38D8FA19104D2D053ECDF2FC8FFEBFC8)
    • taskkill.exe (PID: 7444 cmdline: TASKKILL /F /IM WebActiveEXE.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7508 cmdline: TASKKILL /F /IM TimeGridEXE.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WebActiveEXE.exe (PID: 7600 cmdline: "C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe" /regserver MD5: 9243C61FEF74004CBA9DA20A9BC013E7)
    • TimeGridEXE.exe (PID: 7608 cmdline: "C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe" /regserver MD5: 722C00AC501CFDE5C34A1F002A31DC3C)
    • regsvr32.exe (PID: 7624 cmdline: regsvr32 /s "atl.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe Virustotal: Detection: 10%
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: D:\test\H265-DEC\Branches\P_2015.06.15_H265_DEC_OpenHevcDec\build\vs2010\Release\HevcdecLib.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, hevcdec.dll.0.dr
Source: Binary string: E:\fish_eye_from_wangsong0416\testbed\vs2008\Release\fisheye.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, fisheye.dll.0.dr
Source: Binary string: D:\newpath\JPEG-DEC\Trunk\build\vs2010\demo\Release\jpeg_dec.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002B15000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mjpegdec.dll.0.dr
Source: Binary string: D:\newpath\JPEG-DEC\Trunk\build\vs2010\demo\Release\jpeg_dec.pdbP source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002B15000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mjpegdec.dll.0.dr
Source: Binary string: D:\1h264dec_test\mpeg4_postprocess\build\vs2010\demo\Release\postproc.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BD5000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, postproc.dll.0.dr
Source: Binary string: D:\projects\gun_PTZ\export\x86\win\MCL_FPTZ_Win32.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, MCL_FPTZ.dll.0.dr, nsbA248.tmp.0.dr
Source: Binary string: d:\SC_NEW\StreamConvertor\Lib\Win32\C-vs2005shared\StreamConvertor.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.dr
Source: Binary string: D:\projects\gun_PTZ\export\x86\win\MCL_FPTZ_Win32.pdbP source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, MCL_FPTZ.dll.0.dr, nsbA248.tmp.0.dr
Source: Binary string: D:\1h264dec_test\mpeg4_postprocess\build\vs2010\demo\Release\postproc.pdb`W`t` source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BD5000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, postproc.dll.0.dr
Source: Binary string: T:\codec\mpeg4\PC_Mpeg4_DEC_Windows\build\vs2010_x86\mpeg4dec_x86\dllmpeg4dec\Release\mpeg4dec.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002E7E000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mpeg4dec.dll.0.dr
Source: Binary string: D:\Work\Codecs\SVAC_1.0\Branches\svac_vs2005_test\platform\windows\lib\Win32\dll_svac_dec.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002F4F000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, svac_dec.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_00405E61 FindFirstFileA,FindClose,0_2_00405E61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_0040548B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, aacdec.dll.0.dr, nsbA248.tmp.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-AAC-DEC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, aacdec.dll.0.dr, nsbA248.tmp.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-AAC-DEC/Trunkw
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, g7221dec.dll.0.dr, nsbA248.tmp.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-G7221-DEC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, g7221dec.dll.0.dr, nsbA248.tmp.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-G7221-DEC/Trunk8
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, g729dec.dll.0.dr, nsbA248.tmp.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_G729AB_DEC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, g729dec.dll.0.dr, nsbA248.tmp.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_G729AB_DEC/Trunklsp_stability
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp, mp2dec.dll.0.dr, nsbA248.tmp.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_Mpeg2l2_Dec/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp, mp2dec.dll.0.dr, nsbA248.tmp.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_Mpeg2l2_Dec/TrunkCorExitProcessmscoree.dllruntime
Source: fisheye.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/BaseAlg/ImageProcess/FishEye/Trunk/fish_eye_from_wangsong
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, hevcdec.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/H265-DEC/Branches/P_2015.06.15_H265_DEC_OpenHevcDec
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, hevcdec.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/H265-DEC/Branches/P_2015.06.15_H265_DEC_OpenHevcDecCould
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002B15000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mjpegdec.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/JPEG-DEC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002B15000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mjpegdec.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/JPEG-DEC/TrunkX
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, swscale.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/TOOLS/bilinear_scale/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/ENC_AAC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/ENC_AAC/Trunkknipsycho
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002E7E000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mpeg4dec.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/MPEG4_DEC_FAST/Trunk/PC_Mpeg4_DEC_Windows
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002E7E000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mpeg4dec.dll.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/MPEG4_DEC_FAST/Trunk/PC_Mpeg4_DEC_Windows(null)(null)
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, MCL_FPTZ.dll.0.dr, nsbA248.tmp.0.drString found in binary or memory: http://10.6.5.2/svnpl/CODEC/VIDEO_ARITH/PTZ/MTracking_PTZ/Trunk/SIML_PTZ/MS_zhucong
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, uninst.exe.0.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, uninst.exe.0.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: StreamConvertor.dll.0.drString found in binary or memory: http://www.audiocoding.com/)
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.drString found in binary or memory: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.drString found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405042
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002A1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DirectDrawCreateExmemstr_72a38721-5
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeCode function: 5_2_0040C479 GetKeyState,GetKeyState,GetKeyState,GetKeyState,5_2_0040C479
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeCode function: 6_2_0040415E GetKeyState,GetKeyState,GetKeyState,GetKeyState,6_2_0040415E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040323C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_004048530_2_00404853
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_004061310_2_00406131
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeCode function: 5_2_0040598A5_2_0040598A
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeCode function: String function: 0040E2F0 appears 46 times
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeCode function: String function: 00410150 appears 38 times
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeCode function: String function: 10009CBC appears 44 times
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002E7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFileOperator.DLLd" vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002E7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002A7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMCL_FPTZ.dll, vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHevcdecLib.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002CBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIvsDrawer.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002CBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefisheye.dll, vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002CBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFisheyeCtrl.DLLb! vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002C53000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWebActiveEXE.EXEH vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenpTimeGrid.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametimeAxesDll.DLLb! vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTimeGridEXE.EXEF vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameVideoWindow.DLL vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002B15000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameH264decLib.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameaacDec.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameg729Dec.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameg7221Dec.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMP2L2Dec.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedhnetsdk.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameMP2L2Dec.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002F4F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedll_svac_dec.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamenpmedia.dll vs SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\Trans\IvsPlayDraw.cpp
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\DVR\ProtocolWithWeb.cpp
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\Trans\videoMode.cpp
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\DVR\DownloadAviRecordModule.cpp
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\DVR\SyncMultiNetPlaybackAdapter.cppOnEndNetPlayEventInform -->StardChnlID:%d , playChnlID:%d , nFileIndex:%d Get Time Failed!
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\Trans\downloadRecordManage.cpp
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\DVR\SyncMultiNetPlaybackAdapter.cpp
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\Trans\transaction.cpp
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\DVR\remoteBackupManager.cpp
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\DVR\dvrTransaction.cpp
Source: DHSurveillanceDll.dll.0.drBinary string: D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\Device\Src\Trans\Parse.cpp
Source: classification engineClassification label: mal48.winEXE@13/34@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404356
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,0_2_00402020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrecJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WebPluginJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Users\user\AppData\Local\Temp\nslA237.tmpJump to behavior
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WebActiveEXE.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "TimeGridEXE.exe")
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeVirustotal: Detection: 10%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM WebActiveEXE.exe
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM TimeGridEXE.exe
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe "C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe" /regserver
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe "C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe" /regserver
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s "atl.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM WebActiveEXE.exeJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM TimeGridEXE.exeJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe "C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe" /regserverJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe "C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe" /regserverJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s "atl.dll"Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeSection loaded: msvcp60.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeSection loaded: atl.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeSection loaded: atl.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeSection loaded: msvcp60.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeSection loaded: timeaxesdll.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeSection loaded: mfc42.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: atl.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: Uninstall.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\webrec\WEB30\WebPlugin\uninst.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile written: C:\Program Files (x86)\webrec\WEB30\WebPlugin\Version.iniJump to behavior
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeStatic file information: File size 2839473 > 1048576
Source: Binary string: D:\test\H265-DEC\Branches\P_2015.06.15_H265_DEC_OpenHevcDec\build\vs2010\Release\HevcdecLib.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, hevcdec.dll.0.dr
Source: Binary string: E:\fish_eye_from_wangsong0416\testbed\vs2008\Release\fisheye.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, fisheye.dll.0.dr
Source: Binary string: D:\newpath\JPEG-DEC\Trunk\build\vs2010\demo\Release\jpeg_dec.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002B15000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mjpegdec.dll.0.dr
Source: Binary string: D:\1h264dec_test\mpeg4_postprocess\build\vs2010\demo\Release\postproc.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BD5000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, postproc.dll.0.dr
Source: Binary string: D:\projects\gun_PTZ\export\x86\win\MCL_FPTZ_Win32.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, MCL_FPTZ.dll.0.dr, nsbA248.tmp.0.dr
Source: Binary string: d:\SC_NEW\StreamConvertor\Lib\Win32\C-vs2005shared\StreamConvertor.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.dr
Source: Binary string: T:\codec\mpeg4\PC_Mpeg4_DEC_Windows\build\vs2010_x86\mpeg4dec_x86\dllmpeg4dec\Release\mpeg4dec.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002E7E000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mpeg4dec.dll.0.dr
Source: Binary string: D:\Work\Codecs\SVAC_1.0\Branches\svac_vs2005_test\platform\windows\lib\Win32\dll_svac_dec.pdb source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002F4F000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, svac_dec.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405E88
Source: svac_dec.dll.0.drStatic PE information: section name: _RDATA
Source: h264dec.dll.0.drStatic PE information: section name: .rodata
Source: hevcdec.dll.0.drStatic PE information: section name: .rodata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s "atl.dll"
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeCode function: 5_2_0040E2F0 push eax; ret 5_2_0040E30E
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeCode function: 5_2_0040E2B0 push eax; ret 5_2_0040E2DE
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeCode function: 6_2_00407650 push eax; ret 6_2_0040766E
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeCode function: 6_2_00407610 push eax; ret 6_2_0040763E
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeCode function: 6_2_10009CBC push eax; ret 6_2_10009CDA
Source: swscale.dll.0.drStatic PE information: section name: .text entropy: 6.801335135011194
Source: h264dec.dll.0.drStatic PE information: section name: .text entropy: 6.856476922963937
Source: postproc.dll.0.drStatic PE information: section name: .text entropy: 6.80252341011728
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\uninst.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\DHSurveillanceDll.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhplay.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\VideoWindow.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\g729dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\mpeg4dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\fisheye.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\VideoAnalyse.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\mp2dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\FisheyeCtrl.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\h264dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\StreamConvertor.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\IVSJsonSdk.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsDrawer.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\aacdec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\postproc.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\swscale.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsLogic.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\npTimeGrid.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\FileOperator.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\g7221dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\npmedia.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\hevcdec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\MCL_FPTZ.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\mjpegdec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\timeAxesDll.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhnetsdk.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Program Files (x86)\webrec\WEB30\WebPlugin\svac_dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WebPluginJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WebPlugin\Uninstall.lnkJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\uninst.exeJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\DHSurveillanceDll.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhplay.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\VideoWindow.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\g729dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\mpeg4dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\fisheye.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\mp2dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\VideoAnalyse.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\FisheyeCtrl.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\h264dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\StreamConvertor.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\IVSJsonSdk.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\aacdec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsDrawer.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\postproc.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsLogic.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\swscale.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\npTimeGrid.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\g7221dec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\FileOperator.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\npmedia.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\hevcdec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\MCL_FPTZ.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\mjpegdec.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhnetsdk.dllJump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeDropped PE file which has not been started: C:\Program Files (x86)\webrec\WEB30\WebPlugin\svac_dec.dllJump to dropped file
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exeAPI coverage: 2.0 %
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exeAPI coverage: 2.4 %
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_00405E61 FindFirstFileA,FindClose,0_2_00405E61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_0040548B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exeCode function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: hevcdec.dll.0.dr | Binary or memory string: xvmcidct
Source: nsbA248.tmp.0.drBinary or memory string: bt2020cbt2020ncycgcogbrbt2020-20bt2020-10iec61966-2-1bt1361eiec61966-2-4log316log100reservedpctvbayer_grbg16bebayer_grbg16lebayer_gbrg16bebayer_gbrg16lebayer_rggb16bebayer_rggb16lebayer_bggr16bebayer_bggr16lebayer_grbg8bayer_gbrg8bayer_rggb8bayer_bggr8yuvj411pgbrap16legbrap16begbrapgbrp14legbrp14begbrp12legbrp12beyuv444p14leyuv444p14beyuv444p12leyuv444p12beyuv422p14leyuv422p14beyuv422p12leyuv422p12beyuv420p14leyuv420p14beyuv420p12leyuv420p12beyuva422pyuva444pbgr00bgrrgb00rgbbgra64lebgra64bergba64lergba64beya16leya16bevdayvyu422nv20benv20lenv16xyz12bexyz12levdpauyuva444p16leyuva444p16beyuva422p16leyuva422p16beyuva420p16leyuva420p16beyuva444p10leyuva444p10beyuva422p10leyuva422p10beyuva420p10leyuva420p10beyuva444p9leyuva444p9beyuva422p9leyuva422p9beyuva420p9leyuva420p9begbrp16legbrp16begbrp10legbrp10begbrp9legbrp9begbrpvda_vldyuv422p9leyuv422p9beyuv444p10leyuv444p10beyuv444p9leyuv444p9beyuv422p10leyuv422p10beyuv420p10leyuv420p10beyuv420p9leyuv420p9bebgr48lebgr48begray8aya8bgr444bebgr444lergb444bergb444ledxva2_vldvdpau_mpeg4yuv444p16beyuv444p16leyuv422p16beyuv422p16leyuv420p16beyuv420p16levaapi_vldvaapi_idctvaapi_mocobgr555lebgr555bebgr565lebgr565bergb555lergb555bergb565lergb565bergb48lergb48bevdpau_vc1vdpau_wmv3vdpau_mpeg2vdpau_mpeg1vdpau_h264yuva420pyuvj440pyuv440py16legray16ley16begray16bebgraabgrrgbaargbnv21nv12rgb4_bytergb4rgb8bgr4_bytebgr4bgr8uyyvyy411uyvy422xvmcidctxvmcmcyuvj444pyuvj422pyuvj420ppal8monobmonowgray8,y8yuv411pyuv410pyuv444pyuv422pbgr24rgb24yuyv422yuv420p
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe | API call chain: ExitProcess graph end node graph_0-3575
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe | Code function: 5_2_0040A81E GetModuleFileNameA,OutputDebugStringA,strlen,strcat,strcat,OutputDebugStringA,LoadLibraryExA,GetLastError,sprintf,OutputDebugStringA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe | Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe | Code function: 5_2_0040160D _strdup,SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM WebActiveEXE.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM TimeGridEXE.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM WebActiveEXE.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TASKKILL /F /IM TimeGridEXE.exe
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BD5000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, VideoWindow.dll.0.drBinary or memory string: MS Sans Serif%s\%simage/jpegrbBlurLockRecordPlayTalkToIpcMultiScreenMasterSlaveTrackerQuickplaybackReverseDirectionFisheyeSnapshotRecordAudioCloseVideoZoomInFixedSys%s:%d~%d%s:%dFluency level3Fluency level2Fluency level1MiddleLatency level3Latency level2Latency level1Low picture QualityHigh picture QualityGetMonitorInfoAEnumDisplayMonitorsMonitorFromPointMonitorFromRectMonitorFromWindowGetSystemMetricsUSER32DISPLAYShell_TrayWnd0123456789abcdefLengthSeparateArrayWndEdgeLengthWndEdgeWidthWndIDWndEdgeColorSelPicWndEdgeColorSelVideoWndEdgeColorWndBGColorArrayColorwb
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002BD5000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, VideoWindow.dll.0.dr | Binary or memory string: Shell_TrayWnd
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe | Code function: 6_2_1000403D GetSystemTime,memcmp
Source: C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe | Code function: 5_2_00407D58 GetTimeZoneInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe | Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 2 Masquerading | 2 Input Capture | 2 System Time Discovery | Remote Services | 2 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 12 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 5 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Regsvr32 | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
[Behavior graph. ID: 1436354. Sample: SecuriteInfo.com.Trojan.Mul... Start date: 04/05/2024. Architecture: WINDOWS. Score: 48. Signature: Multi AV Scanner detection for submitted file. The process SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe dropped C:\Users\user\AppData\Local\...\nsExec.dll (PE32), C:\Program Files (x86)\webrec\...\uninst.exe (PE32), C:\Program Files (x86)\...\timeAxesDll.dll (PE32) and 28 other files (none is malicious), and started two taskkill.exe processes (each of which started conhost.exe), regsvr32.exe and 2 other processes.]

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe | 15% | ReversingLabs | | |
| SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe | 11% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\DHSurveillanceDll.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\DHSurveillanceDll.dll | 1% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\FileOperator.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\FileOperator.dll | 1% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\FisheyeCtrl.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\FisheyeCtrl.dll | 1% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\IVSJsonSdk.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\IVSJsonSdk.dll | 1% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsDrawer.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsDrawer.dll | 2% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsLogic.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsLogic.dll | 1% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\MCL_FPTZ.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\MCL_FPTZ.dll | 0% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\StreamConvertor.dll | 2% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\StreamConvertor.dll | 0% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe | 3% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\VideoAnalyse.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\VideoAnalyse.dll | 2% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\VideoWindow.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\VideoWindow.dll | 1% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe | 5% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe | 4% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\aacdec.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\aacdec.dll | 0% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhnetsdk.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhnetsdk.dll | 1% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhplay.dll | 2% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhplay.dll | 1% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\fisheye.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\fisheye.dll | 0% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\g7221dec.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\g7221dec.dll | 0% | Virustotal | | Browse |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\g729dec.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\g729dec.dll | 0% | Virustotal | | Browse |

No Antivirus matches
No Antivirus matches

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/H265-DEC/Branches/P_2015.06.15_H265_DEC_OpenHevcDec | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_G729AB_DEC/Trunklsp_stability | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-AAC-DEC/Trunkw | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-G7221-DEC/Trunk | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_Mpeg2l2_Dec/Trunk | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/H265-DEC/Branches/P_2015.06.15_H265_DEC_OpenHevcDecCould | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-AAC-DEC/Trunk | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-AAC-DEC/Trunkw | 0% | Virustotal | | Browse |
| http://www.audiocoding.com/) | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/H265-DEC/Branches/P_2015.06.15_H265_DEC_OpenHevcDec | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_G729AB_DEC/Trunklsp_stability | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-G7221-DEC/Trunk | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_Mpeg2l2_Dec/TrunkCorExitProcessmscoree.dllruntime | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-AAC-DEC/Trunk | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_Mpeg2l2_Dec/Trunk | 0% | Virustotal | | Browse |
| http://www.audiocoding.com/) | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/PC/MPEG4_DEC_FAST/Trunk/PC_Mpeg4_DEC_Windows(null)(null) | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/PC/ENC_AAC/Trunk | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-G7221-DEC/Trunk8 | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/VIDEO_ARITH/PTZ/MTracking_PTZ/Trunk/SIML_PTZ/MS_zhucong | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/JPEG-DEC/TrunkX | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_Mpeg2l2_Dec/TrunkCorExitProcessmscoree.dllruntime | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/TOOLS/bilinear_scale/Trunk | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/BaseAlg/ImageProcess/FishEye/Trunk/fish_eye_from_wangsong | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_G729AB_DEC/Trunk | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/PC/MPEG4_DEC_FAST/Trunk/PC_Mpeg4_DEC_Windows(null)(null) | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-G7221-DEC/Trunk8 | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/VIDEO_ARITH/PTZ/MTracking_PTZ/Trunk/SIML_PTZ/MS_zhucong | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/PC/MPEG4_DEC_FAST/Trunk/PC_Mpeg4_DEC_Windows | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/TOOLS/bilinear_scale/Trunk | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/JPEG-DEC/Trunk | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/H265-DEC/Branches/P_2015.06.15_H265_DEC_OpenHevcDecCould | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_G729AB_DEC/Trunk | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/BaseAlg/ImageProcess/FishEye/Trunk/fish_eye_from_wangsong | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/PC/ENC_AAC/Trunkknipsycho | 0% | Avira URL Cloud | safe | |
| http://10.6.5.2/svnpl/CODEC/PC/ENC_AAC/Trunk | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/PC/MPEG4_DEC_FAST/Trunk/PC_Mpeg4_DEC_Windows | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/PC/ENC_AAC/Trunkknipsycho | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/JPEG-DEC/TrunkX | 0% | Virustotal | | Browse |
| http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/JPEG-DEC/Trunk | 0% | Virustotal | | Browse |

No contacted domains info
Name: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_G729AB_DEC/Trunklsp_stability
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, g729dec.dll.0.dr, nsbA248.tmp.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-G7221-DEC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, g7221dec.dll.0.dr, nsbA248.tmp.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-AAC-DEC/Trunkw
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, aacdec.dll.0.dr, nsbA248.tmp.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/H265-DEC/Branches/P_2015.06.15_H265_DEC_OpenHevcDec
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, hevcdec.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, uninst.exe.0.dr
Malicious: false
Reputation: high

Name: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_Mpeg2l2_Dec/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp, mp2dec.dll.0.dr, nsbA248.tmp.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-AAC-DEC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, aacdec.dll.0.dr, nsbA248.tmp.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://www.openssl.org/support/faq.html....................
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.dr
Malicious: false
Reputation: high

Name: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/H265-DEC/Branches/P_2015.06.15_H265_DEC_OpenHevcDecCould
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, hevcdec.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://www.audiocoding.com/)
Source: StreamConvertor.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_Mpeg2l2_Dec/TrunkCorExitProcessmscoree.dllruntime
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp, mp2dec.dll.0.dr, nsbA248.tmp.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/PC/MPEG4_DEC_FAST/Trunk/PC_Mpeg4_DEC_Windows(null)(null)
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002E7E000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mpeg4dec.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/PC/ENC_AAC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio-G7221-DEC/Trunk8
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, g7221dec.dll.0.dr, nsbA248.tmp.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/VIDEO_ARITH/PTZ/MTracking_PTZ/Trunk/SIML_PTZ/MS_zhucong
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002D55000.00000004.00000020.00020000.00000000.sdmp, MCL_FPTZ.dll.0.dr, nsbA248.tmp.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/JPEG-DEC/TrunkX
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002B15000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mjpegdec.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/TOOLS/bilinear_scale/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, swscale.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/ARI/BaseAlg/ImageProcess/FishEye/Trunk/fish_eye_from_wangsong
Source: fisheye.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, uninst.exe.0.dr
Malicious: false
Reputation: high

Name: http://10.6.5.2/svnpl/CODEC/ARI/AUDIO_CODEC/Audio_G729AB_DEC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, g729dec.dll.0.dr, nsbA248.tmp.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/PC/MPEG4_DEC_FAST/Trunk/PC_Mpeg4_DEC_Windows
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002E7E000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mpeg4dec.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.dr
Malicious: false
Reputation: high

Name: http://10.6.5.2/svnpl/CODEC/ARI/VIDEO_CODEC/JPEG-DEC/Trunk
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.0000000002B15000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, mjpegdec.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

Name: http://10.6.5.2/svnpl/CODEC/PC/ENC_AAC/Trunkknipsycho
Source: SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, 00000000.00000002.1660658529.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, nsbA248.tmp.0.dr, StreamConvertor.dll.0.dr
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1436354
Start date and time:2024-05-04 15:31:05 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
Detection:MAL
Classification:mal48.winEXE@13/34@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 56
  • Number of non-executed functions: 225
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No context
No context
No context

| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| --- | --- | --- | --- | --- | --- | --- |
| C:\Program Files (x86)\webrec\WEB30\WebPlugin\MCL_FPTZ.dll | General_Player_Eng_WIN32_V3.44.0.R.170421.exe | Get hash | malicious | Unknown | Browse | |

            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):585728
            Entropy (8bit):6.583617342020423
            Encrypted:false
            SSDEEP:12288:5XxZkfdOJrkL5IejPQGF5oSjlGnvy8XXQdTpTsw0j:txwLtbpoulGnK8XXn
            MD5:3357C36FAC53214BF1AD65CBC067AD05
            SHA1:4722D36199ED131A0283D0C38F2C619E55E070D3
            SHA-256:FBDE0CDC4672E35E4410C25D52E782999EDF15D6081C53316E4E4DC1AF8AB93D
            SHA-512:B4516569F837D5194454D3A2E1EE3687600C804293F0495F777E8A040BA9DDCBF095463C50CF500DB7B8762F3A24CDD7956EE0BEE93C4A5B956B09358C409F39
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 1%, Browse
            Reputation:low
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):98304
            Entropy (8bit):5.966026020485647
            Encrypted:false
            SSDEEP:1536:DO4OFhFditHVkRNhVUKvzKR9E37Bd+h0TAnrFoXa2wZhbJIc7T6r:D4diDkTCR9YBQ0snrFoqPbJIc7mr
            MD5:C2277D8B6954DBB7633AADE74ECDB561
            SHA1:B6D548D2E39A4301E0A5C22B80B2015D39C3780A
            SHA-256:4D2AD0C105EA59D5BDE58B84577F8896517F5F9B4FED87DEF58ECF4AA4B6BE37
            SHA-512:51FBE094E1E5825F50AACA85351EE608F9CC0D3C45A5CDB0CFF902FE771182563A8E94BD8DE59E7761E1DF65749C77E7F19380324C910FE330BC66BCDF5A45C9
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 1%, Browse
            Reputation:low
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):61440
            Entropy (8bit):4.735735652234811
            Encrypted:false
            SSDEEP:768:LKUoghLJBjmfI176dCCTqyqeu/FFL0MKjzL9V9cn0Vx+Hhjtkq:OcpbmfIOTqyFuz0PUn2x+HhjGq
            MD5:0E56FB2B4DE5C9EA9769F31DEB7E42FF
            SHA1:9C319AEBB20090F1331377F3BC185E2D4F599467
            SHA-256:4CB7F63126F6F102AA0FE4156E29994C9D26A627D87D7E50A05C62C780917A07
            SHA-512:AC1EF81D2B4B9200359DE44B2FD68131C4CFCBA2BC4E77906B89821D66BB6FA28900004DC585F503EA3C9BAF7BF10629ECA12A6B97247CF37C0DD62F519D4370
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 1%, Browse
            Reputation:low
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):143360
            Entropy (8bit):6.101143342730928
            Encrypted:false
            SSDEEP:3072:o/VaV4ou5ro4PikbXzFvtcdzBowbOOxfPpzJULOrnyfVHtQqcvvk:o/VaV4oT4PvDI9H4Or+HQqc
            MD5:1A183E268241B6AF83E317B02C297EC5
            SHA1:B97D7BC12A37CF3D82E63A2203B2A7EAB5FD89F8
            SHA-256:7A1A3B6D36A668CD168574A0ECFA4B23CE4FD0E65B3AC70F3545F0A54F7EE3CF
            SHA-512:DFD7719ABF60D648D57E7C6A81C0D679896950350E84DAA14BDF8C6F547121C466DB6F3C1BA8B85071BD56C28DA6E1742466B1DCDFD59CBA81A8CBDD5C1A674E
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 1%, Browse
            Reputation:low
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):143360
            Entropy (8bit):5.923764883013945
            Encrypted:false
            SSDEEP:3072:SYMcER7ot0QNCmJFueMVAtb+FE9VYlXhplTn209r3VrpW:SYieJFu+6TnTZFt
            MD5:AD8FEDE1C767714E78E6BCBEB8CBCDA1
            SHA1:FAFB101A48181D9C0EC482D6C2632C5C5FB9745F
            SHA-256:B431FE3B999981FA9BB5D968BB824852D7C8F186B2E1B37B95546172AA4DF7CD
            SHA-512:A8E2EC62BB47CA2EEFBEA4D022F678BCC4819A412ECD765B35BFF3486454669D2D81F48C577332E019C6C58B53FFED2BF7567695C40671EF6733336FCE498624
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 2%
            Reputation:low
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):126976
            Entropy (8bit):6.158261899975804
            Encrypted:false
            SSDEEP:1536:7orYR5j2iFreuwwgvZv4zlKJ8oIIGjh0ZYSZHxsSvDvIsKphGi3TcAhFx:eHupgxGw8dSZHnbAsovDcC
            MD5:250000FD2D98BEB30DEC3BB1932A85F8
            SHA1:BD1087746EDC64EB6F13CEE4F87FD51EFEC457A2
            SHA-256:D41F6F39E8AC4B3B6310C6B6E12B98BAB7892B1E18AF0D3B1326D18DC5ED4F88
            SHA-512:1A84595D524973533C13AFFB6D93C66BCE97067FC060A68D517B7D9B5D0F271FFC736E14CE1AF0A7099362DCB2D7E8F69D9D1CF1D0F4EF7966756F630DA5CE9C
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 1%
            Reputation:low
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):251904
            Entropy (8bit):6.612916418107458
            Encrypted:false
            SSDEEP:6144:2MXNP3juUAIuo/nkfdEfPIiAel8S0C01sYB+af7Mrew:2MXNP3jnILXtx1sYB+Gm
            MD5:8DD4A6171ACDE8EA960EBB8A06FCB799
            SHA1:4E318B7C668CD3E61E06ADB6AE8BC6CF334EDB73
            SHA-256:65D634F1EE67145FB01C07793D217F6E9F5E7A4B7287447F485FCEE0DD600DEA
            SHA-512:6944C6BE617BF110A2DFE8B58AFCBB82A7075D2DCE571B1F25693E122A8DF49275F4C34801187DEB5AA2D1EA2D67A8D230FA254312071BEFB6652F7C0F26815C
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Joe Sandbox View:
            • Filename: General_Player_Eng_WIN32_V3.44.0.R.170421.exe, Detection: malicious
            Reputation:low
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):1654784
            Entropy (8bit):6.694802389804064
            Encrypted:false
            SSDEEP:24576:bG3bpslai74JVUUU+Lg3ZFeMVRnoc/xmwomttKoeHGzuSOtYZ7:bqbli74TUNPZFF8imwoWI9+uVG7
            MD5:054F28D01219B0C4F42139B16A5405F3
            SHA1:6328FB649AA9E333BB0D0C3C839D009B6FC3AE4A
            SHA-256:87DEB26D60D6227CCBE6964440ACDE86362EDF5D4FD655EFBE41B6BBD8EB6AD8
            SHA-512:2C35FB5CCB77A8A4CAA147F27E11E92AEBFC2DB55362762FB1DB1302A799640A4C9622985DB02B686B9996BBE37324747E6EF070ADA6394C678ECF963F4A6B54
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 2%
            • Antivirus: Virustotal, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):53248
            Entropy (8bit):5.48867482752557
            Encrypted:false
            SSDEEP:768:erodc9KW4hIIy1y5GhESEcXo4jdXvupIyaymdBnNmV:efKW47yectXvu91mdB
            MD5:722C00AC501CFDE5C34A1F002A31DC3C
            SHA1:3806AE73F09C0995F42712A396D2665DD9B1C029
            SHA-256:CF1F698B13EE9A9CD8E1B655E99A687434B36855DB27896DE4814DD4D0ED371E
            SHA-512:D6E735359876CD9E3D84A667EB8C34A3B71B4D9711E5157C24F0ACE9B30938FEC878474EF3EBC474CB88CD376248C14874740E786EC8173DFB6695446A2C554B
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 3%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):4.026986833359286
            Encrypted:false
            SSDEEP:3:BXWQW6U13n:BdO
            MD5:CC434E69E4472E3413BE33484BE5481B
            SHA1:CBA349863C9854874E1892381F533CB911729EB8
            SHA-256:06C488C780A857201F3AF0D7EB1FA452B78542C29D8E7DB5C051EF5A441306C0
            SHA-512:8819E6F215343938A45A48A973547E4E82FEC56DEF0BBD3310CA847D7D0C43ED68DA2C683BCE1356826E1190CB962BB35DE8299E805FFA135E51B52EA624B2CA
            Malicious:false
            Preview:pluginVersion=3.1.0.614644
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):106496
            Entropy (8bit):6.07723701778751
            Encrypted:false
            SSDEEP:1536:USgP9311o6BEXIlDlolPYDYjhzIw/uTYf50Qw64Jvnt+t+/+Z9+Ocw+l++Qhc:431R2QDYtNt50Qw6qPoo2ZYOcdg+Qhc
            MD5:A036102BBC9BFB5AF9D29435A553327F
            SHA1:9AC39E2035819087E73EAFE92C633F001FFD4EC7
            SHA-256:367EB5B57F90DB687909E642149B483F2C1A8E962D890A474962F43728256C07
            SHA-512:42DE6214686CF68950E47F09F5392BDF887B63732521F74F0D66ADC6E6C7AAA73AB984DBCD931D761CF71A1BB2D0C6123FC76CD950DE80664E6E9FED71D1F5CD
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 2%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):237568
            Entropy (8bit):5.717998549131739
            Encrypted:false
            SSDEEP:3072:1XhB5IvWRT0smmSv8IO3oA8kvxQOOCr1QZuylb261uhX3a:1XhB5IG0sgv8IO3oA8kLOC+ZukDyX
            MD5:AA0204B891863D5011CBB8A4CB18BD01
            SHA1:89FB35A7305B3C197CEA9FA726BF2C774109436C
            SHA-256:550B5991AC49A0D15EF66B4ADAAF70E80F95649BE0220C69AD5D969F6C4A0FE2
            SHA-512:E79E26290E4A90A643E0433D02329B9B204E2D8176999ACF93213098F8370C62EF7CBCA5562BBBA2DFC264115DA9E78D970FBB0DAA1F4670CF14F90916E942CF
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 1%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):151552
            Entropy (8bit):5.902249491247737
            Encrypted:false
            SSDEEP:3072:8wOLiaCrlGGAGpJtYzyzrmm/1CVkP3n5LU+y/I+0HqTGj:DGxADzrR1CVKZU+QrGj
            MD5:9243C61FEF74004CBA9DA20A9BC013E7
            SHA1:AD2B56CF741746A461AAD81AF7E3D8967BC662BD
            SHA-256:3EFF581F3CCB3BA2549C9A1B9C6C9B89B04D5C79AE3ABE20304919F218F766A4
            SHA-512:58BCBFA0D2DE94156C17104946EDEF6D7ADC6E58EC429D31DC11A87DDF8A241E7735B81E43D7E3287442437E05DC2045AEC0E643F2B1D7F044C250A73D2192D5
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 5%
            • Antivirus: Virustotal, Detection: 4%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):91648
            Entropy (8bit):7.069578553069577
            Encrypted:false
            SSDEEP:1536:l+X70QdpCB6faUJhVtUpbn/qVDbPSKTwKfCSGitiBYMEjhwrDdXtZX:0X70UggfaKjtE/IPSfutt0YMEsXtZX
            MD5:1C84F59DCA5CD24ED39B2B21E5382B78
            SHA1:C7CD82492B19F342C490F31C88924952061070F7
            SHA-256:CFE1BAF7477F2FEF0D2A42323C50CCCFE31A109142F05337E8FE680786EB53D7
            SHA-512:4624693B208A7568172EB415A704CEE1BCD1FC7689F241F2A0C5053A0BDFDE2C8EAD50AC3FDC3B9ACBD6370F9B443FDE6F8E1B29DA60F53502727566E7959EBC
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):1523712
            Entropy (8bit):6.60937819417428
            Encrypted:false
            SSDEEP:24576:ZT40je5dnkAPPnJOeqQ2oyLhPQAEG+SRVyUyMVLFvgIIjGF:l40je5dk7ZEGzRVyUyMVpYIrF
            MD5:650CD4A2E457EE899E1229D14E7B24CE
            SHA1:C1BE56A9B119FB1DE68A52F9ED989D40852D98B2
            SHA-256:81B02C7991885F94FF14C0AACC96C99150BD9E0AFE0CF72574C253C5F24379C3
            SHA-512:9369059B4171A5B84A3109F2BD6A0681211E771BF02939689017B009CDF6D62925F3821C2A766B4B4E7B7C7CE98DDA12FE54198D57C55E960393FD3FDB232302
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 1%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):438272
            Entropy (8bit):6.52388905581182
            Encrypted:false
            SSDEEP:6144:TTFgMqs8kFWB43FldpYxM49whZsrS1B/kCvLjcldtkCI:TTtokFWaXpYm6S1ZTj0O/
            MD5:CF2031671AF6A80CCA812A5734A5935A
            SHA1:DD5F8D7B8510DFF794030110467D86AB9A1FF87C
            SHA-256:D90A71345C0F6BFB8FC3D36961F48A48543E54355E448BFCCC200FDB444CB984
            SHA-512:64AF813C830888C06C50609CF9E69C6B5CD19ED3D5A8415BBD07D959CE3A89B2CBE5A8B865B9D21262CA05EF3CF6300E624FB51F1D7BD3A8766C1359260CA960
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 2%
            • Antivirus: Virustotal, Detection: 1%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):432128
            Entropy (8bit):6.853739298593476
            Encrypted:false
            SSDEEP:12288:KoiL9bZMaDQkJ+OkPQB+7mygutfjQC/5oEf72k:CHDQkoOkPQIlNjQymE72
            MD5:3C7D938D38AC4960701B562039F7B84F
            SHA1:01E6FD8EF0C1C0FCF64F1888F140009B2F01B57D
            SHA-256:7DDD3DC1A816EC52EEB4CDECB5C0327B50D3122AA2D82B7625FF7DD9DC02ED0E
            SHA-512:E4016480F7B2D668EBBE6939CF63807F7DA6F68663995CA4447E3FB96C7C5BC9C4E2DFB2DBAB74132F3F766EF3ABCC08541E9CC9778256C71E1C693687B87C11
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):58880
            Entropy (8bit):6.161058087322189
            Encrypted:false
            SSDEEP:768:K14OHFWsavdzGqQlyCKwp4wbhl1PeED8unmJrNSlzvOIxKBtmzaOsVw:KKaF2qqQf9hRiszvOIABtpM
            MD5:B7A85A8A456CFEAA6A5108AC43CAA69A
            SHA1:15CC8131A0ED8F3D540A282BA97EC14BA050D5D9
            SHA-256:F0485763729EF3AEC97D2B374CFE9136C9DAE6DA3B8E631820F0366706402137
            SHA-512:05D9846096739276FC81B1909D1981D487D1B5BB9C2E7F825940DB9185E4D8F63CFEB10FD285B087F4011822451C8265CD9A38334A514085CAB8898208A17BE4
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):73728
            Entropy (8bit):6.42486208231672
            Encrypted:false
            SSDEEP:1536:DbhBemXH/ZkQ3tX0XtVDPqPNW9cwfkm6:DbhvXH/ZV3h0Xt9cwMP
            MD5:7FE33A95592385A2713355BE7774C427
            SHA1:C50403F11BFB5087184BEE77F5A00AFF30A3DD12
            SHA-256:5713965A97C19458A7DDBC1959A25C19E46EF688F81BCA9F2A2540835A25FF1B
            SHA-512:150A3F7C8F8884D8E75085E92BD8115127905CCC68540AED23819A1A84A402563ED477B969172066B9D1B3647F7C1326C1E5DE97FF017135BF39140AE1B21FEA
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            • Antivirus: Virustotal, Detection: 0%
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):549888
            Entropy (8bit):6.7682901104899305
            Encrypted:false
            SSDEEP:12288:4gYGy2OmaeOKSZWENziSxXW/VH7GN0rVZR7ar6cj3Vd8XkN:4pWm+StHNCR7Qj3I
            MD5:01EA4CA9CFA92DA495BD03FD30392A09
            SHA1:AF72A3FEA7A23E44A976C740623C82C5F52FE89D
            SHA-256:847DD0BA208E7666F33711F1D4233A6D617473B313CC81DA71587BA11CB153C5
            SHA-512:CF10A4F6C23C7E6BCD0FE40B9031C9FABE4D0CEFC97EF6AB9DF65204EBFFE965AE8B9C09C52AADF62299D368DE6B9BC331297BB067DF495C6A70A365BA81D6AA
            Malicious:false
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):964096
            Entropy (8bit):6.650382595146014
            Encrypted:false
            SSDEEP:24576:jOCVqj3qjxazuomNEBJnF4qZD+HzYhQbs:jOCVqj3qjxazuomN6NqqV+H3bs
            MD5:9D81FEDD07D73926207DE78BB22AED5E
            SHA1:518F32847E9A401D926B3B10C73D3FAC6A0847A6
            SHA-256:20AFCC350786D0160B7459069BB939AA36A7E273604EEC16C789071C71F78B5F
            SHA-512:AED5DE82279CCB3575E27C92AE58D1C1E0382E22AF03812ADFD77051B3E6602D425142CA0A099B3551743996AC0C6C2E82275EC2B37393F1A7595ABCEF8218B8
            Malicious:false
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):99840
            Entropy (8bit):6.591230438765368
            Encrypted:false
            SSDEEP:1536:9NN2MgfVtpzr7g6KHns7B8FZem0JTSpEmZnZ2xPDw1UR9J:9NNotkhHZem5y1mURv
            MD5:9F6CFFA6B503E540EEDD92AD5AB12B19
            SHA1:DAD9E84315B42D371636985C34B33E5F9626A2FE
            SHA-256:7BCA2A7BF52793725C9216823A3355A70FBDFD53BBDA002E9183A31FE1B5F865
            SHA-512:F4B8CAAC1C72926D4AC18DD6D05F94436F62CFC33D06E412E5D8F7B220AB785C3AB1E699D2DC6A9AB782BE591D1233CD1C773DE136B4FEFC3DCDBECCCBD4D98D
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.qV.......................................A...............c...................Rich............................PE..L......Z...........!.....(...Z......2........@............................................@.........................Pn.......h..(...............................L...@A...............................d..@............@...............................text...z&.......(.................. ..`.rdata.../...@...0...,..............@..@.data...|3...p.......\..............@....rsrc................r..............@..@.reloc..X............t..............@..B........................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):48128
            Entropy (8bit):6.136085636843009
            Encrypted:false
            SSDEEP:768:HkMZWZDyP7KQAwiL+/6hvAdu8tEDCunI9rNP86c:HkM6yz4wQgu8IoP8V
            MD5:5D6D28E48256972F0F486A61A4C3ADC3
            SHA1:3EC3590F5AE381B71ADA0F059A149035252D7285
            SHA-256:D5D9F7FA9D2604A98EC75AC9B61EE9683ED203AF05E1E8C7EADCEFB23550D7A4
            SHA-512:D8E8D314381CACEC9A995F0B252FC5EF95762BFC01BCEDFBCA020D5654D2FA3C0137E683659C513DF0AB46565EC2F05C9D5F8290936AF98CD48D1DABACA9ABB5
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2.n.S.=.S.=.S.=...=.S.=..?=.S.=.+2=.S.=.S.=.S.=...=.S.=..:=.S.=..;=.S.=..<=.S.=Rich.S.=........................PE..L....G.Z...........!.....p...H......e@...............................................h....@.....................................(.......L.......................x.......................................@............................................text..."n.......p.................. ..`.rdata..\-...........t..............@..@.data...@...........................@....rsrc...L...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):183808
            Entropy (8bit):6.607279387847157
            Encrypted:false
            SSDEEP:3072:ZYhhvWGlXvjIgdULxkAHw/ejMpgNeozfoj8FRvJlih:ZYhTRekH/ejMGNewoh
            MD5:8F5751AE7D6F04C0F3EF1E046763F086
            SHA1:DC7758BE1473158F6EA9E8BD31EA3F9A2207C5F7
            SHA-256:BC7F6B6C1270693245237E8B6FDBE68013146977E87660512E778CE1248B5B3C
            SHA-512:25F60CD8DF4474255950823566A774326065AB90CF28AC45BFE607E77AE717D6BF68D8D8DEC00B82E59352EC245AC440ACA5B12335ACCD4C1536C6552C46C683
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@S..!=.!=.!=..W..!=.Y..!=.!<..!=..W..!=.!=.!=..W...!=..W..!=....!=..W..!=.Rich.!=.................PE..L.....X...........!.....6...........D.......P......................................-.....@.........................P...U......(...................................`Q...............................................P.. ............................text....5.......6.................. ..`.rdata...X...P...Z...:..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):53248
            Entropy (8bit):4.863661697975896
            Encrypted:false
            SSDEEP:768:b8qkVVuCQh8wEo2s//RQTAg0n80rLwU+xLun:b8171Qh8wEo2s//eTlkr0xLun
            MD5:480C8BB87FB638ACB088646D8A1283B8
            SHA1:0AEBCA2E91CE989547216F0608D2FCD2B449F0CD
            SHA-256:1E3C70CA95A0B17B70D385BE76430B22C89B3FCF4FCD9551355706FF1D5E610D
            SHA-512:8DF3E8AD7E197952B5E37446D02CF5399D798660971C5A0508B9970121718707EB871E41172F7915A0A2939E35528BFF957A855C26E9E5C06F7E92B6C4DBCDA6
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I.j..O...O...O...o...O..bP...O..S...O..bP...O..bP...O..;i...O..;i...O..oP...O...O..CO...P...O...I...O...P...O..Rich.O..................PE..L......\...........!.....p...`......-n..................................................................................~...h...........8.......................t.......................................................L............................text....c.......p.................. ..`.rdata..~........ ..................@..@.data...............................@....rsrc...8...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):135168
            Entropy (8bit):5.948585082351693
            Encrypted:false
            SSDEEP:1536:J73+bVYYCj2pcLhWKJt2APiMiS3e/YGQDdAjdByFzB6mxDvZ:sy52pcLYUAoil/YGQhEDylB6m5Z
            MD5:F7053460B3B2B57321BE6B67BD86B788
            SHA1:E959023AA1C0B6B189F4BCA3A350F2FEA6FF7418
            SHA-256:B4AC3439041170E7631A4D52B69BC5CC066F90AB27C721A13ED26944FAB6E3F1
            SHA-512:848F402FAE9A136D34162782DF5243D8DAA5A8E5D59E1756E7CEE6146424E13F3500D5023C01E452F9A6135FD53B2E117996AF4D43FCC38B85E886822ADB128A
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.._...............d.............p.....p.....p.....)......)......}........`....................Rich...................PE..L......\...........!.....`...................p............................... ...................................... ...~....}..........`.......................D....................................................p...............................text...W[.......`.................. ..`.rdata.......p... ...p..............@..@.data....H.......@..................@....rsrc...`...........................@..@.reloc..v .......0..................@..B........................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):74752
            Entropy (8bit):6.525055666916631
            Encrypted:false
            SSDEEP:1536:qVqigXvQBlPHdwB08d4d2xsr2Unhw9Pf9:QYvQBhdwddc2yEV9
            MD5:458B35C52A2F5D0E22EAFB52A6489C03
            SHA1:A334CF193271C1DE02E365DF498EE11B4BA08EA1
            SHA-256:06EEAA574164FD7A40B29EFFF9BA641D29361ABF541A8B238D1CDC1393BB4516
            SHA-512:5394E148F56E18C82EB4CED58B91ECA7457D722AEF1984DEB1BF09E5C0C101A41F702B80531F4773A47C42BB2D2105A5EF20C2F59A9F8D98D96373B58BE8FD0F
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X......D...D...Ds.KD...Ds.~D...Ds.JDH..D..sD...D...D^..D...D...Ds.ND...Ds.{D...Ds.}D...DRich...D........................PE..L....phY...........!.........Z......6F.......................................p......z-....@.................................\...(....P.......................`..@... ...................................@............................................text............................... ..`.rdata..H6.......8..................@..@.data... ,... ......................@....rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):667648
            Entropy (8bit):5.966563240278712
            Encrypted:false
            SSDEEP:6144:n5LOrsp2brBYcFcKJmxJPO/SWtbJS8a+XxIR54TjnZQhqKnpZqqDLS:nsrsp2bZFcmmxJWKGaAjS9yqnS
            MD5:FFEC2E4561724C2611B001EADAB19A8A
            SHA1:006A87D972A2124DA54D187DCD8B60B11C1754AB
            SHA-256:5B05417CE8B1CB3F864789444D8ACCCE00F9403E34920758C1C4AC552514240B
            SHA-512:197618058CEB8FB8F329C3CD33553BCEA1C2D4905A4D47B6DF883616D51F47BCF5A5085C501F7C002245AAD68156C50F934E89092A4FDC265559485BC0A81C1D
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...K...K...K...i;..K....l..K.......K....|..K..ZDL..K...K...K....k..K....m..K...K...K....i..K..Rich.K..........PE..L...FG.Z...........!.........................................................`......................................p...b.......(............................ ...*..@................................................................................text............................... ..`.rdata..............................@..@.data....D....... ..................@....idata..s...........................@..._RDATA..>........ ..................@..@.rsrc...............................@..@.reloc..e2... ...@..................@..B........................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):204800
            Entropy (8bit):6.648266945598466
            Encrypted:false
            SSDEEP:6144:lqy4DFwC2rgai19IafSqLbUOFuAOignE:lqpFwC2rgp9IavLbZFuf
            MD5:FDD5E339984972C9A5589FD99BD93E6D
            SHA1:C435AAED6FA9C240CED6EB5A1A085E26D6891FDE
            SHA-256:7B5E314DD678D7366426DFABE76D4E84520FDF014B58D7DD0AB9BEA9474DB618
            SHA-512:5DA0E02F95EE0F27A82FF286DE05D5B41D17E3E8D43E1ED836E8F9AAFD604EDF368C6D67F34ACDA3544AB37A5090989E6F196726F503C2BB757BE528FB68679E
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FG:a.&T2.&T2.&T2%.:2"&T2%.)2*&T2.).2.&T2.&U2T&T2.&T2.&T2%.92.&T2%..2.&T2%.,2.&T2Rich.&T2........................PE..L......Z...........!.....0...........W.......@...............................@..............................................,...(............................ ..........................................@............@.. ............................text...(,.......0.................. ..`.rdata..%....@.......@..............@..@.data...P7....... ..................@....rsrc...............................@..@.reloc.. .... ... ..................@..B........................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):98304
            Entropy (8bit):5.760733549243463
            Encrypted:false
            SSDEEP:1536:8XmPTHqTmlvilG73dvxczF8hqOB1c9Wa0qKCwlK4Oc7OR9F:8qTHq7ANmF8hqOB1c1KE4Oc7O5
            MD5:64EC54057FEB19F38F85BB594E13ABB3
            SHA1:6E7D21B00A303EFBC38A261A9C7A0C792A95DC01
            SHA-256:AFAC18CABB4D3C2B188E845DFA382ECE9A5438EEDCA8068669BD78C11C7214F8
            SHA-512:24EAB97F7FD51F6F93B4C2D7D6E67338951F6562087DF84F9A2B315A8827121232E47D6EB5A4D61480EF7D0FB2DC94C49849DBE39054F9406287321CA2F48483
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)...)...)...)...*...K..!.....+...F..-...F..-...F..*....../......*...)..........8.......(......(...Rich)...................PE..L......\...........!.................................................................................................3..t...h#.......`..h....................p..0....................................................... ............................text............................... ..`.rdata..d$.......0..................@..@.data...l....@.......@..............@....rsrc...h....`.......P..............@..@.reloc.......p... ...`..............@..B................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Category:dropped
            Size (bytes):57262
            Entropy (8bit):6.389481069091073
            Encrypted:false
            SSDEEP:768:c1cVhpQI2EQK0iPDh84nScF15GYbWjXO3XJXgZl2iZQAm6kRRS+NoJRnKB6z7iwR:6QpQ5EP0ijnRTXJXgZlLeAyNlBa719L
            MD5:C51BEA2FDE15CE6E1615A51F5C49047F
            SHA1:F041406C55B113E02B8D27ACBFD74A2318D5F41D
            SHA-256:79F2C663F98B1E6BDC45ED9840EC345F652771172FD24E0129EA7979A0CF9BA1
            SHA-512:C3CD3C063D74577ACD2473058D8A706F45F144DAFC0985B64757867B1ED2B339BBA7F33B8B2E70C231B49AA9E7C84C225004D50E52C88F65B7BC889243473697
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................0...............................................s..........xW...........................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...xW.......X...v..............@..@................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:OpenPGP Public Key
            Category:dropped
            Size (bytes):9361777
            Entropy (8bit):6.635851023212013
            Encrypted:false
            SSDEEP:196608:2xjyAxn9n+EI6DPFHP72yHCVqj3qj2mNkrTrsUbLQIoi0:2xjy89n+EI6DtH/ZLLr0
            MD5:B2F7A710806315BEF71E35C4BEEEF0BA
            SHA1:D805ED888654B73DD7D993CE25AF9BA57169C6D9
            SHA-256:FEF0381452EB8FE0C09D3F4B87D723885C0A3AAB838B064EAE5E342A38B7D107
            SHA-512:8ADFF94E1DB1D3562531E05C2CEB43BEFB9933AA6B375570A1B5BF63559F546A8951E11B8145729EA53B2A82325BD136AA228DFF63A3554DCEDAA000FFD38659
            Malicious:false
            Preview:."......,...................i...p........!......i".........................................................................."...................................................................................................................................................................................j.......................J...................................................................................................................#.../....#..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):6656
            Entropy (8bit):5.036651327230889
            Encrypted:false
            SSDEEP:96:M7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgNk32E:eKgfwgcr8zylsB49Ud0qJVgNX
            MD5:ACC2B699EDFEA5BF5AAE45ABA3A41E96
            SHA1:D2ACCF4D494E43CEB2CFF69ABE4DD17147D29CC2
            SHA-256:168A974EAA3F588D759DB3F47C1A9FDC3494BA1FA1A73A84E5E3B2A4D58ABD7E
            SHA-512:E29EA10ADA98C71A18273B04F44F385B120D4E8473E441CE5748CFA44A23648814F2656F429B85440157988C88DE776C6AC008DC38BF09CBB746C230A46C69FE
            Malicious:false
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L......K...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...H........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
            Category:dropped
            Size (bytes):1054
            Entropy (8bit):3.2773720782343556
            Encrypted:false
            SSDEEP:12:8wl0Wa/ledp8WHbCQqaFmSK4GbdpYSVYbdpYS5Q/CNUvH4t2YZ/elFlSJm:8sdOot04idhVMdhqOUFqy
            MD5:C735D8A97CAC99B7DB89CE6D9E6A7145
            SHA1:67E83E284B670D8E39DDF29A5B905122F32FFC0D
            SHA-256:2A41A33A79F5D89DBC38B0C38E6FD3453EF349EBB30F4A39E9E8517999F8404B
            SHA-512:5047837D2B50F751AAA2B0B647D24AA5ECCEA5E5610816BD105385DC727D0D556AB4389ACC5851AD847B94686D256028C4AE31079B93F8303F6B45F7D948707B
            Malicious:false
            Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".T.1...........webrec..>............................................w.e.b.r.e.c.....P.1...........WEB30.<............................................W.E.B.3.0.....\.1...........WebPlugin.D............................................W.e.b.P.l.u.g.i.n.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......P.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.w.e.b.r.e.c.\.W.E.B.3.0.\.W.e.b.P.l.u.g.i.n.\.u.n.i.n.s.t...e.x.e.-.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.w.e.b.r.e.c.\.W.E.B.3.0.\.W.e.b.P.l.u.g.i.n.........*................@Z|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.
            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Entropy (8bit):7.9928855231345
            TrID:
            • Win32 Executable (generic) a (10002005/4) 92.16%
            • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            File size:2'839'473 bytes
            MD5:38d8fa19104d2d053ecdf2fc8ffebfc8
            SHA1:ce20991750224314d5d3f6884881200868a946d2
            SHA256:1ed93111b00286598577dee8817e4992154f5bebe7f6355c251b6e8bef8a6985
            SHA512:594096d0a4573b0a91dbb26f904b980749ecb9a7a663addf2974e7453e37f503c0b66432235355b865dac270d0b6357dd16504e017ea7ac95a03f676a6b40ee6
            SSDEEP:49152:Qcw+rtYw905Tv/oqb356sDrsJVM86o1uD/59kE9l8lHbCc7H5qA6uc4UQcK3Gdrc:Qe705j/oqbp6sPoVB6DheE9kHesHAFJu
            TLSH:3AD533C465128882E5236FF89F13D1BD9260BBD98434253763D13E0AF56C8B96F6C0AF
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........
            Icon Hash:2a8eb0e0ec2f3396
            Entrypoint:0x40323c
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            DLL Characteristics:TERMINAL_SERVER_AWARE
            Time Stamp:0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:099c0646ea7282d232219f8807883be0
            Instruction
            sub esp, 00000180h
            push ebx
            push ebp
            push esi
            xor ebx, ebx
            push edi
            mov dword ptr [esp+18h], ebx
            mov dword ptr [esp+10h], 00409130h
            xor esi, esi
            mov byte ptr [esp+14h], 00000020h
            call dword ptr [00407030h]
            push 00008001h
            call dword ptr [004070B4h]
            push ebx
            call dword ptr [0040727Ch]
            push 00000008h
            mov dword ptr [00423F58h], eax
            call 00007F30789124AEh
            mov dword ptr [00423EA4h], eax
            push ebx
            lea eax, dword ptr [esp+34h]
            push 00000160h
            push eax
            push ebx
            push 0041F458h
            call dword ptr [00407158h]
            push 004091B8h
            push 004236A0h
            call 00007F3078912161h
            call dword ptr [004070B0h]
            mov edi, 00429000h
            push eax
            push edi
            call 00007F307891214Fh
            push ebx
            call dword ptr [0040710Ch]
            cmp byte ptr [00429000h], 00000022h
            mov dword ptr [00423EA0h], eax
            mov eax, edi
            jne 00007F307890F8ACh
            mov byte ptr [esp+14h], 00000022h
            mov eax, 00429001h
            push dword ptr [esp+14h]
            push eax
            call 00007F3078911C42h
            push eax
            call dword ptr [0040721Ch]
            mov dword ptr [esp+1Ch], eax
            jmp 00007F307890F905h
            cmp cl, 00000020h
            jne 00007F307890F8A8h
            inc eax
            cmp byte ptr [eax], 00000020h
            je 00007F307890F89Ch
            cmp byte ptr [eax], 00000022h
            mov byte ptr [eax+eax+00h], 00000000h
            Programming Language:
            • [EXP] VC++ 6.0 SP5 build 8804
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x5778 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x5a5a | 0x5c00 | 0bc2ffd32265a08d72b795b18265828d | False | 0.6604534646739131 | data | 6.417698236857409 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x7000 | 0x1190 | 0x1200 | f179218a059068529bdb4637ef5fa28e | False | 0.4453125 | data | 5.181627099249737 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0x9000 | 0x1af98 | 0x400 | 975304d6dd6c4a4f076b15511e2bbbc0 | False | 0.55859375 | data | 4.70902740305165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .ndata | 0x24000 | 0x9000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x2d000 | 0x5778 | 0x5800 | 4715176b8052e0405be8250a0d7dd56c | False | 0.14923650568181818 | data | 2.8392075012550144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0x2d2f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.19263485477178424
            RT_ICON | 0x2f8a0 | 0xea8 | data | English | United States | 0.007196162046908316
            RT_ICON | 0x30748 | 0x8a8 | data | English | United States | 0.01128158844765343
            RT_ICON | 0x30ff0 | 0x568 | data | English | United States | 0.014450867052023121
            RT_ICON | 0x31558 | 0x468 | data | English | United States | 0.015957446808510637
            RT_ICON | 0x319c0 | 0x2e8 | data | English | United States | 0.020161290322580645
            RT_ICON | 0x31ca8 | 0x128 | data | English | United States | 0.04391891891891892
            RT_DIALOG | 0x31dd0 | 0x202 | data | English | United States | 0.4085603112840467
            RT_DIALOG | 0x31fd8 | 0xf8 | data | English | United States | 0.6290322580645161
            RT_DIALOG | 0x320d0 | 0xee | data | English | United States | 0.6260504201680672
            RT_GROUP_ICON | 0x321c0 | 0x68 | data | English | United States | 0.8076923076923077
            RT_VERSION | 0x32228 | 0x18c | PGP symmetric key encrypted data - Plaintext or unencrypted data | | | 0.5050505050505051
            RT_MANIFEST | 0x323b8 | 0x3be | XML 1.0 document, ASCII text, with very long lines (958), with no line terminators | English | United States | 0.5198329853862212
            DLL | Import
            KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
            USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
            GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
            SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
            ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
            COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
            ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
            VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
            Language of compilation system: English
            Country where language is spoken: United States
            No network behavior found

            Target ID:0
            Start time:15:31:50
            Start date:04/05/2024
            Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"
            Imagebase:0x400000
            File size:2'839'473 bytes
            MD5 hash:38D8FA19104D2D053ECDF2FC8FFEBFC8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:1
            Start time:15:31:50
            Start date:04/05/2024
            Path:C:\Windows\SysWOW64\taskkill.exe
            Wow64 process (32bit):true
            Commandline:TASKKILL /F /IM WebActiveEXE.exe
            Imagebase:0x5c0000
            File size:74'240 bytes
            MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:2
            Start time:15:31:50
            Start date:04/05/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:15:31:51
            Start date:04/05/2024
            Path:C:\Windows\SysWOW64\taskkill.exe
            Wow64 process (32bit):true
            Commandline:TASKKILL /F /IM TimeGridEXE.exe
            Imagebase:0x5c0000
            File size:74'240 bytes
            MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:4
            Start time:15:31:51
            Start date:04/05/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:15:31:54
            Start date:04/05/2024
            Path:C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe" /regserver
            Imagebase:0x400000
            File size:151'552 bytes
            MD5 hash:9243C61FEF74004CBA9DA20A9BC013E7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 5%, ReversingLabs
            • Detection: 4%, Virustotal, Browse
            Reputation:low
            Has exited:true

            Target ID:6
            Start time:15:31:54
            Start date:04/05/2024
            Path:C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe" /regserver
            Imagebase:0x400000
            File size:53'248 bytes
            MD5 hash:722C00AC501CFDE5C34A1F002A31DC3C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 0%, ReversingLabs
            • Detection: 3%, Virustotal, Browse
            Reputation:low
            Has exited:true

            Target ID:7
            Start time:15:31:54
            Start date:04/05/2024
            Path:C:\Windows\SysWOW64\regsvr32.exe
            Wow64 process (32bit):true
            Commandline:regsvr32 /s "atl.dll"
            Imagebase:0xa90000
            File size:20'992 bytes
            MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true


              Execution Graph

              Execution Coverage:26%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:22.2%
              Total number of Nodes:1264
              Total number of Limit Nodes:41
calls 3008->3009 3009->3008 3011 405877 GetTickCount GetTempFileNameA 3010->3011 3012 4058a7 3011->3012 3013 4058a3 3011->3013 3012->3008 3013->3011 3013->3012 4261 401922 4262 4029f6 18 API calls 4261->4262 4263 401929 lstrlenA 4262->4263 4264 4024b8 4263->4264 4265 402223 4266 40222b 4265->4266 4269 402231 4265->4269 4267 4029f6 18 API calls 4266->4267 4267->4269 4268 402241 4271 4029f6 18 API calls 4268->4271 4273 40224f 4268->4273 4269->4268 4270 4029f6 18 API calls 4269->4270 4270->4268 4271->4273 4272 4029f6 18 API calls 4274 402258 WritePrivateProfileStringA 4272->4274 4273->4272 4282 401ca5 4283 4029d9 18 API calls 4282->4283 4284 401cb5 SetWindowLongA 4283->4284 4285 40288b 4284->4285 4286 401a26 4287 4029d9 18 API calls 4286->4287 4288 401a2c 4287->4288 4289 4029d9 18 API calls 4288->4289 4290 4019d6 4289->4290 3252 402427 3262 402b00 3252->3262 3254 402431 3255 4029d9 18 API calls 3254->3255 3256 40243a 3255->3256 3257 402451 RegEnumKeyA 3256->3257 3258 40245d RegEnumValueA 3256->3258 3259 40265c 3256->3259 3260 402476 RegCloseKey 3257->3260 3258->3259 3258->3260 3260->3259 3263 4029f6 18 API calls 3262->3263 3264 402b19 3263->3264 3265 402b27 RegOpenKeyExA 3264->3265 3265->3254 4291 4022a7 4292 4022d7 4291->4292 4293 4022ac 4291->4293 4294 4029f6 18 API calls 4292->4294 4295 402b00 19 API calls 4293->4295 4296 4022de 4294->4296 4297 4022b3 4295->4297 4302 402a36 RegOpenKeyExA 4296->4302 4298 4029f6 18 API calls 4297->4298 4301 4022f4 4297->4301 4299 4022c4 RegDeleteValueA RegCloseKey 4298->4299 4299->4301 4306 402a61 4302->4306 4310 402aad 4302->4310 4303 402a87 RegEnumKeyA 4304 402a99 RegCloseKey 4303->4304 4303->4306 4305 405e88 3 API calls 4304->4305 4308 402aa9 4305->4308 4306->4303 4306->4304 4307 402abe RegCloseKey 4306->4307 4309 402a36 3 API calls 4306->4309 4307->4310 4308->4310 4311 402ad9 RegDeleteKeyA 4308->4311 4309->4306 4310->4301 4311->4310 4312 40402c lstrcpynA lstrlenA 3387 401bad 3388 4029d9 18 API calls 3387->3388 3389 401bb4 
3388->3389 3390 4029d9 18 API calls 3389->3390 3391 401bbe 3390->3391 3392 401bce 3391->3392 3393 4029f6 18 API calls 3391->3393 3394 401bde 3392->3394 3395 4029f6 18 API calls 3392->3395 3393->3392 3396 401be9 3394->3396 3397 401c2d 3394->3397 3395->3394 3399 4029d9 18 API calls 3396->3399 3398 4029f6 18 API calls 3397->3398 3400 401c32 3398->3400 3401 401bee 3399->3401 3402 4029f6 18 API calls 3400->3402 3403 4029d9 18 API calls 3401->3403 3404 401c3b FindWindowExA 3402->3404 3405 401bf7 3403->3405 3408 401c59 3404->3408 3406 401c1d SendMessageA 3405->3406 3407 401bff SendMessageTimeoutA 3405->3407 3406->3408 3407->3408 4313 4023af 4314 402b00 19 API calls 4313->4314 4315 4023b9 4314->4315 4316 4029f6 18 API calls 4315->4316 4317 4023c2 4316->4317 4318 4023cc RegQueryValueExA 4317->4318 4321 40265c 4317->4321 4319 4023f2 RegCloseKey 4318->4319 4320 4023ec 4318->4320 4319->4321 4320->4319 4324 405ac4 wsprintfA 4320->4324 4324->4319 4325 406131 4326 405fb5 4325->4326 4327 406920 4326->4327 4328 406036 GlobalFree 4326->4328 4329 40603f GlobalAlloc 4326->4329 4330 4060b6 GlobalAlloc 4326->4330 4331 4060ad GlobalFree 4326->4331 4328->4329 4329->4326 4329->4327 4330->4326 4330->4327 4331->4330 3427 4015b3 3428 4029f6 18 API calls 3427->3428 3429 4015ba 3428->3429 3430 4056ed 4 API calls 3429->3430 3442 4015c2 3430->3442 3431 40160a 3432 40162d 3431->3432 3433 40160f 3431->3433 3438 401423 25 API calls 3432->3438 3435 401423 25 API calls 3433->3435 3434 405684 CharNextA 3436 4015d0 CreateDirectoryA 3434->3436 3437 401616 3435->3437 3439 4015e5 GetLastError 3436->3439 3436->3442 3445 405b66 lstrcpynA 3437->3445 3444 402169 3438->3444 3441 4015f2 GetFileAttributesA 3439->3441 3439->3442 3441->3442 3442->3431 3442->3434 3443 401621 SetCurrentDirectoryA 3443->3444 3445->3443 3446 401734 3447 4029f6 18 API calls 3446->3447 3448 40173b 3447->3448 3449 401761 3448->3449 3450 401759 3448->3450 3486 405b66 lstrcpynA 3449->3486 3485 405b66 lstrcpynA 3450->3485 3453 40175f 3457 
405dc8 5 API calls 3453->3457 3454 40176c 3455 405659 3 API calls 3454->3455 3456 401772 lstrcatA 3455->3456 3456->3453 3463 40177e 3457->3463 3458 405e61 2 API calls 3458->3463 3459 40581e 2 API calls 3459->3463 3461 401795 CompareFileTime 3461->3463 3462 401859 3464 404f04 25 API calls 3462->3464 3463->3458 3463->3459 3463->3461 3463->3462 3466 405b66 lstrcpynA 3463->3466 3473 405b88 18 API calls 3463->3473 3482 401830 3463->3482 3484 40583d GetFileAttributesA CreateFileA 3463->3484 3487 405427 3463->3487 3467 401863 3464->3467 3465 404f04 25 API calls 3472 401845 3465->3472 3466->3463 3468 402f18 48 API calls 3467->3468 3469 401876 3468->3469 3470 40188a SetFileTime 3469->3470 3471 40189c FindCloseChangeNotification 3469->3471 3470->3471 3471->3472 3474 4018ad 3471->3474 3473->3463 3475 4018b2 3474->3475 3476 4018c5 3474->3476 3477 405b88 18 API calls 3475->3477 3478 405b88 18 API calls 3476->3478 3479 4018ba lstrcatA 3477->3479 3480 4018cd 3478->3480 3479->3480 3483 405427 MessageBoxIndirectA 3480->3483 3482->3465 3482->3472 3483->3472 3484->3463 3485->3453 3486->3454 3490 40543c 3487->3490 3488 405488 3488->3463 3489 405450 MessageBoxIndirectA 3489->3488 3490->3488 3490->3489 4332 401634 4333 4029f6 18 API calls 4332->4333 4334 40163a 4333->4334 4335 405e61 2 API calls 4334->4335 4336 401640 4335->4336 4337 401934 4338 4029d9 18 API calls 4337->4338 4339 40193b 4338->4339 4340 4029d9 18 API calls 4339->4340 4341 401945 4340->4341 4342 4029f6 18 API calls 4341->4342 4343 40194e 4342->4343 4344 401961 lstrlenA 4343->4344 4345 40199c 4343->4345 4346 40196b 4344->4346 4346->4345 4350 405b66 lstrcpynA 4346->4350 4348 401985 4348->4345 4349 401992 lstrlenA 4348->4349 4349->4345 4350->4348 4351 4019b5 4352 4029f6 18 API calls 4351->4352 4353 4019bc 4352->4353 4354 4029f6 18 API calls 4353->4354 4355 4019c5 4354->4355 4356 4019cc lstrcmpiA 4355->4356 4357 4019de lstrcmpA 4355->4357 4358 4019d2 4356->4358 4357->4358 4359 4014b7 4360 4014bd 4359->4360 4361 401389 2 API 
calls 4360->4361 4362 4014c5 4361->4362 4370 402b3b 4371 402b63 4370->4371 4372 402b4a SetTimer 4370->4372 4373 402bb1 4371->4373 4374 402bb7 MulDiv 4371->4374 4372->4371 4375 402b71 wsprintfA SetWindowTextA SetDlgItemTextA 4374->4375 4375->4373 3539 40323c #17 SetErrorMode OleInitialize 3540 405e88 3 API calls 3539->3540 3541 40327f SHGetFileInfoA 3540->3541 3609 405b66 lstrcpynA 3541->3609 3543 4032aa GetCommandLineA 3610 405b66 lstrcpynA 3543->3610 3545 4032bc GetModuleHandleA 3546 4032d3 3545->3546 3547 405684 CharNextA 3546->3547 3548 4032e7 CharNextA 3547->3548 3552 4032f4 3548->3552 3549 40335d 3550 403370 GetTempPathA 3549->3550 3611 403208 3550->3611 3552->3549 3556 405684 CharNextA 3552->3556 3560 40335f 3552->3560 3553 403386 3554 4033aa DeleteFileA 3553->3554 3555 40338a GetWindowsDirectoryA lstrcatA 3553->3555 3619 402c72 GetTickCount GetModuleFileNameA 3554->3619 3557 403208 11 API calls 3555->3557 3556->3552 3559 4033a6 3557->3559 3559->3554 3562 403428 ExitProcess OleUninitialize 3559->3562 3703 405b66 lstrcpynA 3560->3703 3561 4033bb 3561->3562 3564 403414 3561->3564 3569 405684 CharNextA 3561->3569 3565 403522 3562->3565 3566 40343d 3562->3566 3649 4036af 3564->3649 3567 4035a5 ExitProcess 3565->3567 3571 405e88 3 API calls 3565->3571 3570 405427 MessageBoxIndirectA 3566->3570 3574 4033d2 3569->3574 3575 40344b ExitProcess 3570->3575 3576 403531 3571->3576 3572 403424 3572->3562 3578 403453 lstrcatA lstrcmpiA 3574->3578 3579 4033ef 3574->3579 3577 405e88 3 API calls 3576->3577 3580 40353a 3577->3580 3578->3562 3581 40346f CreateDirectoryA SetCurrentDirectoryA 3578->3581 3582 40573a 18 API calls 3579->3582 3583 405e88 3 API calls 3580->3583 3584 403491 3581->3584 3585 403486 3581->3585 3586 4033fa 3582->3586 3587 403543 3583->3587 3707 405b66 lstrcpynA 3584->3707 3706 405b66 lstrcpynA 3585->3706 3586->3562 3704 405b66 lstrcpynA 3586->3704 3590 403591 ExitWindowsEx 3587->3590 3593 403551 GetCurrentProcess 3587->3593 3590->3567 3592 40359e 3590->3592 
3595 40140b 2 API calls 3592->3595 3598 403561 3593->3598 3594 403409 3705 405b66 lstrcpynA 3594->3705 3595->3567 3597 405b88 18 API calls 3599 4034c1 DeleteFileA 3597->3599 3598->3590 3600 4034ce CopyFileA 3599->3600 3606 40349f 3599->3606 3600->3606 3601 403516 3602 4058b4 38 API calls 3601->3602 3604 40351d 3602->3604 3603 4058b4 38 API calls 3603->3606 3604->3562 3605 405b88 18 API calls 3605->3606 3606->3597 3606->3601 3606->3603 3606->3605 3607 4053c6 2 API calls 3606->3607 3608 403502 CloseHandle 3606->3608 3607->3606 3608->3606 3609->3543 3610->3545 3612 405dc8 5 API calls 3611->3612 3613 403214 3612->3613 3614 40321e 3613->3614 3615 405659 3 API calls 3613->3615 3614->3553 3616 403226 CreateDirectoryA 3615->3616 3617 40586c 2 API calls 3616->3617 3618 40323a 3617->3618 3618->3553 3708 40583d GetFileAttributesA CreateFileA 3619->3708 3621 402cb5 3648 402cc2 3621->3648 3709 405b66 lstrcpynA 3621->3709 3623 402cd8 3624 4056a0 2 API calls 3623->3624 3625 402cde 3624->3625 3710 405b66 lstrcpynA 3625->3710 3627 402ce9 GetFileSize 3628 402dea 3627->3628 3638 402d00 3627->3638 3629 402bd3 33 API calls 3628->3629 3631 402df1 3629->3631 3630 4031bf ReadFile 3630->3638 3632 402e2d GlobalAlloc 3631->3632 3631->3648 3711 4031f1 SetFilePointer 3631->3711 3635 402e44 3632->3635 3633 402e85 3636 402bd3 33 API calls 3633->3636 3641 40586c 2 API calls 3635->3641 3636->3648 3637 402e0e 3639 4031bf ReadFile 3637->3639 3638->3628 3638->3630 3638->3633 3640 402bd3 33 API calls 3638->3640 3638->3648 3642 402e19 3639->3642 3640->3638 3643 402e55 CreateFileA 3641->3643 3642->3632 3642->3648 3644 402e8f 3643->3644 3643->3648 3712 4031f1 SetFilePointer 3644->3712 3646 402e9d 3647 402f18 48 API calls 3646->3647 3647->3648 3648->3561 3650 405e88 3 API calls 3649->3650 3651 4036c3 3650->3651 3652 4036c9 3651->3652 3653 4036db 3651->3653 3722 405ac4 wsprintfA 3652->3722 3654 405a4d 3 API calls 3653->3654 3655 4036fc 3654->3655 3656 40371a lstrcatA 3655->3656 3659 405a4d 3 API calls 
3655->3659 3658 4036d9 3656->3658 3713 403978 3658->3713 3659->3656 3662 40573a 18 API calls 3663 40374c 3662->3663 3664 4037d5 3663->3664 3667 405a4d 3 API calls 3663->3667 3665 40573a 18 API calls 3664->3665 3666 4037db 3665->3666 3668 4037eb LoadImageA 3666->3668 3670 405b88 18 API calls 3666->3670 3669 403778 3667->3669 3671 403816 RegisterClassA 3668->3671 3672 40389f 3668->3672 3669->3664 3673 403794 lstrlenA 3669->3673 3676 405684 CharNextA 3669->3676 3670->3668 3674 403852 SystemParametersInfoA CreateWindowExA 3671->3674 3700 4038a9 3671->3700 3675 40140b 2 API calls 3672->3675 3677 4037a2 lstrcmpiA 3673->3677 3678 4037c8 3673->3678 3674->3672 3679 4038a5 3675->3679 3680 403792 3676->3680 3677->3678 3681 4037b2 GetFileAttributesA 3677->3681 3682 405659 3 API calls 3678->3682 3684 403978 19 API calls 3679->3684 3679->3700 3680->3673 3683 4037be 3681->3683 3685 4037ce 3682->3685 3683->3678 3686 4056a0 2 API calls 3683->3686 3687 4038b6 3684->3687 3723 405b66 lstrcpynA 3685->3723 3686->3678 3689 4038c2 ShowWindow LoadLibraryA 3687->3689 3690 403945 3687->3690 3692 4038e1 LoadLibraryA 3689->3692 3693 4038e8 GetClassInfoA 3689->3693 3691 404fd6 5 API calls 3690->3691 3696 40394b 3691->3696 3692->3693 3694 403912 DialogBoxParamA 3693->3694 3695 4038fc GetClassInfoA RegisterClassA 3693->3695 3697 40140b 2 API calls 3694->3697 3695->3694 3698 403967 3696->3698 3699 40394f 3696->3699 3697->3700 3701 40140b 2 API calls 3698->3701 3699->3700 3702 40140b 2 API calls 3699->3702 3700->3572 3701->3700 3702->3700 3703->3550 3704->3594 3705->3564 3706->3584 3707->3606 3708->3621 3709->3623 3710->3627 3711->3637 3712->3646 3714 40398c 3713->3714 3724 405ac4 wsprintfA 3714->3724 3716 4039fd 3717 405b88 18 API calls 3716->3717 3718 403a09 SetWindowTextA 3717->3718 3719 40372a 3718->3719 3720 403a25 3718->3720 3719->3662 3720->3719 3721 405b88 18 API calls 3720->3721 3721->3720 3722->3658 3723->3664 3724->3716 3725 4035bd 3726 4035d8 3725->3726 3727 4035ce CloseHandle 
3725->3727 3728 4035e2 CloseHandle 3726->3728 3729 4035ec 3726->3729 3727->3726 3728->3729 3734 40361a 3729->3734 3732 40548b 68 API calls 3733 4035fd 3732->3733 3735 403628 3734->3735 3736 4035f1 3735->3736 3737 40362d FreeLibrary GlobalFree 3735->3737 3736->3732 3737->3736 3737->3737 4377 40263e 4378 4029f6 18 API calls 4377->4378 4379 402645 FindFirstFileA 4378->4379 4380 402668 4379->4380 4384 402658 4379->4384 4382 40266f 4380->4382 4385 405ac4 wsprintfA 4380->4385 4386 405b66 lstrcpynA 4382->4386 4385->4382 4386->4384 4387 4024be 4388 4024c3 4387->4388 4389 4024d4 4387->4389 4390 4029d9 18 API calls 4388->4390 4391 4029f6 18 API calls 4389->4391 4393 4024ca 4390->4393 4392 4024db lstrlenA 4391->4392 4392->4393 4394 4024fa WriteFile 4393->4394 4395 40265c 4393->4395 4394->4395

              Control-flow Graph (legend: Executed / Not Executed; node 0 at 40323c-4032d1)
              APIs
              • #17.COMCTL32 ref: 0040325B
              • SetErrorMode.KERNELBASE(00008001), ref: 00403266
              • OleInitialize.OLE32(00000000), ref: 0040326D
                • Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
                • Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
                • Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6
              • SHGetFileInfoA.SHELL32(0041F458,00000000,?,00000160,00000000,00000008), ref: 00403295
                • Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,WebPlugin Setup,NSIS Error), ref: 00405B73
              • GetCommandLineA.KERNEL32(WebPlugin Setup,NSIS Error), ref: 004032AA
              • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",00000000), ref: 004032BD
              • CharNextA.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",00000020), ref: 004032E8
              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040337B
              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403390
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040339C
              • DeleteFileA.KERNELBASE(1033), ref: 004033AF
              • ExitProcess.KERNEL32(00000000), ref: 00403428
              • OleUninitialize.OLE32(00000000), ref: 0040342D
              • ExitProcess.KERNEL32 ref: 0040344D
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",00000000,00000000), ref: 00403459
              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403465
              • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403471
              • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403478
              • DeleteFileA.KERNEL32(0041F058,0041F058,?,00424000,?), ref: 004034C2
              • CopyFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,0041F058,00000001), ref: 004034D6
              • CloseHandle.KERNEL32(00000000,0041F058,0041F058,?,0041F058,00000000), ref: 00403503
              • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403558
              • ExitWindowsEx.USER32(00000002,00000000), ref: 00403594
              • ExitProcess.KERNEL32 ref: 004035B7
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
              • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"$1033$C:\Program Files (x86)\webrec\WEB30\WebPlugin$C:\Program Files (x86)\webrec\WEB30\WebPlugin$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$WebPlugin Setup$\Temp$pyq$~nsu.tmp
              • API String ID: 553446912-647552187
              • Opcode ID: 12a15860763ed27b157ca737a9af8f9ad945b33dd426c8faa94cb20c8ad7d4db
              • Instruction ID: d9df3101e86bd055252ea398e1a167ecdf9755d8b7b18b8fa076e16bcd865dbe
              • Opcode Fuzzy Hash: 12a15860763ed27b157ca737a9af8f9ad945b33dd426c8faa94cb20c8ad7d4db
              • Instruction Fuzzy Hash: E191D231A087417EE7216F609D49B2B7EACEB01306F44457BF941B61E2C77CAE058B6E
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (legend: Executed / Not Executed; node 106 at 405042-40505d)
              APIs
              • GetDlgItem.USER32(?,00000403), ref: 004050A1
              • GetDlgItem.USER32(?,000003EE), ref: 004050B0
              • GetClientRect.USER32(?,?), ref: 004050ED
              • GetSystemMetrics.USER32(00000015), ref: 004050F5
              • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405116
              • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405127
              • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 0040513A
              • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405148
              • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040515B
              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040517D
              • ShowWindow.USER32(?,00000008), ref: 00405191
              • GetDlgItem.USER32(?,000003EC), ref: 004051B2
              • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051C2
              • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051DB
              • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 004051E7
              • GetDlgItem.USER32(?,000003F8), ref: 004050BF
                • Part of subcall function 00403F4D: SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B
              • GetDlgItem.USER32(?,000003EC), ref: 00405204
              • CreateThread.KERNELBASE(00000000,00000000,Function_00004FD6,00000000), ref: 00405212
              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405219
              • ShowWindow.USER32(00000000), ref: 0040523D
              • ShowWindow.USER32(00010484,00000008), ref: 00405242
              • ShowWindow.USER32(00000008), ref: 00405289
              • SendMessageA.USER32(00010484,00001004,00000000,00000000), ref: 004052BB
              • CreatePopupMenu.USER32 ref: 004052CC
              • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052E1
              • GetWindowRect.USER32(00010484,?), ref: 004052F4
              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405318
              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405353
              • OpenClipboard.USER32(00000000), ref: 00405363
              • EmptyClipboard.USER32 ref: 00405369
              • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405372
              • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040537C
              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405390
              • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004053A8
              • SetClipboardData.USER32(00000001,00000000), ref: 004053B3
              • CloseClipboard.USER32 ref: 004053B9
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
              • String ID: pyq${
              • API String ID: 4154960007-1254863793
              • Opcode ID: fc9970df9ca51376a78cc365cdcb72e4e5af863c575af441848823af7e1d43c2
              • Instruction ID: b28aa7ce0402c6385ba5b6cd868a6258f1d07b471923b7bae974b2a68da01879
              • Opcode Fuzzy Hash: fc9970df9ca51376a78cc365cdcb72e4e5af863c575af441848823af7e1d43c2
              • Instruction Fuzzy Hash: 34A14870904208FFDB219F60DD89AAE7F79FB08355F00417AFA05BA2A0C7795A41DF69
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph (legend: Executed / Not Executed; node 403 at 40548b-4054a6)
              APIs
              • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 004054A9
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 004054F3
              • lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 00405514
              • lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 0040551A
              • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\*.*,?,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 0040552B
              • FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 004055DD
              • FindClose.KERNEL32(?), ref: 004055EE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\*.*$\*.*
              • API String ID: 2035342205-4080539235
              • Opcode ID: 0d5e4c23c8571cffb424adfe634a104f8b559ce694cc149621e7f7b2c072b745
              • Instruction ID: bc429f5d1e1b14784ce7e3564347ec6ed469848bfd5577fff983359c073685a4
              • Opcode Fuzzy Hash: 0d5e4c23c8571cffb424adfe634a104f8b559ce694cc149621e7f7b2c072b745
              • Instruction Fuzzy Hash: 0351F331904A447ADB216B218C45BBF3B79CF42728F54847BF905711E2CB3C5A82DE6E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetVersion.KERNEL32(00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00404F3C,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000), ref: 00405C30
              • GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405CAB
              • GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405CBE
              • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405CFA
              • SHGetPathFromIDListA.SHELL32(00000000,Remove folder: ), ref: 00405D08
              • CoTaskMemFree.OLE32(00000000), ref: 00405D13
              • lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D35
              • lstrlenA.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00404F3C,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000), ref: 00405D87
              Strings
              Similarity
              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
              • String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
              • API String ID: 900638850-979057030
              • Opcode ID: ca0249d5f4d71674562d458b63bf6447001add47325df02e3d4ad3532f05c4cf
              • Instruction ID: 2bb53c71d9fe9ef1e56bc14ab20fd8486271744d1d3ead2cb2ad614034e11287
              • Opcode Fuzzy Hash: ca0249d5f4d71674562d458b63bf6447001add47325df02e3d4ad3532f05c4cf
              • Instruction Fuzzy Hash: D7510131A04A04AAEF205F64DC88B7B3BA4DF55324F14823BE911B62D0D33C59829E4E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WebPlugin\Uninstall.lnk,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D
              Strings
              • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WebPlugin\Uninstall.lnk, xrefs: 00402116, 00402120, 0040213C
              • C:\Program Files (x86)\webrec\WEB30\WebPlugin, xrefs: 004020AB
              Similarity
              • API ID: ByteCharCreateInstanceMultiWide
              • String ID: C:\Program Files (x86)\webrec\WEB30\WebPlugin$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WebPlugin\Uninstall.lnk
              • API String ID: 123533781-2458466899
              • Opcode ID: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
              • Instruction ID: 0b92ce9401c32f92a97655b67b17bc3e2e7042a2ba93bb40bff56c30807ccd12
              • Opcode Fuzzy Hash: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
              • Instruction Fuzzy Hash: 94418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
              • Instruction ID: 7fe690cacb8e5da35aefc448adc87e2f65dc6f56ff44dc44b78e187fa59068bd
              • Opcode Fuzzy Hash: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
              • Instruction Fuzzy Hash: 70F16871D00229CBDF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF44
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileA.KERNELBASE(?,004224F0,C:\,0040577D,C:\,C:\,00000000,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 00405E6C
              • FindClose.KERNEL32(00000000), ref: 00405E78
              Strings
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID: C:\
              • API String ID: 2295610775-3404278061
              • Opcode ID: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
              • Instruction ID: f2fe444ddfa45285d6a9eb51d657c4c39712a0d2250b7f8498e11f87d01b5aa3
              • Opcode Fuzzy Hash: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
              • Instruction Fuzzy Hash: 26D012359495206FC7001738AD0C85B7A58EF553347508B32F969F62E0C7B4AD51DAED
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
              • LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
              • GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6
              Similarity
              • API ID: AddressHandleLibraryLoadModuleProc
              • String ID:
              • API String ID: 310444273-0
              • Opcode ID: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
              • Instruction ID: 91087f9554edebef2dfdad95906e97f440013226b38390424b9c6ad62026e406
              • Opcode Fuzzy Hash: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
              • Instruction Fuzzy Hash: 0FE08C32A08511BBD3115B30ED0896B77A8EA89B41304083EF959F6290D734EC119BFA
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A81
              • ShowWindow.USER32(?), ref: 00403A9E
              • DestroyWindow.USER32 ref: 00403AB2
              • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACE
              • GetDlgItem.USER32(?,?), ref: 00403AEF
              • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B03
              • IsWindowEnabled.USER32(00000000), ref: 00403B0A
              • GetDlgItem.USER32(?,00000001), ref: 00403BB8
              • GetDlgItem.USER32(?,00000002), ref: 00403BC2
              • SetClassLongA.USER32(?,000000F2,?), ref: 00403BDC
              • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C2D
              • GetDlgItem.USER32(?,00000003), ref: 00403CD3
              • ShowWindow.USER32(00000000,?), ref: 00403CF4
              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D06
              • EnableWindow.USER32(?,?), ref: 00403D21
              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D37
              • EnableMenuItem.USER32(00000000), ref: 00403D3E
              • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D56
              • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D69
              • lstrlenA.KERNEL32(004204A0,?,004204A0,WebPlugin Setup), ref: 00403D92
              • SetWindowTextA.USER32(?,004204A0), ref: 00403DA1
              • ShowWindow.USER32(?,0000000A), ref: 00403ED5
              Strings
              Similarity
              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
              • String ID: WebPlugin Setup
              • API String ID: 3282139019-3677527531
              • Opcode ID: 0ca44dad19ebef12785e3fca4310d205a7ec76f049bba6dd02c4170e1792f308
              • Instruction ID: 1b558320748e03173a152966608fa9e4bba3452d5179f8dde3fdb5243a6fbb8a
              • Opcode Fuzzy Hash: 0ca44dad19ebef12785e3fca4310d205a7ec76f049bba6dd02c4170e1792f308
              • Instruction Fuzzy Hash: 21C18071A04204BBDB216F21ED45E2B3E7DEB4970AF40053EF541B12E1C739AA42DB6E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
                • Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
                • Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6
              • lstrcatA.KERNEL32(1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403720
              • lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\webrec\WEB30\WebPlugin,1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"), ref: 00403795
              • lstrcmpiA.KERNEL32(?,.exe), ref: 004037A8
              • GetFileAttributesA.KERNEL32(Remove folder: ), ref: 004037B3
              • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\webrec\WEB30\WebPlugin), ref: 004037FC
                • Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1
              • RegisterClassA.USER32 ref: 00403843
              • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040385B
              • CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403894
              • ShowWindow.USER32(00000005,00000000), ref: 004038CA
              • LoadLibraryA.KERNELBASE(RichEd20), ref: 004038DB
              • LoadLibraryA.KERNEL32(RichEd32), ref: 004038E6
              • GetClassInfoA.USER32(00000000,RichEdit20A,00423640), ref: 004038F6
              • GetClassInfoA.USER32(00000000,RichEdit,00423640), ref: 00403903
              • RegisterClassA.USER32(00423640), ref: 0040390C
              • DialogBoxParamA.USER32(?,00000000,00403A45,00000000), ref: 0040392B
              Strings
              Similarity
              • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"$.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Program Files (x86)\webrec\WEB30\WebPlugin$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$pyq
              • API String ID: 914957316-4036163102
              • Opcode ID: df3e65e4785b10912f2cc945d8ce61fae7cc82ae08d3dd313a0b53a2ea4163e5
              • Instruction ID: 5edcd83abe1923a5ef33726047749e404321c8c293ca1ea02831498dc8d0bb6f
              • Opcode Fuzzy Hash: df3e65e4785b10912f2cc945d8ce61fae7cc82ae08d3dd313a0b53a2ea4163e5
              • Instruction Fuzzy Hash: A961A3B16442007FD720AF659D45E2B3AADEB4475AF40457FF940B22E1D77CAD01CA2E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTickCount.KERNEL32 ref: 00402C86
              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,00000400), ref: 00402CA2
                • Part of subcall function 0040583D: GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,80000000,00000003), ref: 00405841
                • Part of subcall function 0040583D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863
              • GetFileSize.KERNEL32(00000000,00000000,SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,80000000,00000003), ref: 00402CEB
              • GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E32
              Strings
              • Inst, xrefs: 00402D59
              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EC9
              • SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, xrefs: 00402CDF
              • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E7B
              • Error launching installer, xrefs: 00402CC2
              • Null, xrefs: 00402D6B
              • pyq, xrefs: 00402ED4
              • soft, xrefs: 00402D62
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C72, 00402E4A
              • "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe", xrefs: 00402C7F
              • C:\Users\user\Desktop, xrefs: 00402CCD, 00402CD2, 00402CD8
              • C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe, xrefs: 00402C8C, 00402C9B, 00402CAF, 00402CCC
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe$pyq$soft
              • API String ID: 2803837635-3355520958
              • Opcode ID: f409464feeab3dd024d1120dd8a35761bb24cd2e38712ebb294b72542288e2a6
              • Instruction ID: 0b72a330c31c6d4d52753dad6a5c3012229d4666e6dae103a7747cbc92612fb8
              • Opcode Fuzzy Hash: f409464feeab3dd024d1120dd8a35761bb24cd2e38712ebb294b72542288e2a6
              • Instruction Fuzzy Hash: B761E231A40215ABDB20DF64DE49B9E7BB4EB04315F20407BF904B62D2D7BC9E458B9C
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 533 401734-401757 call 4029f6 call 4056c6 538 401761-401773 call 405b66 call 405659 lstrcatA 533->538 539 401759-40175f call 405b66 533->539 544 401778-40177e call 405dc8 538->544 539->544 549 401783-401787 544->549 550 401789-401793 call 405e61 549->550 551 4017ba-4017bd 549->551 559 4017a5-4017b7 550->559 560 401795-4017a3 CompareFileTime 550->560 552 4017c5-4017e1 call 40583d 551->552 553 4017bf-4017c0 call 40581e 551->553 561 4017e3-4017e6 552->561 562 401859-401882 call 404f04 call 402f18 552->562 553->552 559->551 560->559 563 4017e8-40182a call 405b66 * 2 call 405b88 call 405b66 call 405427 561->563 564 40183b-401845 call 404f04 561->564 576 401884-401888 562->576 577 40188a-401896 SetFileTime 562->577 563->549 596 401830-401831 563->596 574 40184e-401854 564->574 579 402894 574->579 576->577 578 40189c-4018a7 FindCloseChangeNotification 576->578 577->578 581 40288b-40288e 578->581 582 4018ad-4018b0 578->582 583 402896-40289a 579->583 581->579 585 4018b2-4018c3 call 405b88 lstrcatA 582->585 586 4018c5-4018c8 call 405b88 582->586 592 4018cd-402213 call 405427 585->592 586->592 592->583 600 40265c-402663 592->600 596->574 598 401833-401834 596->598 598->564 600->581
              APIs
              • lstrcatA.KERNEL32(00000000,00000000,C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe,C:\Program Files (x86)\webrec\WEB30\WebPlugin,00000000,00000000,00000031), ref: 00401773
              • CompareFileTime.KERNEL32(-00000014,?,C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe,C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe,00000000,00000000,C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe,C:\Program Files (x86)\webrec\WEB30\WebPlugin,00000000,00000000,00000031), ref: 0040179D
                • Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,WebPlugin Setup,NSIS Error), ref: 00405B73
                • Part of subcall function 00404F04: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
                • Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
                • Part of subcall function 00404F04: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00402C4A,00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000), ref: 00404F60
                • Part of subcall function 00404F04: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\), ref: 00404F72
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
              • String ID: C:\Program Files (x86)\webrec\WEB30\WebPlugin$C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe$HIGHDPIAWARE$Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
              • API String ID: 1941528284-108201823
              • Opcode ID: 18e3a7fc7c24dc1b871223d9532d772c7d1194df8f20b51678b3b492ccae7dad
              • Instruction ID: ca24b6133afb507e547736dc5ab02d451b7f1a2d30e0a517c5ad6537af4b780a
              • Opcode Fuzzy Hash: 18e3a7fc7c24dc1b871223d9532d772c7d1194df8f20b51678b3b492ccae7dad
              • Instruction Fuzzy Hash: 8441C131900515BBCB10BFB5DD46EAF3A79EF01369B24433BF511B11E1D63C9A418AAD
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 601 404f04-404f19 602 404fcf-404fd3 601->602 603 404f1f-404f31 601->603 604 404f33-404f37 call 405b88 603->604 605 404f3c-404f48 lstrlenA 603->605 604->605 607 404f65-404f69 605->607 608 404f4a-404f5a lstrlenA 605->608 610 404f78-404f7c 607->610 611 404f6b-404f72 SetWindowTextA 607->611 608->602 609 404f5c-404f60 lstrcatA 608->609 609->607 612 404fc2-404fc4 610->612 613 404f7e-404fc0 SendMessageA * 3 610->613 611->610 612->602 614 404fc6-404fc9 612->614 613->612 614->602
              APIs
              • lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
              • lstrlenA.KERNEL32(00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
              • lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00402C4A,00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000), ref: 00404F60
              • SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\), ref: 00404F72
              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
              • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
              • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend$lstrlen$TextWindowlstrcat
              • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\
              • API String ID: 2531174081-4132314799
              • Opcode ID: c16ae44753e0492e8ebf0dec6d4426dfb74cf51d03073e062323e975129af71d
              • Instruction ID: 33d69ec58002f5e3cec48cf4aa7ac502a1da6879986bf9ca4026f821734cd723
              • Opcode Fuzzy Hash: c16ae44753e0492e8ebf0dec6d4426dfb74cf51d03073e062323e975129af71d
              • Instruction Fuzzy Hash: C4219D71A00108BBDF119FA5CD849DEBFB9EB49354F14807AFA04B6290C3389E45CBA8
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 615 402f18-402f27 616 402f45-402f50 call 403043 615->616 617 402f29-402f3f SetFilePointer 615->617 620 402f56-402f70 ReadFile 616->620 621 40303c-403040 616->621 617->616 622 402f76-402f79 620->622 623 403039 620->623 622->623 625 402f7f-402f92 call 403043 622->625 624 40303b 623->624 624->621 625->621 628 402f98-402f9b 625->628 629 403008-40300e 628->629 630 402f9d-402fa0 628->630 633 403010 629->633 634 403013-403026 ReadFile 629->634 631 403034-403037 630->631 632 402fa6 630->632 631->621 636 402fab-402fb3 632->636 633->634 634->623 635 403028-403031 634->635 635->631 637 402fb5 636->637 638 402fb8-402fca ReadFile 636->638 637->638 638->623 639 402fcc-402fcf 638->639 639->623 640 402fd1-402fe6 WriteFile 639->640 641 403004-403006 640->641 642 402fe8-402feb 640->642 641->624 642->641 643 402fed-403000 642->643 643->636 644 403002 643->644 644->631
              APIs
              • SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130,0000CDE4), ref: 00402F3F
              • ReadFile.KERNELBASE(00409130,00000004,0000CDE4,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130), ref: 00402F6C
              • ReadFile.KERNELBASE(00413040,00004000,0000CDE4,00000000,00409130,?,00402EC4,000000FF,00000000,00000000,00409130,0000CDE4), ref: 00402FC6
              • WriteFile.KERNELBASE(00000000,00413040,0000CDE4,000000FF,00000000,?,00402EC4,000000FF,00000000,00000000,00409130,0000CDE4), ref: 00402FDE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: File$Read$PointerWrite
              • String ID: @0A
              • API String ID: 2113905535-1363546919
              • Opcode ID: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
              • Instruction ID: f0f891dec1baa82fcb152a6e3a42d02399587e043c2e4755ce28507b82245ee9
              • Opcode Fuzzy Hash: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
              • Instruction Fuzzy Hash: 3F315731501249EBDB21CF55DD40A9E7FBCEB843A5F20407AFA05A6190D3789F81DBA9
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 645 403043-40306c GetTickCount 646 403072-40309d call 4031f1 SetFilePointer 645->646 647 4031ad-4031b5 call 402bd3 645->647 653 4030a2-4030b4 646->653 652 4031b7-4031bc 647->652 654 4030b6 653->654 655 4030b8-4030c6 call 4031bf 653->655 654->655 658 4030cc-4030d8 655->658 659 40319f-4031a2 655->659 660 4030de-4030e4 658->660 659->652 661 4030e6-4030ec 660->661 662 40310f-40312b call 405f82 660->662 661->662 664 4030ee-403109 call 402bd3 661->664 668 4031a8 662->668 669 40312d-403135 662->669 667 40310e 664->667 667->662 670 4031aa-4031ab 668->670 671 403137-40314d WriteFile 669->671 672 403169-40316f 669->672 670->652 673 4031a4-4031a6 671->673 674 40314f-403153 671->674 672->668 675 403171-403173 672->675 673->670 674->673 676 403155-403161 674->676 675->668 677 403175-403188 675->677 676->660 678 403167 676->678 677->653 679 40318e-40319d SetFilePointer 677->679 678->677 679->647
              APIs
              • GetTickCount.KERNEL32 ref: 00403058
                • Part of subcall function 004031F1: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,0000CDE4), ref: 004031FF
              • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000), ref: 0040308B
              • WriteFile.KERNELBASE(0040B040,0040B5A9,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403145
              • SetFilePointer.KERNELBASE(008ED971,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403197
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: File$Pointer$CountTickWrite
              • String ID: @0A$pyq
              • API String ID: 2146148272-449843071
              • Opcode ID: ecc03a9d94c063588dca87f0fc1243fee3c78ba2dd598819d8046e977a4d11a3
              • Instruction ID: c862c83604f3b109b9ae356e59bf9e99270c6d64ee518f880403d0392c1b0dc8
              • Opcode Fuzzy Hash: ecc03a9d94c063588dca87f0fc1243fee3c78ba2dd598819d8046e977a4d11a3
              • Instruction Fuzzy Hash: 4B41ABB25042029FD710CF29EE4096A7FBDF748356705423BE501BA2E1CB3C6E099B9E
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GlobalAlloc.KERNEL32(00000040,0000CE00,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
              • GlobalFree.KERNEL32(?), ref: 00402725
              • WriteFile.KERNELBASE(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
              • GlobalFree.KERNELBASE(00000000), ref: 0040273E
              • FindCloseChangeNotification.KERNELBASE(FFFFFD66,?,?,000000F0), ref: 00402756
              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Global$AllocFileFree$ChangeCloseDeleteFindNotificationWrite
              • String ID:
              • API String ID: 2326852265-0
              • Opcode ID: 6a9f9e03234ab5bf5e394379d93ad3354b9b1830e35b83e5fa95684e592760ec
              • Instruction ID: 719c612f4f238206e278f6e296a81204df483451b361404a9b6a09c3536a307a
              • Opcode Fuzzy Hash: 6a9f9e03234ab5bf5e394379d93ad3354b9b1830e35b83e5fa95684e592760ec
              • Instruction Fuzzy Hash: F831AD71C00128BBDF216FA4CD89DAE7E79EF08364F10423AF920772E0C6795D419BA8
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 713 402bd3-402bdf 714 402be1-402be8 713->714 715 402bf9-402bff 713->715 716 402bf1-402bf7 714->716 717 402bea-402beb DestroyWindow 714->717 718 402c01-402c07 call 405ec1 715->718 719 402c09-402c15 GetTickCount 715->719 721 402c6f-402c71 716->721 717->716 718->721 720 402c17-402c1d 719->720 719->721 724 402c4c-402c69 CreateDialogParamA ShowWindow 720->724 725 402c1f-402c26 720->725 724->721 725->721 726 402c28-402c45 call 402bb7 wsprintfA call 404f04 725->726 730 402c4a 726->730 730->721
              APIs
              • DestroyWindow.USER32(00000000,00000000), ref: 00402BEB
              • GetTickCount.KERNEL32 ref: 00402C09
              • wsprintfA.USER32 ref: 00402C37
                • Part of subcall function 00404F04: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
                • Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
                • Part of subcall function 00404F04: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00402C4A,00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000), ref: 00404F60
                • Part of subcall function 00404F04: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\), ref: 00404F72
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0
              • CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C5B
              • ShowWindow.USER32(00000000,00000005), ref: 00402C69
                • Part of subcall function 00402BB7: MulDiv.KERNEL32(00000000,00000064,00000569), ref: 00402BCC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
              • String ID: ... %d%%
              • API String ID: 722711167-2449383134
              • Opcode ID: 17bdaf27663d9d1b2b81c0b918eaf4f945a095ba4556a5c22c1c6286d7ec1668
              • Instruction ID: c44cf6bb529b7c61e0c77009ed50883557557090b8ffabf6f859222ef57aaf40
              • Opcode Fuzzy Hash: 17bdaf27663d9d1b2b81c0b918eaf4f945a095ba4556a5c22c1c6286d7ec1668
              • Instruction Fuzzy Hash: C6016170949210EBD7215F61EE4DA9F7B78AB04701B14403BF502B11E5C6BC9A01CBAE
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 731 401f51-401f5d 732 401f63-401f79 call 4029f6 * 2 731->732 733 402019-40201b 731->733 743 401f88-401f96 LoadLibraryExA 732->743 744 401f7b-401f86 GetModuleHandleA 732->744 735 402164-402169 call 401423 733->735 741 40288b-40289a 735->741 746 401f98-401fa6 GetProcAddress 743->746 747 402012-402014 743->747 744->743 744->746 748 401fe5-401fea call 404f04 746->748 749 401fa8-401fae 746->749 747->735 753 401fef-401ff2 748->753 751 401fb0-401fbc call 401423 749->751 752 401fc7-401fe3 749->752 751->753 761 401fbe-401fc5 751->761 752->753 753->741 756 401ff8-402000 call 40364f 753->756 756->741 762 402006-40200d FreeLibrary 756->762 761->753 762->741
              APIs
              • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                • Part of subcall function 00404F04: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
                • Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
                • Part of subcall function 00404F04: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00402C4A,00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000), ref: 00404F60
                • Part of subcall function 00404F04: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\), ref: 00404F72
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0
              • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
              • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
              • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
              • String ID: ?B
              • API String ID: 2987980305-117478770
              • Opcode ID: a57e8c0769ea844e22e0c1e1f0cba5f5542df926a794c83fcda134ba5213478a
              • Instruction ID: 83c29b7dad20212888764ed045f323035a642c1bbb84e8da84d377f5f563bf0e
              • Opcode Fuzzy Hash: a57e8c0769ea844e22e0c1e1f0cba5f5542df926a794c83fcda134ba5213478a
              • Instruction Fuzzy Hash: D621EE72D04216EBCF207FA4DE49A6E75B06B44399F204237F511B52E0D77C4D41965E
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 763 402303-402349 call 402aeb call 4029f6 * 2 RegCreateKeyExA 770 40288b-40289a 763->770 771 40234f-402357 763->771 773 402367-40236a 771->773 774 402359-402366 call 4029f6 lstrlenA 771->774 777 40237a-40237d 773->777 778 40236c-402379 call 4029d9 773->778 774->773 781 40238e-4023a2 RegSetValueExA 777->781 782 40237f-402389 call 402f18 777->782 778->777 783 4023a4 781->783 784 4023a7-402483 RegCloseKey 781->784 782->781 783->784 784->770
              APIs
              • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402341
              • lstrlenA.KERNEL32(HIGHDPIAWARE,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402361
              • RegSetValueExA.KERNELBASE(?,?,?,?,HIGHDPIAWARE,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040239A
              • RegCloseKey.KERNELBASE(?,?,?,HIGHDPIAWARE,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CloseCreateValuelstrlen
              • String ID: HIGHDPIAWARE
              • API String ID: 1356686001-2481768469
              • Opcode ID: a542455d9f9526f25a51f1532c83397ec4fb85749294bc37414485deefa1f1b8
              • Instruction ID: d7b132d9018d44432a73f3315d2b91b6aa1600c7a927e9fa70905f900517fa5a
              • Opcode Fuzzy Hash: a542455d9f9526f25a51f1532c83397ec4fb85749294bc37414485deefa1f1b8
              • Instruction Fuzzy Hash: BA1160B1E00209BFEB10AFA0DE49EAF767CFB54398F10413AF905B61D0D7B85D019669
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,C:\,00000000,00405751,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 004056FB
                • Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
                • Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F
              • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
              • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
              • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
              • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Program Files (x86)\webrec\WEB30\WebPlugin,00000000,00000000,000000F0), ref: 00401622
              Strings
              • C:\Program Files (x86)\webrec\WEB30\WebPlugin, xrefs: 00401617
              Similarity
              • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
              • String ID: C:\Program Files (x86)\webrec\WEB30\WebPlugin
              • API String ID: 3751793516-2867708666
              • Opcode ID: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
              • Instruction ID: c38907cd9fbddcdb820990ab727de55d75fa8bca08f123d111df4852c942a759
              • Opcode Fuzzy Hash: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
              • Instruction Fuzzy Hash: 7E010431D08141AFDB216F751D4497F27B0AA56369728073FF891B22E2C63C0942962E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTickCount.KERNEL32 ref: 0040587F
              • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405899
              Strings
              • nsa, xrefs: 00405878
              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040586C, 0040586F
              • "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe", xrefs: 00405873
              Similarity
              • API ID: CountFileNameTempTick
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"$C:\Users\user\AppData\Local\Temp\$nsa
              • API String ID: 1716503409-3997378299
              • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
              • Instruction ID: 7bdb262dbebad2fb51735791196b4a750b565e3ebaa120aaaad2cbe3184e43fd
              • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
              • Instruction Fuzzy Hash: B1F0A73734820876E7105E55DC04B9B7F9DDF91760F14C027FE44DA1C0D6B49954C7A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
              • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
              Strings
              Similarity
              • API ID: MessageSend$Timeout
              • String ID: !
              • API String ID: 1777923405-2657877971
              • Opcode ID: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
              • Instruction ID: 67abd366a37910a3fb0c7fe19d632a25016d3899897cc5a5bd850e91adcb6683
              • Opcode Fuzzy Hash: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
              • Instruction Fuzzy Hash: B721C4B1A44209BFEF01AFB4CE4AAAE7B75EF44344F14053EF602B60D1D6B84980E718
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A8,Error launching installer), ref: 004053EB
              • CloseHandle.KERNEL32(?), ref: 004053F8
              Strings
              • Error launching installer, xrefs: 004053D9
              • C:\Users\user\AppData\Local\Temp\, xrefs: 004053C6
              Similarity
              • API ID: CloseCreateHandleProcess
              • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
              • API String ID: 3712363035-1785902839
              • Opcode ID: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
              • Instruction ID: 069b69ca15cd8b990da55ccc95fe3be7356009797bdfa18ab8f6d6c8c96e71ef
              • Opcode Fuzzy Hash: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
              • Instruction Fuzzy Hash: A3E0ECB4A00219BFDB00AF64ED49AAB7BBDEB00305F90C522A911E2150D775D8118AB9
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,WebPlugin Setup,NSIS Error), ref: 00405B73
                • Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,C:\,00000000,00405751,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 004056FB
                • Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
                • Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F
              • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 0040578D
              • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 0040579D
              Strings
              Similarity
              • API ID: CharNext$AttributesFilelstrcpynlstrlen
              • String ID: C:\
              • API String ID: 3248276644-3404278061
              • Opcode ID: 716f681fdc2f335f171507b78212e4fdddf35da2e6b413ee0daba6d976a18fc7
              • Instruction ID: 7155b9e5202267c574e320c9449d9087b3e4f671a0d42f3ce7b213b6d11f415d
              • Opcode Fuzzy Hash: 716f681fdc2f335f171507b78212e4fdddf35da2e6b413ee0daba6d976a18fc7
              • Instruction Fuzzy Hash: A1F0F425104D509AC72636395C09EAF1A55CE833A4F48053FF894B32D1CB3C8943EDAE
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
                • Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
                • Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
                • Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42
              • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00403229
              Strings
              Similarity
              • API ID: Char$Next$CreateDirectoryPrev
              • String ID: 1033$C:\Users\user\AppData\Local\Temp\
              • API String ID: 4115351271-517883005
              • Opcode ID: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
              • Instruction ID: 28437e5e833f6c5712a3d87292ca06883de7807d6adf700678bf42288e0e849f
              • Opcode Fuzzy Hash: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
              • Instruction Fuzzy Hash: 11D0C922656E3032C651363A3C0AFDF091C8F5271AF55847BF908B40D64B6C5A5259EF
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00404F04: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
                • Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
                • Part of subcall function 00404F04: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00402C4A,00402C4A,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,00000000,00000000,00000000), ref: 00404F60
                • Part of subcall function 00404F04: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\), ref: 00404F72
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
                • Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0
                • Part of subcall function 004053C6: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A8,Error launching installer), ref: 004053EB
                • Part of subcall function 004053C6: CloseHandle.KERNEL32(?), ref: 004053F8
              • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
              • GetExitCodeProcess.KERNELBASE(?,?), ref: 00401E65
              • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401E8A
              Similarity
              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
              • String ID:
              • API String ID: 3521207402-0
              • Opcode ID: 1fdde52640a539061ac3941da348919b66d20a0eed5ed07477821aeb51be007f
              • Instruction ID: 355628b0c836e6669011c6779fae97b23835f6d082b04fdd633ca662238f37b1
              • Opcode Fuzzy Hash: 1fdde52640a539061ac3941da348919b66d20a0eed5ed07477821aeb51be007f
              • Instruction Fuzzy Hash: 19019271D04215EBCF11AF91CD8599E7A75EB40358F20403BFA05B51E1C3794A82DBDE
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegOpenKeyExA.KERNELBASE(80000002,00405C89,00000000,00000002,?,00000002,002F5409,?,00405C89,80000002,Software\Microsoft\Windows\CurrentVersion,002F5409,Remove folder: ,007192E1), ref: 00405A76
              • RegQueryValueExA.KERNELBASE(002F5409,?,00000000,00405C89,002F5409,00405C89), ref: 00405A97
              • RegCloseKey.KERNELBASE(?), ref: 00405AB8
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID:
              • API String ID: 3677997916-0
              • Opcode ID: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
              • Instruction ID: 1f5187eb0d206272966296eac295dca0b6851c7ebc3b2299c22a00064415c0d3
              • Opcode Fuzzy Hash: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
              • Instruction Fuzzy Hash: 5E01487114020AEFDB128F64EC84AEB3FACEF14394F004526F945E6120D335D964DFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00402B00: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28
              • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402455
              • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402468
              • RegCloseKey.KERNELBASE(?,?,?,HIGHDPIAWARE,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D
              Similarity
              • API ID: Enum$CloseOpenValue
              • String ID:
              • API String ID: 167947723-0
              • Opcode ID: 1d85925df537648a9c8100c91117e3a98dc000329059becc0b6dcb6c7e4f6667
              • Instruction ID: ca0bea074700aed3f6d5cd19b6a76ded14fd7da9354d4d4a85815760a07b6232
              • Opcode Fuzzy Hash: 1d85925df537648a9c8100c91117e3a98dc000329059becc0b6dcb6c7e4f6667
              • Instruction Fuzzy Hash: 31F0A271A04201EFE715AF659E88EBB7A6CDB40398F10443FF406A61C0D6B85D42967A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CloseHandle.KERNEL32(FFFFFFFF,00000000,0040342D,00000000), ref: 004035CF
              • CloseHandle.KERNEL32(FFFFFFFF,00000000,0040342D,00000000), ref: 004035E3
              Strings
              • C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\, xrefs: 004035F3
              Similarity
              • API ID: CloseHandle
              • String ID: C:\Users\user\AppData\Local\Temp\nswA2C6.tmp\
              • API String ID: 2962429428-1473654031
              • Opcode ID: d5091cb339cf9ca4b2a17f3525511bedeea9812c5bf65782ecb3b679df28d270
              • Instruction ID: 5c77e6c533590f6c422f1e12d180fd4ee44bb6ddfd602f374d0031013ab669df
              • Opcode Fuzzy Hash: d5091cb339cf9ca4b2a17f3525511bedeea9812c5bf65782ecb3b679df28d270
              • Instruction Fuzzy Hash: 3AE08C30900610AAC234AF7CAE4594A3A1C9B413327248722F538F21F2C738AE824AAD
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00402B00: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28
              • RegQueryValueExA.ADVAPI32(00000000,00000000,?,000003FF,?,?,?,?,00000033), ref: 004023DF
              • RegCloseKey.KERNELBASE(?,?,?,HIGHDPIAWARE,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID:
              • API String ID: 3677997916-0
              • Opcode ID: 5c736b1c3bc3a42a99aec7079b361a6752b8a94413690e9c5d7bc292bbd36485
              • Instruction ID: 12193c1ceb89264442681d64ce78cd47003ed4e83c7ffe784dc41c43057f06db
              • Opcode Fuzzy Hash: 5c736b1c3bc3a42a99aec7079b361a6752b8a94413690e9c5d7bc292bbd36485
              • Instruction Fuzzy Hash: C111E371900205EFDB15DF64CA889AF7BB4EF14348F20807FE442B72C1D2B88A45EB5A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
              • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
              • Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
              • Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
              • Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OleInitialize.OLE32(00000000), ref: 00404FE6
                • Part of subcall function 00403F64: SendMessageA.USER32(0001047C,00000000,00000000,00000000), ref: 00403F76
              • OleUninitialize.OLE32(00000404,00000000), ref: 00405032
              Similarity
              • API ID: InitializeMessageSendUninitialize
              • String ID:
              • API String ID: 2896919175-0
              • Opcode ID: 556d00a79d4960ff1ce6e89c465a7e0d9a54ac6e1d471b85b6eeaa2226694139
              • Instruction ID: 3b1d1a5f3629fb090bd5a0ea86c798931cabf3c291590e76d9817694e46b8829
              • Opcode Fuzzy Hash: 556d00a79d4960ff1ce6e89c465a7e0d9a54ac6e1d471b85b6eeaa2226694139
              • Instruction Fuzzy Hash: BEF02477E00201AAD3206F68AD00B1B7774EF88302F06443AFE04722E1C77D89428B9D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,80000000,00000003), ref: 00405841
              • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863
              Similarity
              • API ID: File$AttributesCreate
              • String ID:
              • API String ID: 415043291-0
              • Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
              • Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
              • Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
              • Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileAttributesA.KERNELBASE(?,00405629,?,?,?), ref: 00405822
              • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405834
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
              • Instruction ID: 89544605ef234ac14ed66c3b065a2d642d1346908a696065e0ba681aeed38476
              • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
              • Instruction Fuzzy Hash: F8C04CB1808501ABD7056B24EF0D81F7B66EF50325B108B35F5A9E00F0C7355C66DA1A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00413040,0040B040,004030C4,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000), ref: 004031D6
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
              • Instruction ID: 4c5c04567c480c11bae84e94003d2882b37cb3083c3cc1db03504fe221b835f3
              • Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
              • Instruction Fuzzy Hash: DAE08631500119BBCF215E619C00A973B5CEB09362F008033FA04E9190D532DB109BA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetDlgItemTextA.USER32(?,?,00000000), ref: 00403F32
              Similarity
              • API ID: ItemText
              • String ID:
              • API String ID: 3367045223-0
              • Opcode ID: e65bc35160ed5513600404499191e6285347109cacf77d99fb514981775c36ca
              • Instruction ID: 32956ba5a052c000d200729fffd4f2c944d874cb1110b62223aa4bdd109d9e57
              • Opcode Fuzzy Hash: e65bc35160ed5513600404499191e6285347109cacf77d99fb514981775c36ca
              • Instruction Fuzzy Hash: E4C08C31048200BFD241AB04CC42F1FB3A8EFA0327F00C92EB05CE00D2C634D420CE2A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageA.USER32(0001047C,00000000,00000000,00000000), ref: 00403F76
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 74a19277012f6d931596f598d2f6ffa2ec736fc7041dbb57cfa43a045af561dc
              • Instruction ID: 4934297729c285da13a483c37f1bad53b44c21571947472378d90217470b6476
              • Opcode Fuzzy Hash: 74a19277012f6d931596f598d2f6ffa2ec736fc7041dbb57cfa43a045af561dc
              • Instruction Fuzzy Hash: 6CC04C71B442017AEA209F619D45F177B68A754701F5444657204A51D0C674E510D61D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 5380ca26047a56ac044db27ec5452a3d407db4c462228856e9187df95d64c5b6
              • Instruction ID: 0662716cb4741bc9db58cdf5bc89cb1196afa115b106f7c4ea820954fb206898
              • Opcode Fuzzy Hash: 5380ca26047a56ac044db27ec5452a3d407db4c462228856e9187df95d64c5b6
              • Instruction Fuzzy Hash: 17B09276685201BADA215B10DE09F457E62E764702F018064B204240B0C6B200A5DB09
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,0000CDE4), ref: 004031FF
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
              • Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
              • Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
              • Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • KiUserCallbackDispatcher.NTDLL(?,00403D17), ref: 00403F44
              Similarity
              • API ID: CallbackDispatcherUser
              • String ID:
              • API String ID: 2492992576-0
              • Opcode ID: 315e157356e8942ef3b8d7e2082c61631171d9164c942d8812de0ab912510814
              • Instruction ID: 218003202f2b1835e3bff4e9bf146b8b4f872d9b8cc4e3003fd48478f7f9154f
              • Opcode Fuzzy Hash: 315e157356e8942ef3b8d7e2082c61631171d9164c942d8812de0ab912510814
              • Instruction Fuzzy Hash: 09A002755051049BCA519B54DE048057A62A754701741C479B24551575C7315461EB6E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDlgItem.USER32(?,000003F9), ref: 0040486A
              • GetDlgItem.USER32(?,00000408), ref: 00404877
              • GlobalAlloc.KERNEL32(00000040,00000003), ref: 004048C3
              • LoadBitmapA.USER32(0000006E), ref: 004048D6
              • SetWindowLongA.USER32(?,000000FC,00404E54), ref: 004048F0
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404904
              • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404918
              • SendMessageA.USER32(?,00001109,00000002), ref: 0040492D
              • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404939
              • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040494B
              • DeleteObject.GDI32(?), ref: 00404950
              • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040497B
              • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404987
              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A1C
              • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A47
              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A5B
              • GetWindowLongA.USER32(?,000000F0), ref: 00404A8A
              • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A98
              • ShowWindow.USER32(?,00000005), ref: 00404AA9
              • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BAC
              • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C11
              • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C26
              • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C4A
              • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C70
              • ImageList_Destroy.COMCTL32(?), ref: 00404C85
              • GlobalFree.KERNEL32(?), ref: 00404C95
              • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D05
              • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404DAE
              • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DBD
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00404DDD
              • ShowWindow.USER32(?,00000000), ref: 00404E2B
              • GetDlgItem.USER32(?,000003FE), ref: 00404E36
              • ShowWindow.USER32(00000000), ref: 00404E3D
              Strings
              Similarity
              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
              • String ID: $M$N$pyq
              • API String ID: 1638840714-3854081084
              • Opcode ID: bc836f97d9874f4f727094095d6c382577d8705a5fdd7ffcfefc5c205b7b8112
              • Instruction ID: 91af9d563adbb526dddc39620d8b288a2aea1bcbb5731436b9e02a5cfbe7d22d
              • Opcode Fuzzy Hash: bc836f97d9874f4f727094095d6c382577d8705a5fdd7ffcfefc5c205b7b8112
              • Instruction Fuzzy Hash: AB029FB0E00209AFDB21DF54DD45AAE7BB5FB84315F10817AF610BA2E1C7799A42CF58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDlgItem.USER32(?,000003FB), ref: 004043A2
              • SetWindowTextA.USER32(?,?), ref: 004043CF
              • SHBrowseForFolderA.SHELL32(?,0041F870,?), ref: 00404484
              • CoTaskMemFree.OLE32(00000000), ref: 0040448F
              • lstrcmpiA.KERNEL32(Remove folder: ,004204A0), ref: 004044C1
              • lstrcatA.KERNEL32(?,Remove folder: ), ref: 004044CD
              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044DD
                • Part of subcall function 0040540B: GetDlgItemTextA.USER32(?,?,00000400,00404510), ref: 0040541E
                • Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
                • Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
                • Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
                • Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42
              • GetDiskFreeSpaceA.KERNEL32(0041F468,?,?,0000040F,?,0041F468,0041F468,?,00000000,0041F468,?,?,000003FB,?), ref: 00404596
              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B1
              • SetDlgItemTextA.USER32(00000000,00000400,0041F458), ref: 0040462A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
              • String ID: A$C:\Program Files (x86)\webrec\WEB30\WebPlugin$Remove folder: $pyq
              • API String ID: 2246997448-4027155436
              • Opcode ID: 8a3aad76447270b687e8e1509915f8df1e24d5d4c23db986a95c4726ded8d1ea
              • Instruction ID: fa341535892c43c3a67d7fcafb17cb6574160925603278dae289bcadb551eaae
              • Opcode Fuzzy Hash: 8a3aad76447270b687e8e1509915f8df1e24d5d4c23db986a95c4726ded8d1ea
              • Instruction Fuzzy Hash: 2D9170B1900218BBDB11AFA1CD84AAF7BB8EF45314F10847BF704B6291D77C9A41DB59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: FileFindFirst
              • String ID:
              • API String ID: 1974802433-0
              • Opcode ID: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
              • Instruction ID: b3d2387cb92b068db8966d6a1439c3c253679041c8135bb289436d91baf53d0e
              • Opcode Fuzzy Hash: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
              • Instruction Fuzzy Hash: 42F0A072A04201DBD700EBB49A89AEEB7789B51328F60067BE111F20C1C6B85A459B2E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040EB
              • GetDlgItem.USER32(00000000,000003E8), ref: 004040FF
              • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411D
              • GetSysColor.USER32(?), ref: 0040412E
              • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413D
              • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040414C
              • lstrlenA.KERNEL32(?), ref: 00404156
              • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404164
              • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404173
              • GetDlgItem.USER32(?,0000040A), ref: 004041D6
              • SendMessageA.USER32(00000000), ref: 004041D9
              • GetDlgItem.USER32(?,000003E8), ref: 00404204
              • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404244
              • LoadCursorA.USER32(00000000,00007F02), ref: 00404253
              • SetCursor.USER32(00000000), ref: 0040425C
              • ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040426F
              • LoadCursorA.USER32(00000000,00007F00), ref: 0040427C
              • SetCursor.USER32(00000000), ref: 0040427F
              • SendMessageA.USER32(00000111,00000001,00000000), ref: 004042AB
              • SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
              • String ID: @.B$N$open$pyq
              • API String ID: 3615053054-1429151264
              • Opcode ID: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
              • Instruction ID: 7761d7a6ce13443680711406d70bf9c6d022160e69bfd2fffc9b265f6460a43d
              • Opcode Fuzzy Hash: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
              • Instruction Fuzzy Hash: 4661B2B1A40209BFEB109F60DC45F6A3B69FB44755F10817AFB04BA2D1C7B8A951CF98
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
              • BeginPaint.USER32(?,?), ref: 00401047
              • GetClientRect.USER32(?,?), ref: 0040105B
              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
              • DeleteObject.GDI32(?), ref: 004010ED
              • CreateFontIndirectA.GDI32(?), ref: 00401105
              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
              • SetTextColor.GDI32(00000000,?), ref: 00401130
              • SelectObject.GDI32(00000000,?), ref: 00401140
              • DrawTextA.USER32(00000000,WebPlugin Setup,000000FF,00000010,00000820), ref: 00401156
              • SelectObject.GDI32(00000000,00000000), ref: 00401160
              • DeleteObject.GDI32(?), ref: 00401165
              • EndPaint.USER32(?,?), ref: 0040116E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
              • String ID: F$WebPlugin Setup$pyq
              • API String ID: 941294808-1176453382
              • Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
              • Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
              • Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
              • Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
                • Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
                • Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6
              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405649,?,00000000,000000F1,?), ref: 00405901
              • GetShortPathNameA.KERNEL32(?,00422630,00000400), ref: 0040590A
              • GetShortPathNameA.KERNEL32(00000000,004220A8,00000400), ref: 00405927
              • wsprintfA.USER32 ref: 00405945
              • GetFileSize.KERNEL32(00000000,00000000,004220A8,C0000000,00000004,004220A8,?,?,?,00000000,000000F1,?), ref: 00405980
              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 0040598F
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059A5
              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA8,00000000,-0000000A,00409350,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059EB
              • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004059FD
              • GlobalFree.KERNEL32(00000000), ref: 00405A04
              • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A0B
                • Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
                • Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
              • String ID: %s=%s$0&B$[Rename]$pyq
              • API String ID: 3772915668-3031806598
              • Opcode ID: 73d0c5d55c6a66a5fc5f40039b5a9282ef929e2af51c157191695387f36ba956
              • Instruction ID: 8912a0e40cac8f66f34925055924fb713260e7a12edb00ecfb1cfbef244c1689
              • Opcode Fuzzy Hash: 73d0c5d55c6a66a5fc5f40039b5a9282ef929e2af51c157191695387f36ba956
              • Instruction Fuzzy Hash: D9411332B05B11BBD3216B61AD88F6B3A5CDB84715F140136FE05F22C2E678A801CEBD
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
              • CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
              • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
              • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42
              Strings
              • *?|<>/":, xrefs: 00405E10
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC9, 00405E04
              • "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe", xrefs: 00405DCE
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Char$Next$Prev
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
              • API String ID: 589700163-1065933076
              • Opcode ID: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
              • Instruction ID: 3b6179abbfe29fc78842bf11aa846075366cc437f950451d76d565b88bc2b460
              • Opcode Fuzzy Hash: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
              • Instruction Fuzzy Hash: A0110861805B9129EB3227284C48BBB7F89CF66754F18447FD8C4722C2C67C5D429FAD
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
              • wsprintfA.USER32 ref: 00402B8A
              • SetWindowTextA.USER32(?,?), ref: 00402B9A
              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BAC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Text$ItemTimerWindowwsprintf
              • String ID: pyq$unpacking data: %d%%$verifying installer: %d%%
              • API String ID: 1451636040-463840438
              • Opcode ID: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
              • Instruction ID: 39266fd7d8b3d51d4259f470751267aa52f8e49dbca779dff7f29341b6a717b4
              • Opcode Fuzzy Hash: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
              • Instruction Fuzzy Hash: AFF03671900109ABEF255F51DD0ABEE3779FB00305F008036FA05B51D1D7F9AA559F99
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowLongA.USER32(?,000000EB), ref: 00403F9C
              • GetSysColor.USER32(00000000), ref: 00403FB8
              • SetTextColor.GDI32(?,00000000), ref: 00403FC4
              • SetBkMode.GDI32(?,?), ref: 00403FD0
              • GetSysColor.USER32(?), ref: 00403FE3
              • SetBkColor.GDI32(?,?), ref: 00403FF3
              • DeleteObject.GDI32(?), ref: 0040400D
              • CreateBrushIndirect.GDI32(?), ref: 00404017
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
              • String ID:
              • API String ID: 2320649405-0
              • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
              • Instruction ID: 4cc26f8bf5fc777f430f8318c3ba194748f169832e683f7fcd21add738ba3f9d
              • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
              • Instruction Fuzzy Hash: C221C371904705ABCB209F78DD08B4BBBF8AF40711F048A29F992F26E0C738E904CB55
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047EE
              • GetMessagePos.USER32 ref: 004047F6
              • ScreenToClient.USER32(?,?), ref: 00404810
              • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404822
              • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404848
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Message$Send$ClientScreen
              • String ID: f
              • API String ID: 41195575-1993550816
              • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
              • Instruction ID: 01d6173a61c3c3b4b037133c9a52f1e04ee3049876a8ff08b59bebc5d15cf036
              • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
              • Instruction Fuzzy Hash: BA018075D40218BADB00DB94CC41BFEBBBCAB55711F10412ABB00B61C0C3B46501CB95
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowTextA.USER32(00000000,WebPlugin Setup), ref: 00403A10
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: TextWindow
              • String ID: 1033$C:\Users\user\AppData\Local\Temp\$WebPlugin Setup$pyq
              • API String ID: 530164218-2734445299
              • Opcode ID: 9a42cbf8a28c659a92ce9de243ac321228f9f300189a9516546428ecdf00a219
              • Instruction ID: 09623374405f0611f065d620c03919b516a5f167df25bc0d5edc66fe9dc562c0
              • Opcode Fuzzy Hash: 9a42cbf8a28c659a92ce9de243ac321228f9f300189a9516546428ecdf00a219
              • Instruction Fuzzy Hash: F611C2B1B005109BC730DF15D880A73767DEB84716369413BE94167391C77EAE028E58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDC.USER32(?), ref: 00401D22
              • GetDeviceCaps.GDI32(00000000), ref: 00401D29
              • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
              • CreateFontIndirectA.GDI32(0040AF74), ref: 00401D8A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CapsCreateDeviceFontIndirect
              • String ID: MS Shell Dlg
              • API String ID: 3272661963-76309092
              • Opcode ID: d8d00129a0c809e423feca600faf407eaf54c466d4b244af4f30760ff25f5d33
              • Instruction ID: d83410998d1654a5337f8c322709d39cf2ce3a8a4f0330bc6585c9693e616625
              • Opcode Fuzzy Hash: d8d00129a0c809e423feca600faf407eaf54c466d4b244af4f30760ff25f5d33
              • Instruction Fuzzy Hash: E1F044F1A45342AEE7016770AE0ABA93B649725306F100576F541BA1E2C5BC10149B7F
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A57
              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
              • RegCloseKey.ADVAPI32(?), ref: 00402A9C
              • RegCloseKey.ADVAPI32(?), ref: 00402AC1
              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.1660166466.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660195421.0000000000407000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000409000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000421000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660208041.0000000000429000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.000000000042D000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1660251331.0000000000431000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Close$DeleteEnumOpen
              • String ID:
              • API String ID: 1912718029-0
              • Opcode ID: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
              • Instruction ID: 3ec7b1818cbfc33efeafaf7017db19c7c479205e5d6f4ff66fb244667a93d6f3
              • Opcode Fuzzy Hash: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
              • Instruction Fuzzy Hash: 93112971A00009FFDF319F90DE49EAF7B7DEB44385B104436F905A10A0DBB59E51AE69
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDlgItem.USER32(?), ref: 00401CC5
              • GetClientRect.USER32(00000000,?), ref: 00401CD2
              • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
              • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
              • DeleteObject.GDI32(00000000), ref: 00401D10
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
              • String ID:
              • API String ID: 1849352358-0
              • Opcode ID: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
              • Instruction ID: de7316f9b9f1bcc3f0c1dff9ae5dc63c91f1472c52c052d8cf8a0da7f27950be
              • Opcode Fuzzy Hash: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
              • Instruction Fuzzy Hash: D5F01DB2E04105BFD700EFA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenA.KERNEL32(004204A0,004204A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404611,000000DF,0000040F,00000400,00000000), ref: 0040477F
              • wsprintfA.USER32 ref: 00404787
              • SetDlgItemTextA.USER32(?,004204A0), ref: 0040479A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: ItemTextlstrlenwsprintf
              • String ID: %u.%u%s%s
              • API String ID: 3540041739-3551169577
              • Opcode ID: 87794c8f90da6e594bd2e0cae66498bbfb5b9cbb1a5c5e50d1da5967a7fbc4b5
              • Instruction ID: e1128f73888b2767c9277aed1687fd20c93e739cc52df1aac9c0a45a5a8dde9d
              • Opcode Fuzzy Hash: 87794c8f90da6e594bd2e0cae66498bbfb5b9cbb1a5c5e50d1da5967a7fbc4b5
              • Instruction Fuzzy Hash: 7311E2736001243BDB10666D9C46EEF3699DBC6335F14423BFA25F61D1E938AC5286A8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 0040565F
              • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405668
              • lstrcatA.KERNEL32(?,00409010), ref: 00405679
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405659
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CharPrevlstrcatlstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 2659869361-3081826266
              • Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
              • Instruction ID: d5422d5486d5b384c4dcc02911800b35c31fcf4388d9dde419d5dff5703c7688
              • Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
              • Instruction Fuzzy Hash: 8BD05272605A202ED2022A258C05E9B7A28CF06311B044866B540B2292C6386D818AEE
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
              • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
              • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24
                • Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
              • String ID:
              • API String ID: 1404258612-0
              • Opcode ID: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
              • Instruction ID: 178fa6cf4330108057832d0c189c0e5a27020503733a18e797ef1cc5e9d7aef6
              • Opcode Fuzzy Hash: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
              • Instruction Fuzzy Hash: 52113A71A00108BEDB01EFA5DD819AEBBB9EB48344B20853AF501F61E1D7389A54DB28
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharNextA.USER32(0040549F,?,C:\,00000000,00405751,C:\,C:\,?,?,74DF2EE0,0040549F,?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",74DF2EE0), ref: 004056FB
              • CharNextA.USER32(00000000), ref: 00405700
              • CharNextA.USER32(00000000), ref: 0040570F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CharNext
              • String ID: C:\
              • API String ID: 3213498283-3404278061
              • Opcode ID: 48d170df000bd52d6530e74bc6e21c30bbb8ee0efc11f7a91444a9d932de86af
              • Instruction ID: 78d2da9fff81111ace552b99da8146ab0c55ee08e32a6a48318d29482ea338b5
              • Opcode Fuzzy Hash: 48d170df000bd52d6530e74bc6e21c30bbb8ee0efc11f7a91444a9d932de86af
              • Instruction Fuzzy Hash: 5AF0A751945A219AEB3262AC4C44B7B5B9CDB95720F144437E100BB1D1C6BC4C82AFAA
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsWindowVisible.USER32(?), ref: 00404E8A
              • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404EF8
                • Part of subcall function 00403F64: SendMessageA.USER32(0001047C,00000000,00000000,00000000), ref: 00403F76
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Window$CallMessageProcSendVisible
              • String ID:
              • API String ID: 3748168415-3916222277
              • Opcode ID: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
              • Instruction ID: 62f3a1a08e098275047049d4f9968a6b4933f6b7f921e7009373277d82a30415
              • Opcode Fuzzy Hash: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
              • Instruction Fuzzy Hash: D1116D71900208BBDB21AF52DC4499B3669FB84369F00803BF6047A2E2C37C5A519BAD
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
              • WriteFile.KERNEL32(00000000,?,Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers,00000000,?,?,00000000,00000011), ref: 004024FB
              Strings
              • Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, xrefs: 004024CA, 004024EF
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: FileWritelstrlen
              • String ID: Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
              • API String ID: 427699356-1966416226
              • Opcode ID: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
              • Instruction ID: 2c1f07a632d72534084a5ac00d75746702f795d1104bf50e8da4b719a2e94720
              • Opcode Fuzzy Hash: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
              • Instruction Fuzzy Hash: BCF08972A44245FFD710EBB19E49EAF7668DB00348F14443BB142F51C2D6FC5982976D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe",00000000,74DF2EE0,004035F1,00000000,0040342D,00000000), ref: 00403634
              • GlobalFree.KERNEL32(00000000), ref: 0040363B
              Strings
              • "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe", xrefs: 0040362C
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: Free$GlobalLibrary
              • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe"
              • API String ID: 1100898210-207441814
              • Opcode ID: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
              • Instruction ID: 07f203a12dc211ea1540440f4769086933c1ddaa55d0411da1bb29b7fd771b51
              • Opcode Fuzzy Hash: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
              • Instruction Fuzzy Hash: 8FE08C32804420ABC6216F55EC0579A7768AB48B22F028536E900BB3A083743C464BDC
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,80000000,00000003), ref: 004056A6
              • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop13.41595.16600.22629.exe,80000000,00000003), ref: 004056B4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: CharPrevlstrlen
              • String ID: C:\Users\user\Desktop
              • API String ID: 2709904686-224404859
              • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
              • Instruction ID: 6658d1b0ab05e5211e75f0b74aef41c49d7b43cb9628f8e009f88ad9fa15a52a
              • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
              • Instruction Fuzzy Hash: C5D0A772409DB02EF30352108C04B8F7A98CF17300F0948A2E440E21D0C27C5C818FFD
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 004057D2
              • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004057E0
              • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9
              Memory Dump Source
              • Source File: 00000000.00000002.1660180719.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
              Similarity
              • API ID: lstrlen$CharNextlstrcmpi
              • String ID:
              • API String ID: 190613189-0
              • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
              • Instruction ID: 042c172281cf084eebf1820456e7eb749b121a10276c912c68532230cfd8689c
              • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
              • Instruction Fuzzy Hash: BBF0A736249D51DBC2029B295C44E6FBEA4EF95355F14057EF440F3180D335AC11ABBB
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:0.9%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:16.7%
              Total number of Nodes:78
              Total number of Limit Nodes:2

              Control-flow Graph

              APIs
                • Part of subcall function 0040160D: _strdup.MSVCRT(00000000,?,0040AA58,webException), ref: 00401624
                • Part of subcall function 0040160D: SetUnhandledExceptionFilter.KERNEL32(0040164D,?,0040AA58,webException), ref: 00401641
              • GetCommandLineA.KERNEL32(webException,?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040AA58
              • CoInitialize.OLE32(00000000), ref: 0040AA63
              • #16.ATL(004DB258, dA,?,?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040AA9B
              • memcpy.MSVCRT ref: 0040AAB4
              • GetCurrentThreadId.KERNEL32 ref: 0040AABC
              • lstrcmpiA.KERNEL32(00000000,UnregServer), ref: 0040AAF1
              • lstrcmpiA.KERNEL32(00000000,RegServer), ref: 0040AB01
              • #23.ATL(004DB258,00000064,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,0040E4C0,00000000), ref: 0040AB18
              • #57.ATL(004DB258,00000001,00000000,?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040AB22
              • #23.ATL(004DB258,00000064,00000001,00000000,00000000,?,?,00000000,?,?,?,?,?,0040E4C0,00000000), ref: 0040AB34
              • #18.ATL(004DB258,00000001,00000000,?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040AB3E
                • Part of subcall function 0040A9B6: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,004DB258,0040AB4D,?,?,00000000), ref: 0040A9C1
              • #17.ATL(004DB258,00000004,00000001,?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040AB57
              • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040AB5D
              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040AB70
              • DispatchMessageA.USER32(?), ref: 0040AB7A
              • #20.ATL(004DB258,?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040AB8A
              • Sleep.KERNEL32(000003E8,?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040AB95
              • #21.ATL(004DB258,?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040AB9C
              • CoUninitialize.OLE32(?,?,00000000,?,?,?,?,?,0040E4C0,00000000,?,0000000A), ref: 0040ABA7
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: Messagelstrcmpi$CommandCreateCurrentDispatchErrorEventExceptionFilterInitializeLastLineSleepThreadUnhandledUninitialize_strdupmemcpy
              • String ID: dA$RegServer$UnregServer$webException
              • API String ID: 2945142977-1043302512
              • Opcode ID: fb03b83936a48a5b2e2ad9d03a4b105c401edadea771ad9d168e23d0d4255fe0
              • Instruction ID: 40bea367eb6ebdb8176ad2459f5a73ce98baefb69bba7ddc08388a8d228e9684
              • Opcode Fuzzy Hash: fb03b83936a48a5b2e2ad9d03a4b105c401edadea771ad9d168e23d0d4255fe0
              • Instruction Fuzzy Hash: B9418F71202204ABC710ABA1DD49EDF3F6CEF08795F12847AFA06A5191CB78D954CBA9
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
              • String ID:
              • API String ID: 801014965-0
              • Opcode ID: 4a1200f6319f218364a018a59b4636b49bc2fed39dd5790ddd10521176872c18
              • Instruction ID: dda74fb117b1dd59f4a5054ddeb0a2fd270080013e1c53135a8beea55e2f23fd
              • Opcode Fuzzy Hash: 4a1200f6319f218364a018a59b4636b49bc2fed39dd5790ddd10521176872c18
              • Instruction Fuzzy Hash: 2A41D671940308AFCB20DFA5DC45AAA7BB8FB09710F20497FF491A32D1C7788850DB59
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 48 40aa01-40aa09 49 40aa38 48->49 50 40aa0b 48->50 51 40aa3a-40aa3c 49->51 52 40aa11-40aa14 50->52 52->49 53 40aa16-40aa1c 52->53 54 40aa1e-40aa22 53->54 55 40aa2f-40aa36 CharNextA 53->55 54->55 56 40aa24-40aa26 54->56 55->49 55->52 57 40aa28-40aa2d CharNextA 56->57 58 40aa3d-40aa40 CharNextA 56->58 57->54 57->55 58->51
              APIs
              • CharNextA.USER32(0000000A,0000000A,00000000,0040AAE3,0040E4C0,0000000A,?,?,00000000,?,?,?,?,?,0040E4C0,00000000), ref: 0040AA29
              • CharNextA.USER32(?,0000000A,00000000,0040AAE3,0040E4C0,0000000A,?,?,00000000,?,?,?,?,?,0040E4C0,00000000), ref: 0040AA30
              • CharNextA.USER32(?,0000000A,00000000,0040AAE3,0040E4C0,0000000A,?,?,00000000,?,?,?,?,?,0040E4C0,00000000), ref: 0040AA3E
              Similarity
              • API ID: CharNext
              • String ID:
              • API String ID: 3213498283-0
              • Opcode ID: 521557cc99f2e3dcb9fad77eda49d7e75f490e93880078cae95f359d436f0477
              • Instruction ID: 8221bea471fbb8912e89c6266a5f6aff99e2e375272c0dfd50f0750a7ffac1eb
              • Opcode Fuzzy Hash: 521557cc99f2e3dcb9fad77eda49d7e75f490e93880078cae95f359d436f0477
              • Instruction Fuzzy Hash: 26E030267043565BD72286295A1066B6BA94FC6664B69447BF440B73C0E738CC22CB56
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • #23.ATL(004DB258,00000066,?,00000000,00000000), ref: 0040A920
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cf728201de3442fd120cc9b14287b83187bbcecef4964d23d0a4862b14a0df05
              • Instruction ID: 52d0b80e6fd12efa5d0d681c69748f31ac5f95d0850f24b650bc18f58c320bac
              • Opcode Fuzzy Hash: cf728201de3442fd120cc9b14287b83187bbcecef4964d23d0a4862b14a0df05
              • Instruction Fuzzy Hash: 6AB09232680300BAE9308B408C0AF0A7A51A794B00F22C012B301280D082F65020D61D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0040A797: VirtualQuery.KERNEL32(00000000,?,0000001C,?,0040A853,0040A797,00000000,00000104,00000000,00000000), ref: 0040A7A6
              • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000000,00000000), ref: 0040A855
              • strlen.MSVCRT ref: 0040A86F
              • strcat.MSVCRT(00000000,?), ref: 0040A891
              • strcat.MSVCRT(00000000,.dll,00000000,?), ref: 0040A8A2
              • OutputDebugStringA.KERNEL32(00000000), ref: 0040A8B1
              • LoadLibraryExA.KERNEL32(00000000,00000000,00000008), ref: 0040A8BE
              • GetLastError.KERNEL32 ref: 0040A8CB
              • sprintf.MSVCRT ref: 0040A8E5
              • OutputDebugStringA.KERNEL32(?), ref: 0040A8F5
              Strings
              Similarity
              • API ID: DebugOutputStringstrcat$ErrorFileLastLibraryLoadModuleNameQueryVirtualsprintfstrlen
              • String ID: .dll$[ERROR]Load %s err: 0x%X
              • API String ID: 4028424399-3840510504
              • Opcode ID: 273976585034231d98b5bed524dce316a103f4f412f5b9251c2f5343d392ef6a
              • Instruction ID: 27286254bd94d73c31793fc86c91b078b72603948a6f0ae64fde7c734fc19042
              • Opcode Fuzzy Hash: 273976585034231d98b5bed524dce316a103f4f412f5b9251c2f5343d392ef6a
              • Instruction Fuzzy Hash: A62184769043186ADB50EB61DC09FCA7B7CAB14310F5044F6A685E21C1DBB8EAD48F59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyState.USER32(00000010), ref: 0040C4B4
              • GetKeyState.USER32(00000011), ref: 0040C4C0
              • GetKeyState.USER32(00000012), ref: 0040C4CB
              Similarity
              • API ID: State
              • String ID:
              • API String ID: 1649606143-0
              • Opcode ID: 8fb3d82c4c7daa8bcd9823c58975de1706c1f9097b2935737397d67150dad22a
              • Instruction ID: 30ba822be6306d6c5e4358a676d0eb064da13ba2098aeb5a14cf926c39a95499
              • Opcode Fuzzy Hash: 8fb3d82c4c7daa8bcd9823c58975de1706c1f9097b2935737397d67150dad22a
              • Instruction Fuzzy Hash: 53110635600205FBDF14DB95CD55FFA3768AB80754F10017BA801E71C0DAB49942D664
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _strdup.MSVCRT(00000000,?,0040AA58,webException), ref: 00401624
              • SetUnhandledExceptionFilter.KERNEL32(0040164D,?,0040AA58,webException), ref: 00401641
              Similarity
              • API ID: ExceptionFilterUnhandled_strdup
              • String ID:
              • API String ID: 3710202437-0
              • Opcode ID: ac4028b123f25a9475d76ff5966b0504b4af9a6b2870deac1ab2094314057f7a
              • Instruction ID: d019885786627ad0fe3fa992a54c4ed78ec5982c9e0884e3ef736b30bc5222b6
              • Opcode Fuzzy Hash: ac4028b123f25a9475d76ff5966b0504b4af9a6b2870deac1ab2094314057f7a
              • Instruction Fuzzy Hash: 7FE0EC71514311EBCB104B54EC4C79A7AA0F724357F15897BF401A12B1C7798885CAAF
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTimeZoneInformation.KERNEL32(?), ref: 00407D69
              Similarity
              • API ID: InformationTimeZone
              • String ID:
              • API String ID: 565725191-0
              • Opcode ID: 83888436057ebf2006c927339df2a74a118e2dba8bb678be961618602cb2903f
              • Instruction ID: ac201fd0efb3965ab7df09a198dbfd71eedb870cf54c6f6a5ac5843e13c4b09a
              • Opcode Fuzzy Hash: 83888436057ebf2006c927339df2a74a118e2dba8bb678be961618602cb2903f
              • Instruction Fuzzy Hash: 4BE02B32300334AFDB14DA6CEC05F9577E59B4A224F124266B054C31C0D5B0ED00CA51
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • ??2@YAPAXI@Z.MSVCRT ref: 00404CF3
              • memset.MSVCRT ref: 00404D03
              • sprintf.MSVCRT ref: 00404D28
              • ??2@YAPAXI@Z.MSVCRT ref: 00404D32
              • memset.MSVCRT ref: 00404D42
              • sprintf.MSVCRT ref: 00404D5C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404D6C
              • strlen.MSVCRT ref: 00404D78
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404D83
              • memset.MSVCRT ref: 00404D97
              • strtok.MSVCRT ref: 00404DA8
              • _strupr.MSVCRT ref: 00404DD4
              • strcmp.MSVCRT ref: 00404DDC
              • strlen.MSVCRT ref: 00404DEC
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(All Files(*.*),00000000), ref: 00404DFB
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,00000000), ref: 00404E08
              • strlen.MSVCRT ref: 00404E13
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(*.*,00000000), ref: 00404E22
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,00000000), ref: 00404E2F
              • _strupr.MSVCRT ref: 00404E39
              • sprintf.MSVCRT ref: 00404E49
              • strlen.MSVCRT ref: 00404E4E
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 00404E5D
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,00000000), ref: 00404E6A
              • strlen.MSVCRT ref: 00404E75
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A638,00000000), ref: 00404E84
              • _strlwr.MSVCRT ref: 00404E8B
              • strlen.MSVCRT ref: 00404E95
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 00404EA3
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,00000000), ref: 00404EB0
              • sprintf.MSVCRT ref: 00404EBB
              • strtok.MSVCRT ref: 00404EC7
              • memset.MSVCRT ref: 00404EEB
              • sprintf.MSVCRT ref: 00404F22
              • GetSaveFileNameA.COMDLG32(0000004C), ref: 00404FA2
              • GetOpenFileNameA.COMDLG32(0000004C), ref: 00404FA9
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,0000004C), ref: 00404FCC
              • strlen.MSVCRT ref: 00404FD9
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000), ref: 00404FEA
              • strlen.MSVCRT ref: 00405005
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040501D
              • strlen.MSVCRT ref: 00405024
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A634,00000000), ref: 0040502F
              • strlen.MSVCRT ref: 0040503E
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000), ref: 00405049
              • ?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(H#@,?,?), ref: 0040506B
              • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60 ref: 00405085
              • _strupr.MSVCRT ref: 00405096
              • strlen.MSVCRT ref: 0040509F
              • ?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(00000000,00000000,00000000), ref: 004050AD
              • strcmp.MSVCRT ref: 004050CC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004050DC
              • ?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(0000002E,?,00000001), ref: 00405105
              • memcpy.MSVCRT ref: 00405146
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00405184
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040518F
              • strlen.MSVCRT ref: 0040519C
              • memcpy.MSVCRT ref: 004051B9
              • strlen.MSVCRT ref: 004051C8
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,0000004C), ref: 004051D9
              • strlen.MSVCRT ref: 004051E6
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000), ref: 004051F7
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,0000004C), ref: 0040521A
              Strings
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$strlen$?append@?$basic_string@$Tidy@?$basic_string@$?assign@?$basic_string@sprintf$memset$?rfind@?$basic_string@_strupr$??2@FileNamememcpystrcmpstrtok$Freeze@?$basic_string@OpenSave_strlwr
              • String ID: $ $ $%s File(*.%s)$*.*$.$.ALL$ALL$All Files(*.*)$H#@$H#@$L
              • API String ID: 1032499881-1030887753
              • Opcode ID: 83877329ed08c016536a0562bd1270883caaa18759629d37f7cc19d3adf77955
              • Instruction ID: 3a0b675ed6f482fd5a07c70b5d39bc5f16fe781ef3e9e7b306b38d9e20e32524
              • Opcode Fuzzy Hash: 83877329ed08c016536a0562bd1270883caaa18759629d37f7cc19d3adf77955
              • Instruction Fuzzy Hash: E8F1AD72901208BFEB14DBA0DC49BEE7B7CEF04310F15416AF909A71D1DB789A95CB58
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00401669
              • _mbsrchr.MSVCRT ref: 00401682
              • strcpy.MSVCRT(00000001,DBGHELP.DLL), ref: 00401695
              • LoadLibraryA.KERNEL32(?), ref: 004016A3
              • LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 004016B1
              • GetProcAddress.KERNEL32(?,MiniDumpWriteDump), ref: 004016C6
              • memset.MSVCRT ref: 004016E0
              • memset.MSVCRT ref: 004016EE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401706
              • strlen.MSVCRT ref: 0040170D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 00401718
              • strlen.MSVCRT ref: 00401724
              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(0041A16C,00000000,00000000), ref: 00401730
              • strcpy.MSVCRT(?,c:\), ref: 00401747
              • strcat.MSVCRT(?), ref: 0040175B
              • strcat.MSVCRT(?,.dmp,?), ref: 0040176C
              • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040178B
              • GetCurrentThreadId.KERNEL32 ref: 00401798
              • GetCurrentProcessId.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004017B2
              • GetCurrentProcess.KERNEL32(00000000), ref: 004017B9
              • sprintf.MSVCRT ref: 004017DA
              • GetLastError.KERNEL32 ref: 004017E5
              • sprintf.MSVCRT ref: 004017FF
              • CloseHandle.KERNEL32(00000000), ref: 0040180F
              • GetLastError.KERNEL32 ref: 00401817
              • sprintf.MSVCRT ref: 00401831
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401845
              • MessageBoxA.USER32(00000000,DBGHELP.DLL not found,00000000), ref: 00401866
              • FreeLibrary.KERNEL32(?), ref: 00401877
              Strings
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$CurrentLibrarysprintf$ErrorFileLastLoadProcessTidy@?$basic_string@memsetstrcatstrcpystrlen$?assign@?$basic_string@?find@?$basic_string@AddressCloseCreateFreeHandleMessageModuleNameProcThreadV12@_mbsrchr
              • String ID: .dmp$DBGHELP.DLL$DBGHELP.DLL not found$DBGHELP.DLL too old$Failed to create dump file '%s' (error %d)$Failed to save dump file to '%s' (error %d)$MiniDumpWriteDump$Sorry, an error occur! please send "%s" to R&D for our analysis to solve the problem!$c:\
              • API String ID: 1627940307-3830376166
              • Opcode ID: 10cc38734b929fd417ce9e7acf425140800bf2ba8d0ebca697e91deadb3d0776
              • Instruction ID: c0343af9520a9d38cf2c181173419dbc78089cc5f1a65f239e5f8e7b8f8b364b
              • Opcode Fuzzy Hash: 10cc38734b929fd417ce9e7acf425140800bf2ba8d0ebca697e91deadb3d0776
              • Instruction Fuzzy Hash: 3D515E72901218BBCB10ABA19C49EDF7B7CEB08311F1585BAF505E2191DB38DB94CB69
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 00411595: __EH_prolog.LIBCMT ref: 0041159A
                • Part of subcall function 00411595: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,00401457), ref: 004115CE
                • Part of subcall function 00411595: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00401457), ref: 004115E5
                • Part of subcall function 0040EF0F: __EH_prolog.LIBCMT ref: 0040EF14
                • Part of subcall function 0040EF0F: ??2@YAPAXI@Z.MSVCRT ref: 0040EF5B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,?,0043B22C,00000000), ref: 00403312
              • strlen.MSVCRT ref: 00403319
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,0043B22C,00000000), ref: 00403324
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000,?,0043B22C,00000000), ref: 0040334B
                • Part of subcall function 0040FB3D: __EH_prolog.LIBCMT ref: 0040FB42
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,RecordFileInfo,LastInfo,Channel,?,0043B22C,00000000), ref: 004033B0
              • strlen.MSVCRT ref: 004033BC
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000,?,0043B22C,00000000), ref: 004033C7
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,0043B22C,00000000), ref: 004036B0
                • Part of subcall function 00410004: __EH_prolog.LIBCMT ref: 00410009
                • Part of subcall function 0040F7AD: __EH_prolog.LIBCMT ref: 0040F7B2
                • Part of subcall function 0040F7AD: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,opr_ocx.,00000000,?), ref: 0040F8C5
                • Part of subcall function 0040F7AD: strlen.MSVCRT ref: 0040F8D1
                • Part of subcall function 0040F7AD: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 0040F8DB
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,time,?,time,RecordFileInfo,00000000,?,0043B22C,00000000), ref: 00403459
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,0043B22C,00000000), ref: 00403464
                • Part of subcall function 0040FB3D: fputs.MSVCRT ref: 0040FB91
                • Part of subcall function 0040FB3D: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040FB9E
                • Part of subcall function 0040FB3D: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040FBAF
                • Part of subcall function 0040FB3D: strlen.MSVCRT ref: 0040FBBB
                • Part of subcall function 0040FB3D: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Negative integer can not be converted to unsigned integer,00000000), ref: 0040FBC6
                • Part of subcall function 0040FB3D: ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040FBDE
                • Part of subcall function 0040FB3D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040FBEF
                • Part of subcall function 0040FB3D: _CxxThrowException.MSVCRT(?,00417910), ref: 0040FC0A
              • memset.MSVCRT ref: 0040360A
              • sprintf.MSVCRT ref: 00403646
              • strlen.MSVCRT ref: 0040365E
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 0040367A
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04), ref: 00403690
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040369B
                • Part of subcall function 0040FB3D: _ftol.MSVCRT ref: 0040FC32
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$H_prologstrlen$??0?$basic_string@??0exception@@??2@D@2@@0@ExceptionHstd@@ThrowV01@@V10@V?$basic_string@_ftolfputsmemsetsprintf
              • String ID: %s-%02d-%d-%d-%02d-%02d-%02d-%02d-%02d-%02d$:$Channel$LastInfo$RecordFileInfo$bHint$bImportantRecID$channel$driveno$index$size$startcluster$stream$time$type
              • API String ID: 3319055272-3382446669
              • Opcode ID: 95c7db208b394b23224e4874a2e4d9f3bb91a27c7c43802de406976236ef1aa0
              • Instruction ID: e5cf886f62750d60fe113776aff0884249505b59d9a89cfa3e30c952b582dc88
              • Opcode Fuzzy Hash: 95c7db208b394b23224e4874a2e4d9f3bb91a27c7c43802de406976236ef1aa0
              • Instruction Fuzzy Hash: 6CB19131A412087BCF15ABB2CC65AEE7B799F40704F00443EB416AB2D2DE7D8A95CB4D
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              APIs
                • Part of subcall function 0040A7B1: GetProcAddress.KERNEL32(?,?), ref: 0040A7C1
                • Part of subcall function 0040A7B1: GetLastError.KERNEL32(00000000), ref: 0040A7CE
                • Part of subcall function 0040A7B1: sprintf.MSVCRT ref: 0040A802
                • Part of subcall function 0040A7B1: OutputDebugStringA.KERNEL32(?), ref: 0040A812
              • lstrlenW.KERNEL32(?), ref: 00408DA6
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000002,00000000), ref: 00408DD1
              • strlen.MSVCRT ref: 00408DD8
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,?,00000002,00000000), ref: 00408DE3
              • lstrlenW.KERNEL32(?,?,?,00000002,00000000), ref: 00408DF5
                • Part of subcall function 00408FE1: WideCharToMultiByte.KERNEL32(?,00000000,00408DC5,000000FF,?,?,00000000,00000000,74DEE0B0,00408DC5,?,?,00000002,00000000), ref: 00408FFC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000002,00000000,?,?,00000002,00000000), ref: 00408E20
              • strlen.MSVCRT ref: 00408E27
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,?,00000002,00000000,?,?,00000002,00000000), ref: 00408E32
              • lstrlenW.KERNEL32(?,?,?,00000002,00000000,?,?,00000002,00000000), ref: 00408E4B
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000002,00000000,?,?,00000002,00000000), ref: 00408E72
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000,?,?,00000002,00000000,?,?,00000002,00000000), ref: 00408E84
              • strlen.MSVCRT ref: 00408E8D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,00000000,00000000,?,?,00000002,00000000,?,?,00000002,00000000), ref: 00408E9A
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000,?,?,00000002,00000000,?,?,00000002,00000000), ref: 00408EAD
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000002,00000000), ref: 00408ED4
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000002,00000000,?,?,00000002), ref: 00408EE6
              • strlen.MSVCRT ref: 00408EEF
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000002,00000000,?,?), ref: 00408EFC
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000002,00000000,?,?,00000002), ref: 00408F0E
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00408F32
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000002), ref: 00408F3E
              • strlen.MSVCRT ref: 00408F45
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00408F50
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00408FA7
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00408FB1
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00408FBB
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00408FC5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00408FCF
              Strings
              • CreateMainVideoAnalyseShape, xrefs: 00408D7C
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@V12@lstrlenstrlen$ByteCharMultiWide$AddressDebugErrorLastOutputProcStringsprintf
              • String ID: CreateMainVideoAnalyseShape
              • API String ID: 3229638477-2158393511
              • Opcode ID: 91292110760b7e386d8213c874352b0f4aa4b9ecac83913906f9f91d0c4e9858
              • Instruction ID: b09a3e185c2cd09b6c67c4db4b5b8001ed69ec0c10053c00467c42613b826e07
              • Opcode Fuzzy Hash: 91292110760b7e386d8213c874352b0f4aa4b9ecac83913906f9f91d0c4e9858
              • Instruction Fuzzy Hash: 30818CB240014AAFDF01DFA4DD85CEF7BB9EF59304B12452AF812A2291DB349E15CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,004FB330), ref: 004010E2
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 004010F6
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401101
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,004FB330), ref: 0040111A
              • strlen.MSVCRT ref: 00401126
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 00401131
              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(opr_ocx.,00000000,?), ref: 00401144
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,?), ref: 00401171
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040117E
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,0000000A,?,?), ref: 0040119D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 004011B2
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,opr_ocx.,?), ref: 004011CA
                • Part of subcall function 0040F7AD: __EH_prolog.LIBCMT ref: 0040F7B2
                • Part of subcall function 0040F7AD: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,opr_ocx.,00000000,?), ref: 0040F8C5
                • Part of subcall function 0040F7AD: strlen.MSVCRT ref: 0040F8D1
                • Part of subcall function 0040F7AD: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 0040F8DB
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,?), ref: 004011F5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401202
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,opr_play.,?), ref: 0040121E
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04), ref: 00401233
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040123D
                • Part of subcall function 0040F7AD: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,opr_ocx.,00000000,?), ref: 0040F80F
                • Part of subcall function 0040F7AD: strlen.MSVCRT ref: 0040F816
                • Part of subcall function 0040F7AD: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 0040F820
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,?), ref: 00401266
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401270
                • Part of subcall function 0040F7AD: fputs.MSVCRT ref: 0040F862
                • Part of subcall function 0040F7AD: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040F86F
                • Part of subcall function 0040F7AD: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040F87F
                • Part of subcall function 0040F7AD: strlen.MSVCRT ref: 0040F88B
                • Part of subcall function 0040F7AD: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Type is not convertible to string,00000000), ref: 0040F896
                • Part of subcall function 0040F7AD: ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 0040F8A6
                • Part of subcall function 0040F7AD: _CxxThrowException.MSVCRT(?,00417910), ref: 0040F8B5
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,?), ref: 0040129E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004012A8
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 004012C2
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004012CC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004012DD
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 004012F1
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004012FB
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401305
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V12@$Tidy@?$basic_string@$?assign@?$basic_string@$strlen$V?$basic_string@$D@2@@0@Hstd@@V10@@$??0?$basic_string@??0runtime_error@std@@?find@?$basic_string@D@1@@D@2@@1@@ExceptionH_prologThrowV01@fputs
              • String ID: opr_ocx.$opr_play.
              • API String ID: 2439646726-52413243
              • Opcode ID: e041f7580faf8d3157dac6423b676caeae19cd5867de66005b7b4ddf1f6bff5f
              • Instruction ID: f89845577b573b8365dbc2172ae37648391f669d8779bd451c73e405a79b7ba7
              • Opcode Fuzzy Hash: e041f7580faf8d3157dac6423b676caeae19cd5867de66005b7b4ddf1f6bff5f
              • Instruction Fuzzy Hash: 18714836901148BFCF14DFA0D858CEE7BBDEF49314B15817AF906A62A1DB349A04CB68
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              APIs
              • __EH_prolog.LIBCMT ref: 004140B8
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000001,?,?), ref: 004140D0
              • strlen.MSVCRT ref: 004140DC
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 004140E7
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00414116
              • strlen.MSVCRT ref: 00414122
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(null,00000000), ref: 0041412D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?), ref: 0041414B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 00414207
              • strlen.MSVCRT ref: 00414213
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1E8,00000000,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 0041421E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 0041424B
              • strlen.MSVCRT ref: 00414257
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1E4,00000000,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 00414262
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 00414280
              • strlen.MSVCRT ref: 004142A5
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 004142B0
              • strlen.MSVCRT ref: 004142E4
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60( : ,00000000,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 004142F3
              • strlen.MSVCRT ref: 00414316
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A664,00000000,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00414325
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00414356
              • strlen.MSVCRT ref: 00414362
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1E0,00000000,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 0041436D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 0041438B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004143A6
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@strlen$?assign@?$basic_string@$?append@?$basic_string@$H_prolog
              • String ID: : $null
              • API String ID: 2305808220-2804279426
              • Opcode ID: 78a3542cf5f1e8529c402a2b5e0bae3dadbdd1e8ff734b2316c992a46bf0605a
              • Instruction ID: 94897df529ed4b8bfe04dead72eb5e9c76cb66bd29dc3cf116fcf166cc2ed3a0
              • Opcode Fuzzy Hash: 78a3542cf5f1e8529c402a2b5e0bae3dadbdd1e8ff734b2316c992a46bf0605a
              • Instruction Fuzzy Hash: BF91B571A00248BFDF04EBA1C959AED7BB8DF55304F20416EF416A7282DB385F85C769
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              APIs
              • __EH_prolog.LIBCMT ref: 0040F8F9
              • fputs.MSVCRT ref: 0040F952
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040F95F
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040F970
              • strlen.MSVCRT ref: 0040F97C
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(integer out of signed integer range,00000000), ref: 0040F987
              • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040F99F
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F9B0
              • _CxxThrowException.MSVCRT(?,00417910), ref: 0040F9CB
              • _ftol.MSVCRT ref: 0040F9EC
              • fputs.MSVCRT ref: 0040FA16
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040FA23
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040FA34
              • strlen.MSVCRT ref: 0040FA40
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Real out of signed integer range,00000000), ref: 0040FA4B
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 0040FA62
              • _CxxThrowException.MSVCRT(?,00417910), ref: 0040FA74
              • fputs.MSVCRT ref: 0040FAA8
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040FAB8
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040FAC9
              • strlen.MSVCRT ref: 0040FAD5
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Type is not convertible to int,00000000), ref: 0040FAE0
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 0040FAF7
              • _CxxThrowException.MSVCRT(?,00417910), ref: 0040FB09
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@ExceptionThrowV12@fputsstrlen$??0runtime_error@std@@D@2@@1@@V?$basic_string@$??0?$basic_string@??0exception@@H_prologV01@@_ftol
              • String ID: Real out of signed integer range$Type is not convertible to int$integer out of signed integer range
              • API String ID: 1757128735-3748601619
              • Opcode ID: 266daf22a981df9402a23367089147cd13c1d1dd10af69e2214a71acee306ee1
              • Instruction ID: 4ccb257a347973942b4814ddcf5d753b56a809d44a74e39c397571e3b43b6c51
              • Opcode Fuzzy Hash: 266daf22a981df9402a23367089147cd13c1d1dd10af69e2214a71acee306ee1
              • Instruction Fuzzy Hash: FB519F71901248FFEB04DBA0ED59BDD777CEF05304F1184BAE409A3292DB39AA49CB19
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 0040FB42
              • fputs.MSVCRT ref: 0040FB91
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040FB9E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040FBAF
              • strlen.MSVCRT ref: 0040FBBB
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Negative integer can not be converted to unsigned integer,00000000), ref: 0040FBC6
              • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 0040FBDE
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040FBEF
              • _CxxThrowException.MSVCRT(?,00417910), ref: 0040FC0A
              • _ftol.MSVCRT ref: 0040FC32
              • fputs.MSVCRT ref: 0040FC5C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040FC69
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040FC7A
              • strlen.MSVCRT ref: 0040FC86
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Real out of unsigned integer range,00000000), ref: 0040FC91
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 0040FCA8
              • _CxxThrowException.MSVCRT(?,00417910), ref: 0040FCBA
              • fputs.MSVCRT ref: 0040FCEE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040FCFE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040FD0F
              • strlen.MSVCRT ref: 0040FD1B
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Type is not convertible to uint,00000000), ref: 0040FD26
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 0040FD3D
              • _CxxThrowException.MSVCRT(?,00417910), ref: 0040FD4F
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@ExceptionThrowV12@fputsstrlen$??0runtime_error@std@@D@2@@1@@V?$basic_string@$??0?$basic_string@??0exception@@H_prologV01@@_ftol
              • String ID: Negative integer can not be converted to unsigned integer$Real out of unsigned integer range$Type is not convertible to uint
              • API String ID: 1757128735-1738163505
              • Opcode ID: 2644043d235d2cc10f189f2bf0836e40f0b7b4e88a745295141e72636b943052
              • Instruction ID: bc63c85c4dfd9b1d1673ee0be0cfc82b02a636c040b35719646a18589195d2e8
              • Opcode Fuzzy Hash: 2644043d235d2cc10f189f2bf0836e40f0b7b4e88a745295141e72636b943052
              • Instruction Fuzzy Hash: 80518F31901248EFEB14DBA0ED49BDD7BB8EF05304F1140BAE805A7292DB35AA49CB1D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowLongA.USER32(?,000000EB), ref: 004020C3
              • DefWindowProcA.USER32(?,?,?,?), ref: 004023FA
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: Window$LongProc
              • String ID:
              • API String ID: 2275667008-0
              • Opcode ID: 2d9320be9e9e98558fa4daf8aadb8dfa5be20353990a7eb723880dece40d026b
              • Instruction ID: ea47235da73ce07f5d52f862243877c0627405f2b32d99e5f8158f5e47992296
              • Opcode Fuzzy Hash: 2d9320be9e9e98558fa4daf8aadb8dfa5be20353990a7eb723880dece40d026b
              • Instruction Fuzzy Hash: C4A19B71500149AFDF04DBA4EE49EFF7B69EB44300F10017AF902B62D2CAB89E45DB69
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 00411CE0
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,?,?), ref: 00411CF9
                • Part of subcall function 0040EF0F: __EH_prolog.LIBCMT ref: 0040EF14
                • Part of subcall function 0040EF0F: ??2@YAPAXI@Z.MSVCRT ref: 0040EF5B
                • Part of subcall function 0040F26E: __EH_prolog.LIBCMT ref: 0040F273
                • Part of subcall function 0040F26E: strcmp.MSVCRT ref: 0040F329
              • strlen.MSVCRT ref: 00411D85
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000,?,00000000,00000007,?,?), ref: 00411D94
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,00000007,?,?), ref: 00411E6F
              • strlen.MSVCRT ref: 00411E7B
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Missing '}' or object member name,00000000,?,?), ref: 00411E86
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000002,?,?), ref: 00411EAC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?), ref: 00411EBB
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000002,00000005,?,?,?), ref: 00411EED
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,00000005,?,?,?), ref: 00411F01
              • strlen.MSVCRT ref: 00411F0D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Missing ',' or '}' in object declaration,00000000,?,?), ref: 00411F18
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000002,?,?), ref: 00411F3E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?), ref: 00411F4D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000005,?,?,?), ref: 00411F65
              • strlen.MSVCRT ref: 00411F71
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Missing ':' after object member name,00000000,?,?), ref: 00411F7C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000002,?,?), ref: 00411FA2
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?), ref: 00411FB1
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@V12@strlen$H_prolog$??2@strcmp
              • String ID: Missing ',' or '}' in object declaration$Missing ':' after object member name$Missing '}' or object member name
              • API String ID: 1887926336-3980781130
              • Opcode ID: c41f527f8a18029a96c41651bd3ca353331fe0fb2f6cce72d3591141d862b31a
              • Instruction ID: 7282b3ceed78138fe546e25218598505db31c4564c96f15bf7b7da3ba8ab68a1
              • Opcode Fuzzy Hash: c41f527f8a18029a96c41651bd3ca353331fe0fb2f6cce72d3591141d862b31a
              • Instruction Fuzzy Hash: C981E430D00388AEDF14DBE4C8159EEBB7D9F55310F04416BE956B7392DB784A89CB29
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 004143E2
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0041440A
              • strlen.MSVCRT ref: 00414416
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1F4,00000000), ref: 00414421
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?), ref: 0041443E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?), ref: 00414465
              • strlen.MSVCRT ref: 00414471
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1F0,00000000), ref: 0041447C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?), ref: 0041449B
              • strlen.MSVCRT ref: 0041451E
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A664,00000000,00000000,?,?), ref: 00414529
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,00000000,?,?), ref: 00414553
              • strlen.MSVCRT ref: 0041455F
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1EC,00000000), ref: 0041456A
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@strlen$?assign@?$basic_string@$?append@?$basic_string@H_prolog
              • String ID:
              • API String ID: 2673005829-0
              • Opcode ID: ed476f121f036b932b795341753bb6467496d55cb5782ca341ada9eeece13cce
              • Instruction ID: 1d1b2117f6f458e206ceaefd7c3f0c6a02e18bcb53e91a012e3a41a2d00c8afd
              • Opcode Fuzzy Hash: ed476f121f036b932b795341753bb6467496d55cb5782ca341ada9eeece13cce
              • Instruction Fuzzy Hash: 5A61B431A00104BFDF14EFA5D8549FEBBB9EF85714F10412EF816A3282CB389982CB59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 0040F7B2
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,opr_ocx.,00000000,?), ref: 0040F80F
              • strlen.MSVCRT ref: 0040F816
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 0040F820
              • fputs.MSVCRT ref: 0040F862
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040F86F
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040F87F
              • strlen.MSVCRT ref: 0040F88B
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Type is not convertible to string,00000000), ref: 0040F896
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 0040F8A6
              • _CxxThrowException.MSVCRT(?,00417910), ref: 0040F8B5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,opr_ocx.,00000000,?), ref: 0040F8C5
              • strlen.MSVCRT ref: 0040F8D1
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 0040F8DB
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@V12@strlen$??0runtime_error@std@@D@2@@1@@ExceptionH_prologThrowV?$basic_string@fputs
              • String ID: Type is not convertible to string$false$opr_ocx.$true
              • API String ID: 375836627-3953249269
              • Opcode ID: e3048fa97f1b4a641e5177dcdcb5e6b85057db8f31164cc55dfc297a7d9cfafa
              • Instruction ID: 5327d30a26a9c6f24ceb2b21e7445144c7dfccccf195585894dc9cb9a03c09a8
              • Opcode Fuzzy Hash: e3048fa97f1b4a641e5177dcdcb5e6b85057db8f31164cc55dfc297a7d9cfafa
              • Instruction Fuzzy Hash: 0931D032900144AFDF14ABA4D8448EEBB78EF49314B15807BF805E7382C738ED86C7A9
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 00413DE3
              • strlen.MSVCRT ref: 00413E82
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1D4,00000000,?,00000000,?,00000000), ref: 00413E8C
              • strlen.MSVCRT ref: 00413EB2
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1D0,00000000,?,00000000,?,00000000), ref: 00413EBD
              • strlen.MSVCRT ref: 00413EE2
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(null,00000000,0043B22C,?,00000000), ref: 00413EEC
              • strlen.MSVCRT ref: 00413F0E
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1C8,00000000,?,00000000,?,00000000,?,00000000), ref: 00413F18
              • strlen.MSVCRT ref: 00413F3A
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1D0,00000000,?,00000000,?,00000000), ref: 00413F49
              • strlen.MSVCRT ref: 00413F69
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60( : ,00000000,00000000,?,00000000), ref: 00413F76
              • strlen.MSVCRT ref: 00413F9D
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1C0,00000000,?,00000000,?,00000000), ref: 00413FA7
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ?append@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@strlen$H_prolog
              • String ID: : $null
              • API String ID: 3859172137-2804279426
              • Opcode ID: 31dcbbe075e987f41c2657b4c0338516b99ed810e97953d88560ffc3d2f7aeb5
              • Instruction ID: e42f3cc83e3473e49e8e39f960dcd34175c261043156004931896d9ee1190256
              • Opcode Fuzzy Hash: 31dcbbe075e987f41c2657b4c0338516b99ed810e97953d88560ffc3d2f7aeb5
              • Instruction Fuzzy Hash: 4451B671A00104AFDB14AF65C9958FEB379EF94305721453FF846A7292CB3C5E82879D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00401365
              • ??2@YAPAXI@Z.MSVCRT ref: 00401377
              • memset.MSVCRT ref: 00401394
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?), ref: 004013AA
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004013CC
              • ??2@YAPAXI@Z.MSVCRT ref: 004013D8
              • memset.MSVCRT ref: 004013ED
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00401404
                • Part of subcall function 0040E25E: free.MSVCRT(00000000,00410DB9,00000000,?,?,00000000,00000000,?,0040F10D,?,?,?,?,004101FB,004FB330,?), ref: 0040E262
              • ??2@YAPAXI@Z.MSVCRT ref: 0040142E
              • memset.MSVCRT ref: 0040143A
              • memcpy.MSVCRT ref: 00401444
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401461
              • strlen.MSVCRT ref: 00401468
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000), ref: 00401473
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000001), ref: 0040149F
              • OutputDebugStringA.KERNEL32(json::reader language failed), ref: 004014AF
              Strings
              • json::reader language failed, xrefs: 004014AA
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWide$??2@D@2@@std@@D@std@@U?$char_traits@V?$allocator@memset$Tidy@?$basic_string@$?assign@?$basic_string@DebugOutputStringV12@freememcpystrlen
              • String ID: json::reader language failed
              • API String ID: 772221285-2031296474
              • Opcode ID: 8bfe391806b4e0d693cd0764ddcdff222849f27639900677502d6578d0b46493
              • Instruction ID: 84c33ed4a716a8934ec60a85f3d140e4e132ad8664c4ed42edba348058b0f109
              • Opcode Fuzzy Hash: 8bfe391806b4e0d693cd0764ddcdff222849f27639900677502d6578d0b46493
              • Instruction Fuzzy Hash: 3D51C372800109BEDF00AFA5CC81CEFBB7DEF45354B00817EF914A61A2D7389E559B64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 004122F0
              • memcpy.MSVCRT ref: 0041231C
              • sscanf.MSVCRT ref: 00412336
                • Part of subcall function 0040F26E: __EH_prolog.LIBCMT ref: 0040F273
                • Part of subcall function 0040F26E: strcmp.MSVCRT ref: 0040F329
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,-00000026), ref: 0041234E
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?), ref: 0041235B
              • sscanf.MSVCRT ref: 00412377
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00412387
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004123A7
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?), ref: 004123B2
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,0041B034,?), ref: 004123C9
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,' is not a number.,?,0041B034,?), ref: 004123DC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000000,?,00000000), ref: 004123FF
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0041240E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0041241D
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@D@2@@0@H_prologHstd@@V12@V?$basic_string@sscanf$V10@V10@@memcpystrcmp
              • String ID: %lf$' is not a number.
              • API String ID: 462732276-357672074
              • Opcode ID: 46a60bc0a954cba9fe41eceda8a538f5e9d18066f56fb3935d3baf857ac02894
              • Instruction ID: 06a766ca5968e531cbc8a2bfe635ef64edb0060e976ca818026b468f99d69201
              • Opcode Fuzzy Hash: 46a60bc0a954cba9fe41eceda8a538f5e9d18066f56fb3935d3baf857ac02894
              • Instruction Fuzzy Hash: D641B172900248BFDB10DBA0D849BDEBB78EF18314F154169E556A3282DB749A88CB68
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 004126F6
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000001,?,?,?,0000000C,00000000), ref: 00412710
              • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000001,?,0000000C,00000000), ref: 00412728
              • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,0000000C,00000000), ref: 00412736
              • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000002,?,0000000C,00000000), ref: 0041275B
              • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,0000000C,00000000), ref: 0041276E
              • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,0000000C,00000000), ref: 00412791
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,0000000C,00000000), ref: 00412907
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,0000000C,00000000), ref: 00412918
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Freeze@?$basic_string@$?resize@?$basic_string@Tidy@?$basic_string@$??0?$basic_string@H_prologV01@@
              • String ID:
              • API String ID: 328737002-0
              • Opcode ID: 80f250d3de5c16367371b14ba083dae25dcd4c466f08a9b260b74c88ae1b7713
              • Instruction ID: bc90bc5eca0c6343c8b27f0c1e589f09364f5ea73ca34b5c778e549fbcfc6247
              • Opcode Fuzzy Hash: 80f250d3de5c16367371b14ba083dae25dcd4c466f08a9b260b74c88ae1b7713
              • Instruction Fuzzy Hash: BE71CF31D10219EFCF00DB54CD949EEB774FB09711F15822AE812A22E2C7B89995CF9D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 004124FD
              • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,0000000C,00000000), ref: 00412523
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,0000000C,00000000), ref: 00412619
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,0000000C,00000000), ref: 0041263E
              • strlen.MSVCRT ref: 0041264A
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Empty escape sequence in string,00000000,?,0000000C,00000000), ref: 00412655
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,0000000C,00000000), ref: 0041267A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,0000000C,00000000), ref: 00412690
              • strlen.MSVCRT ref: 0041269C
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Bad escape sequence in string,00000000,?,0000000C,00000000), ref: 004126A7
                • Part of subcall function 00412B9C: __EH_prolog.LIBCMT ref: 00412BA1
                • Part of subcall function 00412B9C: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BB9
                • Part of subcall function 00412B9C: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BDB
                • Part of subcall function 00412B9C: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BFC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,0000000C,00000000), ref: 004126CF
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$H_prologstrlen$?append@?$basic_string@Grow@?$basic_string@
              • String ID: Bad escape sequence in string$Empty escape sequence in string
              • API String ID: 3229954372-928816353
              • Opcode ID: 879d8159166e86d37b5d1df245b5d4e0f698e3375b4443bd70a67e740ee27542
              • Instruction ID: d826af4320179a3b53f88d9b81e55327722a26ee4e615836d1a3e16265e3bc99
              • Opcode Fuzzy Hash: 879d8159166e86d37b5d1df245b5d4e0f698e3375b4443bd70a67e740ee27542
              • Instruction Fuzzy Hash: 91519135900248FFDF149F54CA99AEE7B74EB45320F108117F816E62D1C7B89AD1CB59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00404B82
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00404BA9
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000), ref: 00404BBB
              • strlen.MSVCRT ref: 00404BC4
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,00000000,00000000), ref: 00404BD1
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00404BE3
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404C07
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404C13
              • strlen.MSVCRT ref: 00404C1A
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404C25
              • ??2@YAPAXI@Z.MSVCRT ref: 00404C2D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404C5B
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404C70
              • PostMessageA.USER32(?,00000464,00000000,00000000), ref: 00404C83
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404C96
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404CA1
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$?assign@?$basic_string@Tidy@?$basic_string@$ByteCharMultiWidelstrlenstrlen$??2@MessagePost
              • String ID:
              • API String ID: 1766598892-0
              • Opcode ID: 6dc4d5961332c893f2525c87e82aa4aea4b62d0ef0d1518df2776291b44063fb
              • Instruction ID: 754f2723c7e170b0b0afcbef5d0fb6ae4afd6be8b1c99625a433743d20c5041f
              • Opcode Fuzzy Hash: 6dc4d5961332c893f2525c87e82aa4aea4b62d0ef0d1518df2776291b44063fb
              • Instruction Fuzzy Hash: FA416F72801149BFDF019FA4DC85CEEBBBCFF19314B06456AFA01A22A1D7349A54CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 004095FC
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00409623
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000), ref: 00409635
              • strlen.MSVCRT ref: 0040963E
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,00000000,00000000), ref: 0040964B
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 0040965D
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00409681
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040968D
              • strlen.MSVCRT ref: 00409694
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040969F
              • ??2@YAPAXI@Z.MSVCRT ref: 004096A7
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004096CF
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004096E4
              • PostMessageA.USER32(?,00000466,?,00000000), ref: 00409702
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00409715
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00409720
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$?assign@?$basic_string@Tidy@?$basic_string@$ByteCharMultiWidelstrlenstrlen$??2@MessagePost
              • String ID:
              • API String ID: 1766598892-0
              • Opcode ID: dfa5cc3879d0f964ec79a72ec4a66017aaaf1e01d7ad65fb00acbb4f69274043
              • Instruction ID: 344a09ad5b82ccfdb2e5db761d195808171007360e4d4fa8aa98bfd8fca3b9cd
              • Opcode Fuzzy Hash: dfa5cc3879d0f964ec79a72ec4a66017aaaf1e01d7ad65fb00acbb4f69274043
              • Instruction Fuzzy Hash: 5441B072801109FFCF019FA4DC85CEE7BBCEF09310B05856AF905A72A2D7359A44CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(00000000,00000000,0043B22C,00000000,?,0040EA36,00000000,0041A44C,00000000,00000000,00000001,00000000,?,00000001,0043B22C), ref: 0040E55E
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: 6@$`<u`j>u$|i@$|i@
              • API String ID: 1659193697-2999284950
              • Opcode ID: e83184848dd97f09010af220572cac66e21020104f9a08f9c2ee5f06fad108c7
              • Instruction ID: 79e3cba1b9968779c3a6371b64e80be35af877d52fbfc14ffa3a88ec7201bb32
              • Opcode Fuzzy Hash: e83184848dd97f09010af220572cac66e21020104f9a08f9c2ee5f06fad108c7
              • Instruction Fuzzy Hash: 40E1B076D00204DBCB10CFA9C8849DEB7B1FF58310B29897AE801BB390D739AD56CB95
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • strlen.MSVCRT ref: 00413C6F
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1BC,00000000,?,?,?,004141A7,?,00000000,?,?,?,?,?,?,?), ref: 00413C7D
              • strlen.MSVCRT ref: 00413CB8
              • strlen.MSVCRT ref: 00413CCE
              • strlen.MSVCRT ref: 00413CE4
              • strlen.MSVCRT ref: 00413CF7
              • strlen.MSVCRT ref: 00413D0A
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,?,?,?,004141A7,?,00000000,?,?,?,?,?,?,?), ref: 00413D2C
              • strlen.MSVCRT ref: 00413D39
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1B8,00000000,?,?,?,?,004141A7,?,00000000,?,?,?,?,?,?,?), ref: 00413D65
              • strlen.MSVCRT ref: 00413D77
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041B1BC,00000000,?,?,?,004141A7,?,00000000,?,?,?,?,?,?,?), ref: 00413D81
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: strlen$?append@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@
              • String ID:
              • API String ID: 3160329171-0
              • Opcode ID: 25835d862269a3482678e29cf2674d1627747358167ce0611ca4d08d4b252e52
              • Instruction ID: c62b3ee8ff3792df6bbf1d181682680aa489dc2e91c52042fecdd1e869e589e9
              • Opcode Fuzzy Hash: 25835d862269a3482678e29cf2674d1627747358167ce0611ca4d08d4b252e52
              • Instruction Fuzzy Hash: 8F21B6712801447DB51C2A26BD5AAFA161CCA41B53BF5065FF802A51D1DA9C2EC342AE
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: memset
              • String ID:
              • API String ID: 2221118986-0
              • Opcode ID: cb0e7096afcaa5cadb8c6603c5985d7d6d79075b208e69ae4d9bc394d193043d
              • Instruction ID: 1f43e91fee7a82c1bbcb9bc7d193e1d147effa56f2b6c8d0543030adf6697e69
              • Opcode Fuzzy Hash: cb0e7096afcaa5cadb8c6603c5985d7d6d79075b208e69ae4d9bc394d193043d
              • Instruction Fuzzy Hash: DE512871D00209EFCB20CF99D888A9EBFB9FF48310F11852AE91AA72A1D7359901CF55
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 004148D7
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,0041B1F8,00000000,?,00000000,?,00000001,00000001,00000000,0041A664), ref: 0041491B
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000001,00000001,00000000,0041A664), ref: 00414935
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00414942
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00414950
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0041495E
              • strlen.MSVCRT ref: 00414983
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A624,00000000,?,00000002,00000001,00000000,0041A664), ref: 0041498E
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000002,?,00000002,00000001,00000000,0041A664), ref: 004149C7
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000002,00000001,00000000,0041A664), ref: 004149D5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000002,00000001,00000000,0041A664), ref: 004149E3
              • strlen.MSVCRT ref: 004149ED
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A624,00000000,?,00000002,00000001,00000000,0041A664), ref: 004149F7
                • Part of subcall function 004104B3: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,00000001,?,?,?,00414865,?,00000000,00000001,00000000,?), ref: 004104DE
                • Part of subcall function 004104B3: strlen.MSVCRT ref: 004104E5
                • Part of subcall function 004104B3: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,?,?,00414865,?,00000000,00000001,00000000,?), ref: 004104EF
                • Part of subcall function 00414A0E: __EH_prolog.LIBCMT ref: 00414A13
                • Part of subcall function 00414A0E: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000001,?,00000000,?,00000001,00000000,?,?), ref: 00414A2D
                • Part of subcall function 00414A0E: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,?,00000001,00000000,?,?), ref: 00414A49
                • Part of subcall function 00414A0E: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,00000000,?,00000001,00000000,?,?), ref: 00414A82
                • Part of subcall function 00414A0E: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,00000001,00000000,?,?), ref: 00414A98
                • Part of subcall function 00414A0E: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,00000001,00000000,?,?), ref: 00414AAD
                • Part of subcall function 00414A0E: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,00000001,00000000,?,?), ref: 00414ABE
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$V12@$Tidy@?$basic_string@$?append@?$basic_string@$strlen$?assign@?$basic_string@H_prolog$D@2@@0@Grow@?$basic_string@Hstd@@V10@@V?$basic_string@
              • String ID:
              • API String ID: 2615514798-0
              • Opcode ID: bdc43fdd2d5a46ffd0dd6c5bb476119f0b5097c264a8d265052211fcbe3af306
              • Instruction ID: 3481e5598b9fe2f15fd8be74f77d85e73e0fb66cbef022d21bb2e7f3712dfd45
              • Opcode Fuzzy Hash: bdc43fdd2d5a46ffd0dd6c5bb476119f0b5097c264a8d265052211fcbe3af306
              • Instruction Fuzzy Hash: BC417C71900258FBDB04DBA4DD89EEE777CAF48314F14856EF502A7282CB789A44CB28
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 00412935
                • Part of subcall function 00412A78: __EH_prolog.LIBCMT ref: 00412A7D
                • Part of subcall function 00412A78: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00412AA2
                • Part of subcall function 00412A78: strlen.MSVCRT ref: 00412AAE
                • Part of subcall function 00412A78: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Bad unicode escape sequence in string: four digits expected.,00000000), ref: 00412AB9
                • Part of subcall function 00412A78: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000005,?,?), ref: 00412B92
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,00000001), ref: 0041298C
              • strlen.MSVCRT ref: 00412998
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(additional six characters expected to parse unicode surrogate pair.,00000000), ref: 004129A3
                • Part of subcall function 00412B9C: __EH_prolog.LIBCMT ref: 00412BA1
                • Part of subcall function 00412B9C: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BB9
                • Part of subcall function 00412B9C: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BDB
                • Part of subcall function 00412B9C: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BFC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,00000001), ref: 00412A31
              • strlen.MSVCRT ref: 00412A3D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(expecting another \u token to begin the second half of a unicode surrogate pair,00000000), ref: 00412A48
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000005,?,?), ref: 00412A6E
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$H_prologstrlen
              • String ID: additional six characters expected to parse unicode surrogate pair.$expecting another \u token to begin the second half of a unicode surrogate pair
              • API String ID: 1550703880-1961466578
              • Opcode ID: 0bf5aa0e84e31826d43560771a21c7805576d663f3b5f83ce20bb99d99bcc670
              • Instruction ID: 4f65c3bd64ddf3fdd1d8861c2da88e0fb47ba782806f72038bb019fd9e2ad5ea
              • Opcode Fuzzy Hash: 0bf5aa0e84e31826d43560771a21c7805576d663f3b5f83ce20bb99d99bcc670
              • Instruction Fuzzy Hash: AC412435900148BFDF289F64D904AFE7B79EF09350F10812EF862D7291CB7899A5DB24
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 00412A7D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00412AA2
              • strlen.MSVCRT ref: 00412AAE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 00412B55
              • strlen.MSVCRT ref: 00412B61
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Bad unicode escape sequence in string: hexadecimal digit expected.,00000000), ref: 00412B6C
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Bad unicode escape sequence in string: four digits expected.,00000000), ref: 00412AB9
                • Part of subcall function 00412B9C: __EH_prolog.LIBCMT ref: 00412BA1
                • Part of subcall function 00412B9C: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BB9
                • Part of subcall function 00412B9C: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BDB
                • Part of subcall function 00412B9C: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BFC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000005,?,?), ref: 00412B92
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$H_prologstrlen
              • String ID: Bad unicode escape sequence in string: four digits expected.$Bad unicode escape sequence in string: hexadecimal digit expected.
              • API String ID: 1550703880-3825735986
              • Opcode ID: a0e316f45ac9e56dd617e2cae97d2dcdbd6a742c41d073d9a0c8e7620580d59b
              • Instruction ID: e227b429b68bebaeab0ab4ddfff1cc301304b2e54017e0562953310ba3d97421
              • Opcode Fuzzy Hash: a0e316f45ac9e56dd617e2cae97d2dcdbd6a742c41d073d9a0c8e7620580d59b
              • Instruction Fuzzy Hash: 17411735900148AFEB14CF59C894BEEB7B9EF49310F10811FE412D7292C779A99ACB54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00407EB8
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 00407EDD
              • memset.MSVCRT ref: 00407EF3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00407F05
              • strlen.MSVCRT ref: 00407F0C
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 00407F17
              • strlen.MSVCRT ref: 00407F23
              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(0041A7F4,00000000,00000000), ref: 00407F2F
              • memcpy.MSVCRT ref: 00407F54
              • GetDiskFreeSpaceExA.KERNEL32(?,?,00000000,00000000), ref: 00407F66
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00407F84
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@strlen$?assign@?$basic_string@?find@?$basic_string@ByteCharDiskFreeMultiSpaceV12@Widelstrlenmemcpymemset
              • String ID:
              • API String ID: 2071960557-0
              • Opcode ID: 8e54359d49887003fd840ddd8980e9c1af9dd2fff647dce7891c39a63ee2ac86
              • Instruction ID: 86c8fda87b15f2ec139ea645a111bfd3d0a55a1328bc7ace3f641faac70256b5
              • Opcode Fuzzy Hash: 8e54359d49887003fd840ddd8980e9c1af9dd2fff647dce7891c39a63ee2ac86
              • Instruction Fuzzy Hash: F6318DB2900109BFDB00DFA0DC85DEF7B6CEF05318F11857AFA15A6291DA34AE45CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 004120E5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000001,00000002,?,?), ref: 004121BD
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?,?,?), ref: 004121CA
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,0041B034,?,?,?), ref: 004121E0
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,' is not a number.,?,0041B034,?,?,?), ref: 004121F3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000000,?,00000000,?,?,?,?,?,?), ref: 00412217
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?), ref: 00412226
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?), ref: 00412235
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$?assign@?$basic_string@H_prologV10@V10@@V12@
              • String ID: ' is not a number.
              • API String ID: 3384032380-698141950
              • Opcode ID: 2f4c46e8a9e8285397af806e39fc0671b364cd9c00dece18eb6c50f204bc96cd
              • Instruction ID: a8b2bdae1b8451ee2b139eca5e4d8cd9d4836f1934e820efe5b420bc0ab08dbd
              • Opcode Fuzzy Hash: 2f4c46e8a9e8285397af806e39fc0671b364cd9c00dece18eb6c50f204bc96cd
              • Instruction Fuzzy Hash: 83610130D00149AFCF28DBA4CA95BEEBB79AF05300F20805AE511F32D1D6B85A99CB59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 0040FD88
              • fputs.MSVCRT ref: 0040FDFC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040FE09
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040FE1A
              • strlen.MSVCRT ref: 0040FE26
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Type is not convertible to double,00000000), ref: 0040FE31
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 0040FE42
              • _CxxThrowException.MSVCRT(?,00417910), ref: 0040FE51
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$??0runtime_error@std@@?assign@?$basic_string@D@2@@1@@ExceptionH_prologThrowV12@V?$basic_string@fputsstrlen
              • String ID: Type is not convertible to double
              • API String ID: 1438101501-279886761
              • Opcode ID: dcf59d540c8277220200793ab45eeb2b923e23d39b5c2a665d6534bfc66850b4
              • Instruction ID: a137f9e8e199a4e82eb1dc1238a41072c4a02d0ba36ce1dc96afcd25846f82c6
              • Opcode Fuzzy Hash: dcf59d540c8277220200793ab45eeb2b923e23d39b5c2a665d6534bfc66850b4
              • Instruction Fuzzy Hash: 8F21D771904148EFDF24DB94EC48BED7B78FF05700F11847AE402B66A2CB38A949CB99
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedIncrement.KERNEL32 ref: 0040AEA5
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: IncrementInterlocked
              • String ID: (eA$8eA$`eA$teA$tfA$xdA$dA$eA
              • API String ID: 3508698243-278714472
              • Opcode ID: 0d3e67c88f796a0c8962d65ea1f2dcd4e11bf4587349b302e23d0a8171a87d8d
              • Instruction ID: 198ee4f473ac136582e66eb9b37c914974e2facebd2e415e3f93fad78d3d97fa
              • Opcode Fuzzy Hash: 0d3e67c88f796a0c8962d65ea1f2dcd4e11bf4587349b302e23d0a8171a87d8d
              • Instruction Fuzzy Hash: 070117B1101B509ED7609F21A1097C3BAF5AB11748F52CD1E91EA4A729CBB9E088CF9C
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 0040838A
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 004083AF
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004083C4
              • strlen.MSVCRT ref: 004083CB
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 004083D5
              • ??2@YAPAXI@Z.MSVCRT ref: 004083F6
              • memset.MSVCRT ref: 00408405
              • strlen.MSVCRT ref: 00408429
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00408434
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000), ref: 00408461
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@Tidy@?$basic_string@V12@strlen$??2@ByteCharMultiWidelstrlenmemset
              • String ID:
              • API String ID: 3286739526-0
              • Opcode ID: 2be8783471f103a2e7b0a3247782e31649c80c4bfdaa3e3ef5bb478742f3fd3b
              • Instruction ID: 754467957dc56d63a7fd7ce937fafa321311116707e8ebd77b0f52a86e0d1c1e
              • Opcode Fuzzy Hash: 2be8783471f103a2e7b0a3247782e31649c80c4bfdaa3e3ef5bb478742f3fd3b
              • Instruction Fuzzy Hash: 2A31F232600015BFDB00ABA9CC85CFF7BBCEF45318B05857EF815A7292DA349D018BA8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,00000000,?,00000000,00408428,?,00000000,?), ref: 00409440
              • malloc.MSVCRT ref: 00409456
              • memset.MSVCRT ref: 00409461
              • memcpy.MSVCRT ref: 0040946C
              • ??2@YAPAXI@Z.MSVCRT ref: 00409478
              • memset.MSVCRT ref: 00409485
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00408428,?,00000000,?,?,?,?,00000000), ref: 004094A2
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 004094B7
              • memset.MSVCRT ref: 004094E0
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 004094F7
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWide$memset$??2@mallocmemcpy
              • String ID:
              • API String ID: 2183845050-0
              • Opcode ID: b95907cfd1c81cb6068a7f26a08dd3af572009c5c8c64f4c9a32cad7615d6864
              • Instruction ID: bf4fb12a83a6a644ac51ec1bff87fe5b53c3366d5bd799ad73759d3de0013a38
              • Opcode Fuzzy Hash: b95907cfd1c81cb6068a7f26a08dd3af572009c5c8c64f4c9a32cad7615d6864
              • Instruction Fuzzy Hash: BB21FB3200E224BBC621AF578D88CAB7EACEF86774B14066EF45C611D2D639CD15C6F6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 433d27f7aa49e2ebf3f3feed35aa32e831c674a7c8f43311c6b53ec231a19035
              • Instruction ID: c78e5ecdf3608869ecdb14f678f354650e522e4a7e2167c422a0ea67726b7be8
              • Opcode Fuzzy Hash: 433d27f7aa49e2ebf3f3feed35aa32e831c674a7c8f43311c6b53ec231a19035
              • Instruction Fuzzy Hash: B5313E7290020A9FCF05DFFAC68598E7FB5AF05354B14886AFD04FB241D675EA218B90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ??2@YAPAXI@Z.MSVCRT ref: 0041121A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,null,?,?,?,00414142,?), ref: 004112A4
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,null,?,?,?,00414142,?), ref: 00411373
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,null,?,?,?,00414142,?), ref: 004113D6
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,null,?,?,?,00414142,?), ref: 004113FE
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: V12@$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@$??2@Tidy@?$basic_string@
              • String ID: BAA$BAA$null
              • API String ID: 377232485-1663065629
              • Opcode ID: b72e696ecfb4e41f0e429cc825819585dc4f96bca9c0c3fdc999b13eeb55c6a5
              • Instruction ID: ff7171748b27d35aa2cf279c7dc19e48ea115381f9a4b81e3869b4849d88fb5d
              • Opcode Fuzzy Hash: b72e696ecfb4e41f0e429cc825819585dc4f96bca9c0c3fdc999b13eeb55c6a5
              • Instruction Fuzzy Hash: 24716031600309AFEF14CF59D8C09EE77A2FB84364B24C52EEA5697765D735ED808B08
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 00411725
              • strlen.MSVCRT ref: 0041176E
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000,?,00000000,?,00000000,?,?), ref: 00411778
                • Part of subcall function 0040F26E: __EH_prolog.LIBCMT ref: 0040F273
                • Part of subcall function 0040F26E: strcmp.MSVCRT ref: 0040F329
                • Part of subcall function 0040F26E: ??2@YAPAXI@Z.MSVCRT ref: 0040F552
                • Part of subcall function 004120E0: __EH_prolog.LIBCMT ref: 004120E5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,?), ref: 004117BE
              • strlen.MSVCRT ref: 004117CA
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Syntax error: value, object or array expected.,00000000), ref: 004117D5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 004117FE
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$H_prolog$?assign@?$basic_string@Tidy@?$basic_string@V12@strlen$??2@strcmp
              • String ID: Syntax error: value, object or array expected.
              • API String ID: 1188988102-2056301242
              • Opcode ID: 38aeed347784a829ee8228125b619df2e19e10772ec8134dbb5ba74b9b112af3
              • Instruction ID: f3426f9662a0dea6e1e808c237ca9ad3d0c5b80bf0bcb4b84f9e714d84500a18
              • Opcode Fuzzy Hash: 38aeed347784a829ee8228125b619df2e19e10772ec8134dbb5ba74b9b112af3
              • Instruction Fuzzy Hash: CC519170E00208AADF28EBB5C455BEEB7B89B04354F00812FE626E32D1DF785A46C75D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • vsprintf.MSVCRT ref: 00404493
              • time.MSVCRT ref: 0040449B
              • ctime.MSVCRT ref: 004044D5
              • sprintf.MSVCRT ref: 004044E9
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00404500
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 00404512
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00404528
                • Part of subcall function 004045A7: fopen.MSVCRT ref: 004045CA
                • Part of subcall function 004045A7: fprintf.MSVCRT ref: 004045ED
                • Part of subcall function 004045A7: fprintf.MSVCRT ref: 004045F5
                • Part of subcall function 004045A7: fclose.MSVCRT ref: 004045F8
                • Part of subcall function 004045A7: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00404535), ref: 00404606
                • Part of subcall function 004045A7: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00404535), ref: 00404610
              Strings
              • -%s[[%-5s]:%-5s] %s:%d [%ld] , xrefs: 004044E3
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Tidy@?$basic_string@$V12@fprintf$??0?$basic_string@?assign@?$basic_string@D@1@@ctimefclosefopensprintftimevsprintf
              • String ID: -%s[[%-5s]:%-5s] %s:%d [%ld]
              • API String ID: 3660491776-2065196863
              • Opcode ID: 301a8259933dd7e5619c316ddb8fafddafa4810b733ccbbb29c076f63a9c575c
              • Instruction ID: 01495c8083dd4c3aabfb1b7f45cab9ed4c0ae6910017e02b3ff9ea0eb1716110
              • Opcode Fuzzy Hash: 301a8259933dd7e5619c316ddb8fafddafa4810b733ccbbb29c076f63a9c575c
              • Instruction Fuzzy Hash: 6E21F176900208BBDF029F64DC49BDA7BBDEB48300F0140A5F60597192DB74DB94CB95
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 0041052E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,opr_ocx.,00000000,00000000), ref: 0041054A
              • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(00000400,00000000), ref: 00410565
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 0041058F
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?), ref: 004105A3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?), ref: 004105B4
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?), ref: 004105CD
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@Grow@?$basic_string@H_prolog
              • String ID: opr_ocx.
              • API String ID: 2424781354-1858872728
              • Opcode ID: 0021c0527b40d181cb31055ceded9d4e3d4ddad26d2169de52d9f71158828582
              • Instruction ID: 755e17ae5dbdbda09aacbbe26277ec200646a74d99ff14d7a26e031c08dfd7c5
              • Opcode Fuzzy Hash: 0021c0527b40d181cb31055ceded9d4e3d4ddad26d2169de52d9f71158828582
              • Instruction Fuzzy Hash: 8A217F72900199BFDF01DBE5CC589DEBB78FF59305F05406EE902A3252CA789A48CB28
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #26.ATL(?,?), ref: 0040AECE
              • GetDeviceCaps.GDI32(?,00000002), ref: 0040AEF3
              • LPtoDP.GDI32(?,?,00000002), ref: 0040AF0E
              • SaveDC.GDI32(?), ref: 0040AF17
              • SetMapMode.GDI32(?,00000001), ref: 0040AF22
              • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 0040AF30
              • SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 0040AF3C
              • DeleteDC.GDI32(?), ref: 0040AF70
              • RestoreDC.GDI32(?,000000FF), ref: 0040AF81
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: CapsDeleteDeviceModeRestoreSaveViewportWindow
              • String ID:
              • API String ID: 2747499312-0
              • Opcode ID: fe9cb193b3b03caad306438264f590dd530948572fa76d3852ceb571f43e93b7
              • Instruction ID: 221aa5c28c9c904d07d2c2d1b8e32e26405d02073efefd6b12fb836ceb520d57
              • Opcode Fuzzy Hash: fe9cb193b3b03caad306438264f590dd530948572fa76d3852ceb571f43e93b7
              • Instruction Fuzzy Hash: CD317871800204EBCF14DF64DC89E9B7FBAFF89311F1181A9F901AA1A5C770C960CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 00411B4E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,00000000,?,0041173B,?,00000000,?,?), ref: 00411B6D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?,?,00000000,?,00000000,?,0041173B,?,00000000,?,?), ref: 00411B7C
              • strlen.MSVCRT ref: 00411BB0
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A624,00000000,?,?,00000000,?,00000000,?,0041173B,?,00000000,?,?), ref: 00411BBE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,00000000,?,0041173B,?,00000000,?,?), ref: 00411BD0
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?,?,00000000,?,00000000,?,0041173B,?,00000000,?,?), ref: 00411BDF
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(-0000002C,00000000,6CE35E04,?,00000000,?,00000000,?,0041173B,?,00000000,?,?), ref: 00411BFB
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,00000000,?,0041173B,?,00000000,?,?), ref: 00411C09
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$Tidy@?$basic_string@$?append@?$basic_string@?assign@?$basic_string@$H_prologstrlen
              • String ID:
              • API String ID: 2996055543-0
              • Opcode ID: 1e3907449511c4bcfc517fabea2eb39f5269dea10f7ee8eb02db78fb88ed877f
              • Instruction ID: 7fb74fbd4a97c4995c56fd44a9f7e1913052300974bc2c0416555ac77a8b0b7a
              • Opcode Fuzzy Hash: 1e3907449511c4bcfc517fabea2eb39f5269dea10f7ee8eb02db78fb88ed877f
              • Instruction Fuzzy Hash: BF213D31800149FFDF05DFA4D889BEEBB78EB15315F00C12AE966A62A1DB349A45CB24
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: strlen$??2@H_prologmemcpystrcmp
              • String ID: opr_ocx.
              • API String ID: 2669343690-1858872728
              • Opcode ID: 865aa216096be9f74924bce55e62e9e6c219682afaa331b02ab74f4558a5f818
              • Instruction ID: 6e6d3c1c01287180d2aeb6fa5e2e07f5cd62273c233d64ba9db98436bdf5a6e4
              • Opcode Fuzzy Hash: 865aa216096be9f74924bce55e62e9e6c219682afaa331b02ab74f4558a5f818
              • Instruction Fuzzy Hash: CCB19170600205DFCB24DF59C8919AEB7B5FF44314B24853EE816A76D2DB38ED49CB58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0040A7B1: GetProcAddress.KERNEL32(?,?), ref: 0040A7C1
                • Part of subcall function 0040A7B1: GetLastError.KERNEL32(00000000), ref: 0040A7CE
                • Part of subcall function 0040A7B1: sprintf.MSVCRT ref: 0040A802
                • Part of subcall function 0040A7B1: OutputDebugStringA.KERNEL32(?), ref: 0040A812
              • lstrlenW.KERNEL32(?), ref: 00408CB9
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 00408CDE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000002,00000000,00000000), ref: 00408CEE
              • strlen.MSVCRT ref: 00408CF5
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,00000002,00000000,00000000), ref: 00408D00
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,00000002,00000000,00000000), ref: 00408D27
              Strings
              • SetVideoAnalyseShapeShowName, xrefs: 00408C95
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@AddressByteCharDebugErrorLastMultiOutputProcStringV12@Widelstrlensprintfstrlen
              • String ID: SetVideoAnalyseShapeShowName
              • API String ID: 3031943547-3041944349
              • Opcode ID: 025b9fccfe8cacfe9cb9e47a0c235ff9e9a14ef3df077f2752e291563825fff7
              • Instruction ID: 98c728e7c754dfd432231011f11a2356523446399ec1adce931c6bbc7f0f7ab9
              • Opcode Fuzzy Hash: 025b9fccfe8cacfe9cb9e47a0c235ff9e9a14ef3df077f2752e291563825fff7
              • Instruction Fuzzy Hash: B821ACB2505149BFDF009FA4DD85CEFBB78EF14304B12453AF941A2291CA348E54CB69
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0040A7B1: GetProcAddress.KERNEL32(?,?), ref: 0040A7C1
                • Part of subcall function 0040A7B1: GetLastError.KERNEL32(00000000), ref: 0040A7CE
                • Part of subcall function 0040A7B1: sprintf.MSVCRT ref: 0040A802
                • Part of subcall function 0040A7B1: OutputDebugStringA.KERNEL32(?), ref: 0040A812
              • lstrlenW.KERNEL32(?), ref: 0040976E
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 00409793
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000002,00000000,00000000), ref: 004097A3
              • strlen.MSVCRT ref: 004097AA
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,00000002,00000000,00000000), ref: 004097B5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,00000002,00000000,00000000), ref: 004097DC
              Strings
              • SetVideoAnalyseContainerTip, xrefs: 0040974A
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@AddressByteCharDebugErrorLastMultiOutputProcStringV12@Widelstrlensprintfstrlen
              • String ID: SetVideoAnalyseContainerTip
              • API String ID: 3031943547-2667745567
              • Opcode ID: 86fd1a779827ec59ab8d1950a7c6577f80c702d3305bde67240acdb88c859045
              • Instruction ID: 689d53851a862ae7f99ce3f196465836cd919318441b2479c5f70e7dd592d88a
              • Opcode Fuzzy Hash: 86fd1a779827ec59ab8d1950a7c6577f80c702d3305bde67240acdb88c859045
              • Instruction Fuzzy Hash: 4F219076500149BFDF009FA4DC85CEFBB7CEB05318B12453AF901A3292D6349D55CB65
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 004040A3
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004040CA
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 004040DF
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404106
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040411B
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404142
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404156
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040417A
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: 01d821c1a5714e0dd29c05d4e6d0b033802cedddaa8df0636db640b8ee5df0cc
              • Instruction ID: 2220a9907b4bd8fd3e86d3e65863b39e15a3a2824153fec79beaaa9618314e0b
              • Opcode Fuzzy Hash: 01d821c1a5714e0dd29c05d4e6d0b033802cedddaa8df0636db640b8ee5df0cc
              • Instruction Fuzzy Hash: 68414BB180010DEFCF01DFA5DC81CEFBBA8EF59354B11456AFA00A72A1C6358E60DBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00403F69
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00403F90
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00403FA5
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00403FCC
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00403FE1
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404008
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040401C
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00404040
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: f04a9d629c259117bc4980a11857f28aa70fbedc71fe8df593221be173ef6b63
              • Instruction ID: 59551c69a86fede333c1926dc57022830697d4d2aae05d3b7d44e3f6b45345e2
              • Opcode Fuzzy Hash: f04a9d629c259117bc4980a11857f28aa70fbedc71fe8df593221be173ef6b63
              • Instruction Fuzzy Hash: A9412BB180020AEFCB019F95DC81CAFBBA8EF45354B11456AF910A32A1C6358E60DBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 004079AC
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 004079D1
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000002,00000000,00000000), ref: 004079E1
              • strlen.MSVCRT ref: 004079E8
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,00000002,00000000,00000000), ref: 004079F3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000), ref: 00407A06
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 00407A1A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00407A3E
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@V12@$?assign@?$basic_string@$ByteCharMultiWidelstrlenstrlen
              • String ID:
              • API String ID: 1228629106-0
              • Opcode ID: 86184fb5647d3b477f581c9322028ca4181bd05806cda228a8a1da7f8760005c
              • Instruction ID: 07420ebc8712073ecc0167915188ae3103c972519c75e5ea29071eb95f0c5278
              • Opcode Fuzzy Hash: 86184fb5647d3b477f581c9322028ca4181bd05806cda228a8a1da7f8760005c
              • Instruction Fuzzy Hash: DD21CF35500159BFDB009FA8CC88CFFBBBCEF09314B06856AF815972A2CA309905CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • fopen.MSVCRT ref: 004045CA
              • fprintf.MSVCRT ref: 004045ED
              • fprintf.MSVCRT ref: 004045F5
              • fclose.MSVCRT ref: 004045F8
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00404535), ref: 00404606
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00404535), ref: 00404610
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00404535), ref: 00404639
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00404535), ref: 00404643
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@$fprintf$fclosefopen
              • String ID:
              • API String ID: 395384274-0
              • Opcode ID: 3a9b1915a5f60ee0e9baaf96112270636f31cce9b03de535f1e0a275ea30c63a
              • Instruction ID: 55e767c5c003a76bbc318cd56ded92ad1e5ac149e85f1e23de28757cfcbb1775
              • Opcode Fuzzy Hash: 3a9b1915a5f60ee0e9baaf96112270636f31cce9b03de535f1e0a275ea30c63a
              • Instruction Fuzzy Hash: 991181B1200105BFDB049F65DC94EFB3B68EB95755B06843AFA0687291EB39D841CB58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00401F18
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00401F3F
              • lstrlenW.KERNEL32(?), ref: 00401F5A
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00401F81
              • lstrlenW.KERNEL32(?), ref: 00401F9C
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00401FC0
              • GetCurrentThreadId.KERNEL32 ref: 00401FCB
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen$CurrentThread
              • String ID:
              • API String ID: 573374358-0
              • Opcode ID: c6d0bedc4733cfb5d5703da3d1db1d4b166ecdf15e5d1406a6c951b2f6708cfd
              • Instruction ID: 9d10071a2c40a507ae6b6672fd72a5c47dca7f5552b712d162fadb977389f772
              • Opcode Fuzzy Hash: c6d0bedc4733cfb5d5703da3d1db1d4b166ecdf15e5d1406a6c951b2f6708cfd
              • Instruction Fuzzy Hash: EA411BB1900109FFCF11DF95CC81CEE7BA8EF05364B1185AAF914A72A1D7359E51DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 00411FC4
                • Part of subcall function 0040EF0F: __EH_prolog.LIBCMT ref: 0040EF14
                • Part of subcall function 0040EF0F: ??2@YAPAXI@Z.MSVCRT ref: 0040EF5B
                • Part of subcall function 0040F26E: __EH_prolog.LIBCMT ref: 0040F273
                • Part of subcall function 0040F26E: strcmp.MSVCRT ref: 0040F329
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000,00000006,00000002,?,?), ref: 00412095
              • strlen.MSVCRT ref: 004120A1
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Missing ',' or ']' in array declaration,00000000,?,?), ref: 004120AC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,0000000C,00000004,?,?), ref: 004120D3
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@H_prologU?$char_traits@V?$allocator@$Tidy@?$basic_string@$??2@?assign@?$basic_string@V12@strcmpstrlen
              • String ID: Missing ',' or ']' in array declaration
              • API String ID: 3528417768-1780669529
              • Opcode ID: bc0ee38bc8a4e2dfa8fc03c40d9942e5211d6686ab848af4aa16fedac03aa34c
              • Instruction ID: c21a2237ddbc1bf7752ff516433ecb530ece281df4aa681836defa784da3ed3a
              • Opcode Fuzzy Hash: bc0ee38bc8a4e2dfa8fc03c40d9942e5211d6686ab848af4aa16fedac03aa34c
              • Instruction Fuzzy Hash: B5312870A00114EBCF24EB658915AEE7BB9AF49304F00022FE612E72D1DBBC4D86D75D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 00414A13
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000001,?,00000000,?,00000001,00000000,?,?), ref: 00414A2D
              • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,?,00000001,00000000,?,?), ref: 00414A49
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,00000000,?,00000001,00000000,?,?), ref: 00414A82
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,00000001,00000000,?,?), ref: 00414A98
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,00000001,00000000,?,?), ref: 00414AAD
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,00000001,00000000,?,?), ref: 00414ABE
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@V12@$?append@?$basic_string@?assign@?$basic_string@Grow@?$basic_string@H_prolog
              • String ID:
              • API String ID: 997563325-0
              • Opcode ID: 0b6b49e40f08733e555804992b2205f4286a6df6a04e72e0cccf43a6ba6cf277
              • Instruction ID: 5407f698c38b8d4ba821a6b16b27b293fb69a5982d4eb0ad26a56cf718ec91de
              • Opcode Fuzzy Hash: 0b6b49e40f08733e555804992b2205f4286a6df6a04e72e0cccf43a6ba6cf277
              • Instruction Fuzzy Hash: D621A636940254EFCF218F94CC44ADEBBB4FF49751F05846AE896A7351C7389940CB58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00407A67
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 00407A8C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000002,00000000,00000000), ref: 00407AA2
              • strlen.MSVCRT ref: 00407AA9
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A194,00000000,?,00000002,00000000,00000000), ref: 00407AB4
              • strcmp.MSVCRT ref: 00407AD4
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000002,00000000,00000000), ref: 00407AEC
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@ByteCharMultiV12@Widelstrlenstrcmpstrlen
              • String ID:
              • API String ID: 1058162529-0
              • Opcode ID: 86fee3eece4506d29e54261549d72b418134119b3d2fe91e2c74f6636afd96ef
              • Instruction ID: 5a38519f13580b7c6feb697ee540e8ca7ec18bb5e5fbfe35874ca049bc2a669e
              • Opcode Fuzzy Hash: 86fee3eece4506d29e54261549d72b418134119b3d2fe91e2c74f6636afd96ef
              • Instruction Fuzzy Hash: 20210F32A08109BFDB009FA4DC84CEF7B78FB01324B12853AF811A7291D634AE10CB69
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00405256
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0040527D
              • lstrlenW.KERNEL32(?), ref: 00405298
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004052BF
              • lstrlenW.KERNEL32(?), ref: 004052DA
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004052FE
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: b22de90d61c4be30a0f46ec7dc0fdbd591d134a116f78e1946ac97c5a1b8c78f
              • Instruction ID: 090dba652bca40b475d60cb8f877eceda36f78a484d1e69671993c4b6a335ba9
              • Opcode Fuzzy Hash: b22de90d61c4be30a0f46ec7dc0fdbd591d134a116f78e1946ac97c5a1b8c78f
              • Instruction Fuzzy Hash: D23138B1800109FFCB019F95DC81CAFBBA8EF05364B1585AAF914AB2A1D7359E54CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 0040538C
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004053B3
              • lstrlenW.KERNEL32(?), ref: 004053CE
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004053F5
              • lstrlenW.KERNEL32(?), ref: 00405410
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00405434
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: a48cd8f2843703f26224f3c1b8fafee420564c13c87807a6484589b4cebc316e
              • Instruction ID: ffda2c20290496d33bd06f5bffd4ac28ceb971cd38a17118d5e505768752184c
              • Opcode Fuzzy Hash: a48cd8f2843703f26224f3c1b8fafee420564c13c87807a6484589b4cebc316e
              • Instruction Fuzzy Hash: 753138B1800109BFCB019FA5DC81CEFBBA8EF05364B1585AAF914A72A1D7359E54CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00403E69
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00403E90
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00403EA5
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00403ECC
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00403EE0
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00403F04
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: f27aa322afd130f5f7e6f42c0a62a196933db06edfe60f745a47332dde233057
              • Instruction ID: 7b2ae5a8138393dbc5ddbfcb7b9fa4a652157bcb7cec5b3fc28ac0fd86126430
              • Opcode Fuzzy Hash: f27aa322afd130f5f7e6f42c0a62a196933db06edfe60f745a47332dde233057
              • Instruction Fuzzy Hash: 533137B1804109FFCB01DFA5CC81CAEBBACEF15364B1185AAF915A72A1D6359E10DBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00407752
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00407779
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 0040778E
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004077B5
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004077C9
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004077ED
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: eb4e16a6c33d963ce0904d7ac3eea0100e6020fbdeff4697403f88fa3bdb5524
              • Instruction ID: f6d811184cfd023f81741450958c2996578f8329ce3e87fd63945fc5fa87036b
              • Opcode Fuzzy Hash: eb4e16a6c33d963ce0904d7ac3eea0100e6020fbdeff4697403f88fa3bdb5524
              • Instruction Fuzzy Hash: 32315BB580410DFFCB01DF95CC81CAEBBA8EF05364B1185AAF914A72A1C635AE50DF61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00403D71
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00403D98
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00403DAD
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00403DD4
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00403DE8
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00403E0C
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: 3f048baafaed0fa1b0762ae202be9ca54eb0a8387023f80ba3ebe635e1670276
              • Instruction ID: bc79fea1762bf7826b63b5d28d3d583ce80a8af403ff92d4ef53ad435bd88629
              • Opcode Fuzzy Hash: 3f048baafaed0fa1b0762ae202be9ca54eb0a8387023f80ba3ebe635e1670276
              • Instruction Fuzzy Hash: 053146B1800109FFCB01DFA5CC81CAEBFACEF05364B1185AAF814A72A1C6359E50DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IntersectRect.USER32(?,?,00000000), ref: 0040C944
              • EqualRect.USER32(?,?), ref: 0040C953
              • OffsetRect.USER32(?,?,?), ref: 0040C96C
              • CreateRectRgnIndirect.GDI32(?), ref: 0040C976
              • SetWindowRgn.USER32(?,00000000,00000001), ref: 0040C989
              • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000014), ref: 0040C9AB
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: Rect$Window$CreateEqualIndirectIntersectOffset
              • String ID:
              • API String ID: 3762251641-0
              • Opcode ID: 16fc1d836777b1c228eab15fe8e9602db32c6136c0f720c4023f2b5def680f02
              • Instruction ID: f994b6bf29377aa6d7d9c250cce781d36a5770a9e9e9fc530182c33481968a6c
              • Opcode Fuzzy Hash: 16fc1d836777b1c228eab15fe8e9602db32c6136c0f720c4023f2b5def680f02
              • Instruction Fuzzy Hash: 97211AB1600209EFDB11DFA8C9C8EABB7BCEB09314F058266BD05EB251D674ED04CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00405738
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00405760
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00405776
              • strlen.MSVCRT ref: 0040577D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 00405788
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004057C6
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@ByteCharMultiV12@Widelstrlenstrlen
              • String ID:
              • API String ID: 2916416124-0
              • Opcode ID: e66a429601e6d7aa39e43a9e07bb11fbc5d1d3283f6b8430e9ff701432a916ee
              • Instruction ID: 56c1ccdd30f8ed9a39a8fbd3ee449b9d69956eb4b5a4cbaf7cb5e38e10cc1d50
              • Opcode Fuzzy Hash: e66a429601e6d7aa39e43a9e07bb11fbc5d1d3283f6b8430e9ff701432a916ee
              • Instruction Fuzzy Hash: D721AC32500109EFDB00DFA4DC88CEF77B8EB04314F11817AF915AB2A1DA359E44CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 0041483C
                • Part of subcall function 004104B3: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,00000001,?,?,?,00414865,?,00000000,00000001,00000000,?), ref: 004104DE
                • Part of subcall function 004104B3: strlen.MSVCRT ref: 004104E5
                • Part of subcall function 004104B3: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,?,?,00414865,?,00000000,00000001,00000000,?), ref: 004104EF
                • Part of subcall function 00414A0E: __EH_prolog.LIBCMT ref: 00414A13
                • Part of subcall function 00414A0E: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000001,?,00000000,?,00000001,00000000,?,?), ref: 00414A2D
                • Part of subcall function 00414A0E: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,?,00000001,00000000,?,?), ref: 00414A49
                • Part of subcall function 00414A0E: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,00000000,?,00000001,00000000,?,?), ref: 00414A82
                • Part of subcall function 00414A0E: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,00000001,00000000,?,?), ref: 00414A98
                • Part of subcall function 00414A0E: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,00000001,00000000,?,?), ref: 00414AAD
                • Part of subcall function 00414A0E: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,00000001,00000000,?,?), ref: 00414ABE
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000000,00000001,00000000,?,?), ref: 00414885
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00414893
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004148A2
              • strlen.MSVCRT ref: 004148B1
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A624,00000000), ref: 004148BB
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$Tidy@?$basic_string@$?append@?$basic_string@$?assign@?$basic_string@H_prologstrlen$Grow@?$basic_string@
              • String ID:
              • API String ID: 3514380549-0
              • Opcode ID: dc9f91bf99ed985fbea12c4de236591e324fab80e3338289630fa8d9a23bfa33
              • Instruction ID: 64aca35458da4f6fc2fd25b280d09221b801835a712db6f2d29489da08fad543
              • Opcode Fuzzy Hash: dc9f91bf99ed985fbea12c4de236591e324fab80e3338289630fa8d9a23bfa33
              • Instruction Fuzzy Hash: 1311C672901204FFDB04DFA4D9859EEB77CEF49314F00856EF912A3281CB789984C768
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,00000001,?,?,?,00414865,?,00000000,00000001,00000000,?), ref: 004104DE
              • strlen.MSVCRT ref: 004104E5
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,?,?,00414865,?,00000000,00000001,00000000,?), ref: 004104EF
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,00000001,?,?,?,00414865,?,00000000,00000001,00000000,?), ref: 00410505
              • strlen.MSVCRT ref: 00410511
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000,?,?,?,00414865,?,00000000,00000001,00000000,?), ref: 0041051B
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@Tidy@?$basic_string@V12@strlen
              • String ID:
              • API String ID: 3576993065-0
              • Opcode ID: b8992a3fe93f37ac6783ec7503310d1e8ef81d7579b2885d2a36a8d72c8f7b75
              • Instruction ID: 19832b8d9be52c298ef8372dbf8dce202dd4819a3390cf5f945fb1318c00ed01
              • Opcode Fuzzy Hash: b8992a3fe93f37ac6783ec7503310d1e8ef81d7579b2885d2a36a8d72c8f7b75
              • Instruction Fuzzy Hash: 9301B535200150BFDB045B159805AEEBB6DDF89221F05815FFD4597342C7B8ED4287A8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • strlen.MSVCRT ref: 00414050
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000,00000000,?,00000001,00410584,?,?), ref: 0041405A
              • strlen.MSVCRT ref: 00414065
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000,?,00000001,00410584,?,?), ref: 00414070
                • Part of subcall function 00414837: __EH_prolog.LIBCMT ref: 0041483C
                • Part of subcall function 00414837: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000000,00000001,00000000,?,?), ref: 00414885
                • Part of subcall function 00414837: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00414893
                • Part of subcall function 00414837: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004148A2
                • Part of subcall function 00414837: strlen.MSVCRT ref: 004148B1
                • Part of subcall function 00414837: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A624,00000000), ref: 004148BB
                • Part of subcall function 004140B3: __EH_prolog.LIBCMT ref: 004140B8
                • Part of subcall function 004140B3: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000001,?,?), ref: 004140D0
                • Part of subcall function 004140B3: strlen.MSVCRT ref: 004140DC
                • Part of subcall function 004140B3: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 004140E7
                • Part of subcall function 004148D2: __EH_prolog.LIBCMT ref: 004148D7
                • Part of subcall function 004148D2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,0041B1F8,00000000,?,00000000,?,00000001,00000001,00000000,0041A664), ref: 0041491B
                • Part of subcall function 004148D2: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000001,00000001,00000000,0041A664), ref: 00414935
                • Part of subcall function 004148D2: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00414942
                • Part of subcall function 004148D2: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00414950
                • Part of subcall function 004148D2: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0041495E
                • Part of subcall function 004148D2: strlen.MSVCRT ref: 00414983
                • Part of subcall function 004148D2: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A624,00000000,?,00000002,00000001,00000000,0041A664), ref: 0041498E
                • Part of subcall function 004148D2: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000002,?,00000002,00000001,00000000,0041A664), ref: 004149C7
                • Part of subcall function 004148D2: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000002,00000001,00000000,0041A664), ref: 004149D5
                • Part of subcall function 004148D2: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000002,00000001,00000000,0041A664), ref: 004149E3
                • Part of subcall function 004148D2: strlen.MSVCRT ref: 004149ED
                • Part of subcall function 004148D2: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A624,00000000,?,00000002,00000001,00000000,0041A664), ref: 004149F7
              • strlen.MSVCRT ref: 0041409B
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A624,00000000,00000001,00000001,00000001,?,00000001,00410584,?,?), ref: 004140A5
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$V12@$Tidy@?$basic_string@$?append@?$basic_string@strlen$?assign@?$basic_string@H_prolog$D@2@@0@Hstd@@V10@@V?$basic_string@
              • String ID:
              • API String ID: 2527418902-0
              • Opcode ID: a3019196785749955d31b3d56ed0568bd33449cb48fd39cb5dcc6ba3c65d4508
              • Instruction ID: ff87d5a74dd160a0628fbce07063c7df7d02865908edc0d787a235f7ef9ce788
              • Opcode Fuzzy Hash: a3019196785749955d31b3d56ed0568bd33449cb48fd39cb5dcc6ba3c65d4508
              • Instruction Fuzzy Hash: EEF0CD362001102B96197727AC4987FA7BCDFD6B15750462FF84697291CF686C13857D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ??2@YAPAXI@Z.MSVCRT ref: 0040A38C
              • InterlockedIncrement.KERNEL32(004DB26C), ref: 0040A3AD
              • ??2@YAPAXI@Z.MSVCRT ref: 0040A3E0
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ??2@$IncrementInterlocked
              • String ID: @qA
              • API String ID: 4270603835-3089395043
              • Opcode ID: aaf0e2f2e8682076d3817b92b8539007f76af57e732432755cefc8f56a163610
              • Instruction ID: c7cf176ce6a6cf9688f9364073a31f093a4f4413f2b2bd1989ae5aaa6e39e24a
              • Opcode Fuzzy Hash: aaf0e2f2e8682076d3817b92b8539007f76af57e732432755cefc8f56a163610
              • Instruction Fuzzy Hash: 4331D135600304EBCB11DFA5C885A5DB7A1EB44784B20807AE905BB381C7B8DE52DB9A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: Paint$BeginClientRectmemset
              • String ID: <
              • API String ID: 3731648824-4251816714
              • Opcode ID: 7ca7fb9d541f63e562b110749feac407f4ac938680cbea10ca535ee06bb35434
              • Instruction ID: dfa057967a99309623e3b7c36728067c34b32820e43caadfd57f1b09edd34b8d
              • Opcode Fuzzy Hash: 7ca7fb9d541f63e562b110749feac407f4ac938680cbea10ca535ee06bb35434
              • Instruction Fuzzy Hash: 88111C72900208DFDB10DF98D844B9EBBF8FF48310F50842AE965E72A0EB74AA05CF54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • sprintf.MSVCRT ref: 00413BDA
              • strlen.MSVCRT ref: 00413BE4
              • strlen.MSVCRT ref: 00413C29
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00414191,?), ref: 00413C37
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: strlen$?append@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@sprintf
              • String ID: %#.16g
              • API String ID: 314243773-1598837462
              • Opcode ID: 2a3f58862fea6f32e8382656f449b7cc0911af53a55ca78faf28d83dfbb93ba1
              • Instruction ID: 2027033645b1b377e6a0549342e554a6d114a314a22caea5d87607f2ed626cde
              • Opcode Fuzzy Hash: 2a3f58862fea6f32e8382656f449b7cc0911af53a55ca78faf28d83dfbb93ba1
              • Instruction Fuzzy Hash: DA01DB7290414DAEDF15DF94D855AEBB7BDAB08301F444557E043F2182E63CDA84C7A9
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • Rectangle.GDI32(?,?,?,?,?), ref: 0040B19A
              • SetTextAlign.GDI32(?,0000001E), ref: 0040B1A5
              • lstrlenA.KERNEL32(ATL 3.0 : Plugin), ref: 0040B1B1
              • TextOutA.GDI32(?,?,?,ATL 3.0 : Plugin,00000000), ref: 0040B1D3
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: Text$AlignRectanglelstrlen
              • String ID: ATL 3.0 : Plugin
              • API String ID: 3833488612-1771386320
              • Opcode ID: aa4e5bfc8610f677e52275a39a2d6f51621abbcabb9a61f72eba017dbefc2280
              • Instruction ID: ea43059f3483d79ef399655e42493708b3eb366bb791efa7031a29fdf4eef1ab
              • Opcode Fuzzy Hash: aa4e5bfc8610f677e52275a39a2d6f51621abbcabb9a61f72eba017dbefc2280
              • Instruction Fuzzy Hash: 69F0E776100A02EFC711CF68ED49D86BBBAFF4C3113058929F696C2561C731F860DB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcAddress.KERNEL32(?,?), ref: 0040A7C1
              • GetLastError.KERNEL32(00000000), ref: 0040A7CE
              • sprintf.MSVCRT ref: 0040A802
              • OutputDebugStringA.KERNEL32(?), ref: 0040A812
              Strings
              • [FAILED]GetProcAddress(Handle = 0x%X, szName = %s), err = 0x%X, xrefs: 0040A7FC
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: AddressDebugErrorLastOutputProcStringsprintf
              • String ID: [FAILED]GetProcAddress(Handle = 0x%X, szName = %s), err = 0x%X
              • API String ID: 3797803845-565564598
              • Opcode ID: 357663db4c0ed52415c6ecadb754ff89fc7d60bc1505aa0546f5d3ec55cc63ff
              • Instruction ID: 9f9c18faec76b0a95021408d4e44f8e9992e2198c41105231fe814f028105796
              • Opcode Fuzzy Hash: 357663db4c0ed52415c6ecadb754ff89fc7d60bc1505aa0546f5d3ec55cc63ff
              • Instruction Fuzzy Hash: D3F062769002297BCF12AB68DC08BEA7F79EF44744F01C0B5FB05A6151D735CA158B89
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • strlen.MSVCRT ref: 00413DA3
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000,Point,0043B22C,00000000,00402C0E,?,?), ref: 00413DAD
                • Part of subcall function 00413DDE: __EH_prolog.LIBCMT ref: 00413DE3
              • strlen.MSVCRT ref: 00413DC6
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0041A624,00000000,?), ref: 00413DD0
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@strlen$?append@?$basic_string@?assign@?$basic_string@H_prolog
              • String ID: Point
              • API String ID: 363111783-1986321440
              • Opcode ID: 29561e25647fd0a883c0d8e147ba4b29a1c12a434872d3704731c8235e3e1d0a
              • Instruction ID: d6154a8598a6097bc26724d412197633fa02cad14a911f6deba1fec295f7ce07
              • Opcode Fuzzy Hash: 29561e25647fd0a883c0d8e147ba4b29a1c12a434872d3704731c8235e3e1d0a
              • Instruction Fuzzy Hash: 4BE0D8323010107FAA082B16AC48CBFB7ADDFE9725351453FF54597251CB695C53467D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #31.ATL(?,?,004171C0), ref: 0040BCF8
              • #31.ATL(?,?,00417180), ref: 0040BD26
              • OleCreatePropertyFrame.OLEAUT32(?,?,?,?,00000001,?,?,?,?,00000000,00000000), ref: 0040BD77
              • CoTaskMemFree.OLE32(?), ref: 0040BD83
              • CoTaskMemFree.OLE32(?), ref: 0040BD91
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: FreeTask$CreateFrameProperty
              • String ID:
              • API String ID: 1721221822-0
              • Opcode ID: 808a19d633bcc69cbce375a1c90a354674d3768161cdd8330270fa4f28cfa600
              • Instruction ID: 1db372b4e93d79b962bc5a8b7fd0d9088e232606294fc530847fc5226d67d9cd
              • Opcode Fuzzy Hash: 808a19d633bcc69cbce375a1c90a354674d3768161cdd8330270fa4f28cfa600
              • Instruction Fuzzy Hash: 6B51AB75A00209AFCF00DFD4C8889AEBBB9FF88304B244479E505EB250D779ED45DB98
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnterCriticalSection.KERNEL32(004DB274), ref: 0040B25E
              • LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0040B281
              • #30.ATL(?,?,?,?), ref: 0040B2D8
              • LeaveCriticalSection.KERNEL32(004DB274), ref: 0040B32A
              • #58.ATL(004DB258,0040B34A), ref: 0040B33B
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: CriticalSection$EnterLeaveLoadType
              • String ID:
              • API String ID: 178205823-0
              • Opcode ID: 41fd4ef754dc568bcd80cfd91a1a51473228a42548cab5c71c6ae285ba72def3
              • Instruction ID: 78636f7d47f4c7d6c64e9b627faa5ea6f0f999686f76918642f8f1443356c42b
              • Opcode Fuzzy Hash: 41fd4ef754dc568bcd80cfd91a1a51473228a42548cab5c71c6ae285ba72def3
              • Instruction Fuzzy Hash: 2D312175600604EFCB10DFA5C888C9EBBBAEF88714720846AF94AD7250D775DE41CF98
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 0040D9D2
              • GetWindowLongA.USER32(?,000000FC), ref: 0040D9E8
              • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 0040D9FC
              • GetWindowLongA.USER32(?,000000FC), ref: 0040DA15
              • SetWindowLongA.USER32(?,000000FC,?), ref: 0040DA24
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: Window$Long$CallProc
              • String ID:
              • API String ID: 513923721-0
              • Opcode ID: cd04a1a1eaa52453d14ca6b5fc510f45f51153d43a2dee736fb28aaecd5c655f
              • Instruction ID: 3eff57f1387d7edcac15222de6d75ed9a511ca31c867c84817ccbe341bb360ed
              • Opcode Fuzzy Hash: cd04a1a1eaa52453d14ca6b5fc510f45f51153d43a2dee736fb28aaecd5c655f
              • Instruction Fuzzy Hash: 41310875900609AFCB21DF59D94489BBBB5FF48320B10C62EF86AA76A0D731EA14DF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 004102EF
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?), ref: 00410364
              • strlen.MSVCRT ref: 0041036D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 0041037A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?), ref: 00410398
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@H_prologV12@strlen
              • String ID:
              • API String ID: 4019369772-0
              • Opcode ID: 6f325f757b9481fabddcef8a9b1624a1f463339fd45b5373ac3da3cc926d120f
              • Instruction ID: df92e3638f27d0ec2fe105dbcbd1d53dce97e7901431b0d11b964e472b138dfd
              • Opcode Fuzzy Hash: 6f325f757b9481fabddcef8a9b1624a1f463339fd45b5373ac3da3cc926d120f
              • Instruction Fuzzy Hash: C5317675800249EFCB04EFA9C4908EDFFB4AF18314F1480AEE45AA7292C7749A84CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00403A5A
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00403A82
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00403AA3
              • strlen.MSVCRT ref: 00403AAC
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 00403AB8
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@ByteCharMultiTidy@?$basic_string@V12@Widelstrlenstrlen
              • String ID:
              • API String ID: 2299216912-0
              • Opcode ID: b010387a07ca37a163e58e9858799910c45edd7f1e17b635614ccd77031cea1c
              • Instruction ID: 35031079f58b6e1e66056209feab9c0805181ff5b4178aff79d32142b0470797
              • Opcode Fuzzy Hash: b010387a07ca37a163e58e9858799910c45edd7f1e17b635614ccd77031cea1c
              • Instruction Fuzzy Hash: 27119D31200049BFCF109FA6DC488DEBFADEF04365B01C62AF9699A261C7359A14CFA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • wcslen.MSVCRT ref: 0040EA9E
              • ??2@YAPAXI@Z.MSVCRT ref: 0040EAA8
              • WideCharToMultiByte.KERNEL32(00000000,00000000,0043B22C,000000FF,00000000,00000002,00000000,00000000,74DEDFF0,0043B22C,?,00000000,0040587E,?), ref: 0040EACA
              • GetLastError.KERNEL32(?,00000000,0040587E,?), ref: 0040EADA
              • GetLastError.KERNEL32(?,00000000,0040587E,?), ref: 0040EAE0
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ErrorLast$??2@ByteCharMultiWidewcslen
              • String ID:
              • API String ID: 4023285909-0
              • Opcode ID: 418a82768bb3a5c87f16d8ddd2d09abeb71f371b98a30b11bfb0e214ba8a2b01
              • Instruction ID: 777755f961715681d875360416b720029b5bef3fc5e0d88beeb632e70889923f
              • Opcode Fuzzy Hash: 418a82768bb3a5c87f16d8ddd2d09abeb71f371b98a30b11bfb0e214ba8a2b01
              • Instruction Fuzzy Hash: B2F0D1322041167DD62066B75C84D7BBA4CEA893A83164E3EF511E21C2E82CDC208579
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • sprintf.MSVCRT ref: 00402047
              • ??2@YAPAXI@Z.MSVCRT ref: 00402059
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040206E
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 00402086
              • PostMessageA.USER32(?,00000401,?,00000000), ref: 00402098
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@$??2@?assign@?$basic_string@MessagePostTidy@?$basic_string@sprintf
              • String ID:
              • API String ID: 3481793210-0
              • Opcode ID: aba2b519b78d8ad47a56343a6d8f3fa28e205d71a1ba39d60d3118e0f67b572f
              • Instruction ID: 74e10affc24d163e0163441c6fc412ab83be71af63aef7567402c80617cc8976
              • Opcode Fuzzy Hash: aba2b519b78d8ad47a56343a6d8f3fa28e205d71a1ba39d60d3118e0f67b572f
              • Instruction Fuzzy Hash: AA01B135501254BBCF211F64DC09FDE7F69AB04710F048036FD456A2E1C6B58960DB89
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 004147C3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000001), ref: 004147DD
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(?,00000020), ref: 004147E9
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 00414803
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00414812
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$Tidy@?$basic_string@$?append@?$basic_string@?assign@?$basic_string@H_prolog
              • String ID:
              • API String ID: 1152215417-0
              • Opcode ID: 358ac6ca0abf98a60e828ad49ad76bd9249a18cb9794ea672d0964b1dbad1235
              • Instruction ID: 7d5023c683be9641664d7dfc62903cf31792e57eb622c25001495d2b3037c096
              • Opcode Fuzzy Hash: 358ac6ca0abf98a60e828ad49ad76bd9249a18cb9794ea672d0964b1dbad1235
              • Instruction Fuzzy Hash: E9016D36900258EFDF10DB94DC09BDD7B78FB49710F014269E512A32A1CB74A504CB24
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: String$??2@Free
              • String ID: `<u`j>u
              • API String ID: 3858531411-3301984005
              • Opcode ID: 56e917dd1601fde0b889653784d041811d1ae811b844fd381d37061ed67937ae
              • Instruction ID: 7792516886fff402a01b6298623eda2c5c0bba1310f845ec314fa6a4843ccee3
              • Opcode Fuzzy Hash: 56e917dd1601fde0b889653784d041811d1ae811b844fd381d37061ed67937ae
              • Instruction Fuzzy Hash: 30415275600205EFCB14CFA9D884D9AB7F9FF88304710856EE806D7351D735EA45CBA8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,004FB360,00404554,00404436,Plugin-Info,D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\WebActiveEXE\Plugin.cpp,00000619,00000000), ref: 00404579
              • strlen.MSVCRT ref: 00404590
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(C:\pluin-log.txt,00000000,?,?,?,004FB360,00404554,00404436,Plugin-Info,D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\WebActiveEXE\Plugin.cpp,00000619,00000000), ref: 0040459A
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@Tidy@?$basic_string@V12@strlen
              • String ID: C:\pluin-log.txt
              • API String ID: 3576993065-3013558404
              • Opcode ID: 37860a0cf28218f1109ace50f13412653f96adce603d988340bce38bcd8dacdd
              • Instruction ID: c4090dc84fc881747e8f76891c8c3b3fc6721705b47ec01cb0afca2d9e8ab063
              • Opcode Fuzzy Hash: 37860a0cf28218f1109ace50f13412653f96adce603d988340bce38bcd8dacdd
              • Instruction Fuzzy Hash: FEE065B62053406F97140F5E98844A7FBECEE99211395497FF58AC3202C67098458764
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 0040441B
                • Part of subcall function 00404456: vsprintf.MSVCRT ref: 00404493
                • Part of subcall function 00404456: time.MSVCRT ref: 0040449B
                • Part of subcall function 00404456: ctime.MSVCRT ref: 004044D5
                • Part of subcall function 00404456: sprintf.MSVCRT ref: 004044E9
                • Part of subcall function 00404456: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00404500
                • Part of subcall function 00404456: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 00404512
                • Part of subcall function 00404456: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00404528
              Strings
              • CPlugin::LogoutDevice, xrefs: 00404416
              • Plugin-Info, xrefs: 0040442C
              • D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\WebActiveEXE\Plugin.cpp, xrefs: 00404427
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$V12@$??0?$basic_string@?assign@?$basic_string@CurrentD@1@@ThreadTidy@?$basic_string@ctimesprintftimevsprintf
              • String ID: CPlugin::LogoutDevice$D:\jk_win7\workspace\NVR_DH3.1373_X86_64_Windows\tmp_build_dir\webplugin\WebActiveEXE\Plugin.cpp$Plugin-Info
              • API String ID: 2994755218-4264486950
              • Opcode ID: 82f86c1e6cdae272c4de8736d293076c2a0a88f71fa9873a20409f3e862b800d
              • Instruction ID: c6a66f0237d29460550db1781a9c51db4e00fcf9726827f7744cea0fe38e3f68
              • Opcode Fuzzy Hash: 82f86c1e6cdae272c4de8736d293076c2a0a88f71fa9873a20409f3e862b800d
              • Instruction Fuzzy Hash: 80E0D8F1705300BBC600EB30CC09FA637A5AFD0709B5180AAB54AA72D2C638C950C72F
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • strlen.MSVCRT ref: 00413C52
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(true,00000000,?,004141BA,?,00000000), ref: 00413C5E
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ?append@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@strlen
              • String ID: false$true
              • API String ID: 188033960-2658103896
              • Opcode ID: 09608899c677f36e583d51aa7e79c18a22096e1a4f82df748b5b4a1bab745e2d
              • Instruction ID: 285b43018d5f48faee3db2c42cbe9b84d2fedcc083da800add6f83d925406a7c
              • Opcode Fuzzy Hash: 09608899c677f36e583d51aa7e79c18a22096e1a4f82df748b5b4a1bab745e2d
              • Instruction Fuzzy Hash: 4ED0223284B2203AEB041310F808AEB2B8C8FC9328F0180AFF80C66141C72C4CD243DE
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: Focus$ChildShowWindow
              • String ID:
              • API String ID: 2299317540-0
              • Opcode ID: 0d3ebbdf302155febb654ab361858526502686c81fc91f73a9badd6ac960dd3f
              • Instruction ID: 6af457c1eb50e7ec685381e32115ebcbdc35fc08bd818a55b966036efe8dfaab
              • Opcode Fuzzy Hash: 0d3ebbdf302155febb654ab361858526502686c81fc91f73a9badd6ac960dd3f
              • Instruction Fuzzy Hash: EEA11B71600205EFCB24DF94C8889ABB7B9EF88704B14496EF656EB290C735EC45CB98
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00405805
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0040582C
              • lstrlenW.KERNEL32(?), ref: 00405847
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0040586B
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: b8702ec5aafcd76b66127a9c0240f30eadaca85776beeef7903d5b1b1a84fd60
              • Instruction ID: 471e8e9e16c3e85aa2cf98b8a802412e063d33dc62f9e08e1e7d11ea79568c66
              • Opcode Fuzzy Hash: b8702ec5aafcd76b66127a9c0240f30eadaca85776beeef7903d5b1b1a84fd60
              • Instruction Fuzzy Hash: 7F31A072900008BFDB01AF55DC81CAF7BA9EF45364B11857AFD04AB291C7358E50CFA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00404944
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0040496B
              • lstrlenW.KERNEL32(?), ref: 00404986
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004049AA
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: 3b6b9fe25fae935c8d177943fc785477ad8b70fad4ed40e94d83fb7c71b74553
              • Instruction ID: 548fdead7774c51d16992b13bdbf504fa6314fd114eeaedb9ed0f618461a95b5
              • Opcode Fuzzy Hash: 3b6b9fe25fae935c8d177943fc785477ad8b70fad4ed40e94d83fb7c71b74553
              • Instruction Fuzzy Hash: 962157B1800109AFCF11DFA5DC81CEF7BA8EF59354B1145BAF904A72A1C7369E60CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00404277
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0040429E
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 004042B2
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004042D6
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: afeec3c865a03277f3c7810d1b943373e2c0bda5318b6aa648c9c19abfaaf7e0
              • Instruction ID: c88a29b9c463f6b1d4506d06117b4ebb6f32c9da4c27a16bd6f64772ff1ceaaa
              • Opcode Fuzzy Hash: afeec3c865a03277f3c7810d1b943373e2c0bda5318b6aa648c9c19abfaaf7e0
              • Instruction Fuzzy Hash: D2217EB190011AEFCB00DF95DC81C9FBBA8EF54394B11457AF900A7290D3359E61CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 004074EB
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00407512
              • lstrlenW.KERNEL32(?), ref: 0040752D
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00407551
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: 15f9d2d2f8e3852494d4d6fe6816772a7568c24550eb1e46f8ddce99b84b27d8
              • Instruction ID: 1e823c9c65368b85680ec6cb4680a25b78d086d690703c5468c38511dcabaab2
              • Opcode Fuzzy Hash: 15f9d2d2f8e3852494d4d6fe6816772a7568c24550eb1e46f8ddce99b84b27d8
              • Instruction Fuzzy Hash: 5A215A71800209BFCF019F94DC81CEF7BA9FF09354B1545AAF914A7261D7359E60CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00409543
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0040956A
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 0040957E
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004095A2
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              • Opcode ID: fb41746706baf5f4f9d2da203092dd4b3c3dcad9bf6520d7c702832de1e32371
              • Instruction ID: 8a5f17a8df33602a160e1f04a5a4e4f53de17c5ff48b0b2f4ae9f566b06fa931
              • Opcode Fuzzy Hash: fb41746706baf5f4f9d2da203092dd4b3c3dcad9bf6520d7c702832de1e32371
              • Instruction Fuzzy Hash: 48216BB6800109FFCF029F95CC81CEFBBA8EF19354B11456AF811A32A1C6359E61DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00405674
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0040569B
              • lstrlenW.KERNEL32(?), ref: 004056B6
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004056DA
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00408172
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00408199
              • lstrlenW.KERNEL32(?), ref: 004081B4
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004081D8
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00407DFA
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00407E21
              • lstrlenW.KERNEL32(?), ref: 00407E3C
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00407E60
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00408609
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00408630
              • lstrlenW.KERNEL32(?), ref: 0040864B
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0040866F
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 004037A0
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 004037C7
              • lstrlenW.KERNEL32(?), ref: 004037E2
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00403806
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 0040784F
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00407876
              • lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 0040788A
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004078AE
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?), ref: 00407019
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00407040
              • lstrlenW.KERNEL32(?), ref: 0040705B
              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0040707F
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ByteCharMultiWidelstrlen
              • String ID:
              • API String ID: 3109718747-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: mallocmemset
              • String ID:
              • API String ID: 2882185209-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(?), ref: 0040C138
              • GetFocus.USER32 ref: 0040C163
              • IsChild.USER32(00000000,00000000), ref: 0040C16B
              • SetFocus.USER32(00000000), ref: 0040C176
                • Part of subcall function 0040BE1F: ShowWindow.USER32(?,00000005,?,?), ref: 0040BF64
                • Part of subcall function 0040BE1F: GetFocus.USER32 ref: 0040BF6A
                • Part of subcall function 0040BE1F: IsChild.USER32(?,00000000), ref: 0040BF76
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: Focus$Child$ParentShowWindow
              • String ID:
              • API String ID: 4211443192-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ??2@YAPAXI@Z.MSVCRT ref: 00410D62
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(00000000,?,?,00000000,00000000,?,0040F10D,?,?,?,?,004101FB,004FB330,?,?,00000000), ref: 00410D7C
              • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,00000000,?,0040F10D,?,?,?,?,004101FB,004FB330,?,?,00000000,?), ref: 00410DA6
              • ??2@YAPAXI@Z.MSVCRT ref: 00410DC2
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ??2@Lockit@std@@$??0_??1_
              • String ID:
              • API String ID: 1660098694-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ??2@YAPAXI@Z.MSVCRT ref: 00409E4C
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,?,?,?,00401C66), ref: 00409E66
              • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,?,?,?,00401C66), ref: 00409E90
              • ??2@YAPAXI@Z.MSVCRT ref: 00409EAC
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ??2@Lockit@std@@$??0_??1_
              • String ID:
              • API String ID: 1660098694-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00404728
              • strlen.MSVCRT ref: 00404734
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 0040473F
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 0040477B
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@V12@strlen
              • String ID:
              • API String ID: 3300155527-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004047A7
              • strlen.MSVCRT ref: 004047B3
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(0043B22C,00000000), ref: 004047BE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004047F7
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@V12@strlen
              • String ID:
              • API String ID: 3300155527-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 00412BA1
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BB9
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BDB
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 00412BFC
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@V12@$?assign@?$basic_string@H_prolog
              • String ID:
              • API String ID: 1625498910-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00406E59
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04), ref: 00406E86
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00406E91
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00406EB7
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@
              • String ID:
              • API String ID: 2539282270-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00402492
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 004024A4
                • Part of subcall function 004010AE: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,004FB330), ref: 004010E2
                • Part of subcall function 004010AE: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 004010F6
                • Part of subcall function 004010AE: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401101
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04), ref: 004024C6
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004024D1
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$Tidy@?$basic_string@$?assign@?$basic_string@
              • String ID:
              • API String ID: 4029889826-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00408AEF
              • strlen.MSVCRT ref: 00408AF6
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(6CE36092,00000000), ref: 00408B01
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00408B1B
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@V12@strlen
              • String ID:
              • API String ID: 3300155527-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,0040A9FC), ref: 0040A970
              • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,0040A9FC), ref: 0040A983
              • CloseHandle.KERNEL32(?,?,?,?,0040A9FC), ref: 0040A99C
              • PostThreadMessageA.USER32(?,00000012,00000000,00000000), ref: 0040A9AC
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ObjectSingleWait$CloseHandleMessagePostThread
              • String ID:
              • API String ID: 3386540786-0
              • Opcode ID: eea31c2ed0687ccd3f06dab9a5f2e2dbafe8309546e90f9beccb3ffa9ec3cee1
              • Instruction ID: 56ccbbe1e0829ef216e9194611047eb88da632908b9016921f995fb1a52ddcc9
              • Opcode Fuzzy Hash: eea31c2ed0687ccd3f06dab9a5f2e2dbafe8309546e90f9beccb3ffa9ec3cee1
              • Instruction Fuzzy Hash: 7BF082B1100705ABEB302B359C40FD7BA64EF41351F06C53AF1E9A21A0CE315C15DB35
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowLongA.USER32(?,000000FC,004020B5), ref: 00401EC6
              • SetWindowLongA.USER32(?,000000EB), ref: 00401ED3
                • Part of subcall function 0040A7B1: GetProcAddress.KERNEL32(?,?), ref: 0040A7C1
                • Part of subcall function 0040A7B1: GetLastError.KERNEL32(00000000), ref: 0040A7CE
                • Part of subcall function 0040A7B1: sprintf.MSVCRT ref: 0040A802
                • Part of subcall function 0040A7B1: OutputDebugStringA.KERNEL32(?), ref: 0040A812
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: LongWindow$AddressDebugErrorLastOutputProcStringsprintf
              • String ID: CreateVideoWindow
              • API String ID: 1107554337-1361831524
              • Opcode ID: 2f4140a647caeccdf0fafc5cc6ac0e3d8285692db7020e92163a25d642997327
              • Instruction ID: 1be2e7de61af14f13dc3bd6ad1162517ad80c67c04d496e4e2d72ea9a2684cae
              • Opcode Fuzzy Hash: 2f4140a647caeccdf0fafc5cc6ac0e3d8285692db7020e92163a25d642997327
              • Instruction Fuzzy Hash: F0313C75600704AFC711DF64C848A9EBBF9FF88714F10896EE81AA73A0DB74A940CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 0040EF14
              • ??2@YAPAXI@Z.MSVCRT ref: 0040EF5B
                • Part of subcall function 00410D56: ??2@YAPAXI@Z.MSVCRT ref: 00410D62
                • Part of subcall function 00410D56: ??0_Lockit@std@@QAE@XZ.MSVCP60(00000000,?,?,00000000,00000000,?,0040F10D,?,?,?,?,004101FB,004FB330,?,?,00000000), ref: 00410D7C
                • Part of subcall function 00410D56: ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,00000000,?,0040F10D,?,?,?,?,004101FB,004FB330,?,?,00000000,?), ref: 00410DA6
                • Part of subcall function 00410D56: ??2@YAPAXI@Z.MSVCRT ref: 00410DC2
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: ??2@$Lockit@std@@$??0_??1_H_prolog
              • String ID: opr_ocx.
              • API String ID: 2778559348-1858872728
              • Opcode ID: 19c660dde8d70fa6c25e0195c8b761e6ecdb3e0484fff719ad79a14fcc400cf3
              • Instruction ID: 8c71158cc0fb2796c27a2fd84584671fa44360c79fdfadd6bea3cd8c6de2404e
              • Opcode Fuzzy Hash: 19c660dde8d70fa6c25e0195c8b761e6ecdb3e0484fff719ad79a14fcc400cf3
              • Instruction Fuzzy Hash: 9111C871604283AEC7259E5F80915BEFFA1EF45314B24883FD6D5E3BC1C6388891D71A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #43.ATL(004DB258,?), ref: 0040DA5E
              • CreateWindowExA.USER32(?,00000000,?,?,?,?,?,?,?,00000000,?,?), ref: 0040DAA7
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID: @
              • API String ID: 716092398-2766056989
              • Opcode ID: 11bce7290ba27d8597b57bb5be0c596f0cb04b8ecbf16b793f67155d87baf917
              • Instruction ID: d79e4b196ba401c32dd5e6492ecd7ca6e424c2026e5b4e7ca707213b8b6045fb
              • Opcode Fuzzy Hash: 11bce7290ba27d8597b57bb5be0c596f0cb04b8ecbf16b793f67155d87baf917
              • Instruction Fuzzy Hash: 6501E976500119AFCF108F55CC08EEB7BA9EB48350F068166FD19672A0D378DC64DBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.1650148058.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.1650093324.0000000000400000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650223517.0000000000416000.00000002.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650236708.000000000041A000.00000004.00000001.01000000.00000006.sdmp
              • Associated: 00000005.00000002.1650268406.00000000004FC000.00000002.00000001.01000000.00000006.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_400000_WebActiveEXE.jbxd
              Similarity
              • API ID: FreeString
              • String ID: `<u`j>u
              • API String ID: 3341692771-3301984005
              • Opcode ID: 2605a54924d90b2517a4a373d16bccb3eaea786a5e9737d377c2d570ec90464d
              • Instruction ID: e68626cdce94133752e28d987f90eb3bdcef18df549c455a0c506c41f37b3fce
              • Opcode Fuzzy Hash: 2605a54924d90b2517a4a373d16bccb3eaea786a5e9737d377c2d570ec90464d
              • Instruction Fuzzy Hash: A8F0C2332400505AC7362A58A848ADAB7A89F95390B0A047FF5C9A35F1CA7A59D4875C
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:0.9%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:0%
              Total number of Nodes:75
              Total number of Limit Nodes:4

              Control-flow Graph

              APIs
              • GetCommandLineA.KERNEL32(?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 0040336C
              • CoInitialize.OLE32(00000000), ref: 00403377
              • #16.ATL(0042A710,0040A380,?,?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 004033AF
              • memcpy.MSVCRT ref: 004033C8
              • GetCurrentThreadId.KERNEL32 ref: 004033D0
              • lstrcmpiA.KERNEL32(00000000,UnregServer), ref: 00403405
              • lstrcmpiA.KERNEL32(00000000,RegServer), ref: 00403415
              • #23.ATL(0042A710,00000064,00000000,00000000,00000000,?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 0040342C
              • #57.ATL(0042A710,00000001,00000000,?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 00403436
              • #23.ATL(0042A710,00000064,00000001,00000000,00000000,?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 00403448
              • #18.ATL(0042A710,00000001,00000000,?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 00403452
                • Part of subcall function 004032D7: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0042A710,00403461,?,?,00000000,?,?,?,?,004077C8), ref: 004032E2
              • #17.ATL(0042A710,00000004,00000001,?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 00403466
              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00403479
              • DispatchMessageA.USER32(?), ref: 00403483
              • #20.ATL(0042A710,?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 00403493
              • Sleep.KERNEL32(000003E8,?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 0040349E
              • #21.ATL(0042A710,?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 004034A5
              • CoUninitialize.OLE32(?,?,00000000,?,?,?,?,004077C8,00000000,?,0000000A), ref: 004034AB
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: Messagelstrcmpi$CommandCreateCurrentDispatchEventInitializeLineSleepThreadUninitializememcpy
              • String ID: RegServer$UnregServer
              • API String ID: 3768304277-1360048911
              • Opcode ID: 37ca2987d480284219432321686f43c704cb923013f8a19ec2c83e4b92248826
              • Instruction ID: 35c2de9df25bc321c15bc9a066ec378d068fb9d6a3c7278882ce79e5ad700868
              • Opcode Fuzzy Hash: 37ca2987d480284219432321686f43c704cb923013f8a19ec2c83e4b92248826
              • Instruction Fuzzy Hash: 9231A271601314BBD7109F61AE88E9B3E7CEF44792F01443AFA46B61D1CBB88505CBAD
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • #1116.MFC42(?,?,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009980
              • #1176.MFC42(?,?,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009985
              • #1575.MFC42(?,00000000,100146A8,00000000,?,?,?,?,?,?,10009C4D,?,?,?,?,?), ref: 10009999
              • #1168.MFC42(?,00000000,100146A8,00000000,?,?,?,?,?,?,10009C4D,?,?,?,?,?), ref: 100099A2
              • #1577.MFC42(?,00000000,100146A8,00000000,?,?,?,?,?,?,10009C4D,?,?,?,?,?), ref: 100099C0
              • #1182.MFC42(10015818,?,?,00000000,100146A8,00000000,?,?,?,?,?,?,10009C4D,?,?,?), ref: 100099D3
              • #823.MFC42(00000040,10015818,?,?,00000000,100146A8,00000000,?,?,?,?,?,?,10009C4D,?,?), ref: 100099DA
              • #342.MFC42(10015818,00000000,10015818,?,?,00000000,100146A8,00000000,?,?,?,?,?,?,10009C4D,?), ref: 100099E9
              • #1176.MFC42(?,00000000,100146A8,00000000,?,?,?,?,?,?,10009C4D,?,?,?,?,?), ref: 100099F8
              • #1243.MFC42(?,?,00000000,100146A8,00000000,?,?,?,?,?,?,10009C4D,?,?,?,?), ref: 10009A00
              • #1243.MFC42(10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A17
              • #1176.MFC42(10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A1E
              • #1168.MFC42(10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A26
              • #1197.MFC42(10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A39
              • #1570.MFC42(000000FF,10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A40
              • #1577.MFC42(000000FF,10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A45
              • #1253.MFC42(10015818,00000001,000000FF,10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A51
              • #6467.MFC42(10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A66
              • #1197.MFC42(10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A6B
              • #1570.MFC42(000000FF,10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A72
              • #1255.MFC42(?,000000FF,10014788,?,?,?,?,10009C4D,?,?,?,?,?,?), ref: 10009A7A
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #1176$#1168#1197#1243#1570#1577$#1116#1182#1253#1255#1575#342#6467#823
              • String ID:
              • API String ID: 2007088025-0
              • Opcode ID: 94bd283153c02a3dc6d51381ccdb4ef0adf95074709a207324888a0c84ff1d2f
              • Instruction ID: 42d277a46881edfe1b3e0c7f7a13674643067f0ebe192110d1df46b65cd45dd6
              • Opcode Fuzzy Hash: 94bd283153c02a3dc6d51381ccdb4ef0adf95074709a207324888a0c84ff1d2f
              • Instruction Fuzzy Hash: AB318039200201BFEB00EF65C846B6E77A4EF812E0B12811DF5145B6AADB74E841AB92
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
              • String ID:
              • API String ID: 801014965-0
              • Opcode ID: 8035e171e2d92617fc0f785749cbf1d14baed5ad9c4693008f397805df15f388
              • Instruction ID: 2cab60af51431c95479ac17960bdd69817c5c6388e9b41a2bd0064f6e5b52a6a
              • Opcode Fuzzy Hash: 8035e171e2d92617fc0f785749cbf1d14baed5ad9c4693008f397805df15f388
              • Instruction Fuzzy Hash: F04180B1D04308AFD7249FA4D949A697BB8FB09710F20413FE881B72D1D7786842CB5E
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CharNextA.USER32(0000000A,0000000A,00000000,004033F7,004077C8,0000000A,?,?,00000000,?,?,?,?,004077C8,00000000), ref: 0040334A
              • CharNextA.USER32(?,0000000A,00000000,004033F7,004077C8,0000000A,?,?,00000000,?,?,?,?,004077C8,00000000), ref: 00403351
              • CharNextA.USER32(?,0000000A,00000000,004033F7,004077C8,0000000A,?,?,00000000,?,?,?,?,004077C8,00000000), ref: 0040335F
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: CharNext
              • String ID:
              • API String ID: 3213498283-0
              • Opcode ID: baf08e98635e3eecfeca14d8e4628d33b8a5ea97a34ffd75b1aaba5ded54f05a
              • Instruction ID: 6647c2e3f89048baf71832f1353e3ebbf81337cf4af33af49e986f3fc4a2b2f2
              • Opcode Fuzzy Hash: baf08e98635e3eecfeca14d8e4628d33b8a5ea97a34ffd75b1aaba5ded54f05a
              • Instruction Fuzzy Hash: 1CE0652550425297D712AE35588077B6F9D4FC1762B2D447BDC54F7380DF39CD028659
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • #23.ATL(0042A710,00000066,?,00000000,00000000), ref: 00403241
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 291b74582a494d543c8a8d3d8ff99fc647f6b3e80f99a55ad05cf32ea7cebff5
              • Instruction ID: fe415aa11dd61ad0e2f9f7b1c92a70de936159d478a7d18b563c2a4d1b8ffaf9
              • Opcode Fuzzy Hash: 291b74582a494d543c8a8d3d8ff99fc647f6b3e80f99a55ad05cf32ea7cebff5
              • Instruction Fuzzy Hash: 05B012317C0300BBF9304B405E0BF0676716790F80F21C425B340780D045F25030C62E
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: SystemTimememcmp
              • String ID: d
              • API String ID: 2392500102-2564639436
              • Opcode ID: 51deb8df5fdc19a92ab4ac4be0bb657aca5605a300559009d0d4237773e23703
              • Instruction ID: dddfd3784a1c714f10f0163e154df3274f5ea3d29865eaf1e4e0509835865844
              • Opcode Fuzzy Hash: 51deb8df5fdc19a92ab4ac4be0bb657aca5605a300559009d0d4237773e23703
              • Instruction Fuzzy Hash: 852185715001196AEF5DCF68C9C56F97BF9EB14344F01006AEA01D90AAE67AC5C4D314
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000), ref: 100057C5
              • strlen.MSVCRT ref: 100057D1
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,?,00000000), ref: 100057DC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000), ref: 100057F6
              • strlen.MSVCRT ref: 100057FD
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,?,00000000), ref: 1000580B
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,?,?,00000000), ref: 10005831
              • strlen.MSVCRT ref: 1000583C
              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(10014054,00000000,00000000,?,?,00000000), ref: 10005850
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 10005860
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,?,?,00000000), ref: 10005889
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000), ref: 100058A2
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 100058AF
              • atoi.MSVCRT ref: 100058D4
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,00000000,00000004,?,?,?,00000000), ref: 100058FE
              • atoi.MSVCRT ref: 10005914
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000), ref: 10005924
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,00000004,00000002,?), ref: 1000593C
              • atoi.MSVCRT ref: 10005952
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005962
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,00000006,00000002,?), ref: 1000597A
              • atoi.MSVCRT ref: 10005990
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100059A0
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,00000008,00000002,?), ref: 100059B8
              • atoi.MSVCRT ref: 100059CE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100059DE
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,0000000A,00000002,?), ref: 100059F6
              • atoi.MSVCRT ref: 10005A0C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005A1C
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,0000000C,00000002,?), ref: 10005A34
              • atoi.MSVCRT ref: 10005A4A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005A5A
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,00000014,00000002,?), ref: 10005A72
              • atoi.MSVCRT ref: 10005A88
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(?,00000001), ref: 10005A9C
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,00000000,00000004,?), ref: 10005ABE
              • atoi.MSVCRT ref: 10005AD4
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005AE4
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,00000004,00000002,?), ref: 10005AFC
              • atoi.MSVCRT ref: 10005B12
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005B22
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,00000006,00000002,?), ref: 10005B3A
              • atoi.MSVCRT ref: 10005B50
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005B60
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(000000C4,0000000E,00000004,?), ref: 10005B95
              • atoi.MSVCRT ref: 10005BAB
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005BBB
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005BCC
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(000000C4,00000012,00000002), ref: 10005BDD
              • atoi.MSVCRT ref: 10005BF0
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005BFD
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005C0E
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(000000C4,00000014,00000002), ref: 10005C1F
              • atoi.MSVCRT ref: 10005C32
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005C3F
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005C50
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(000000C4,00000016,00000002), ref: 10005C61
              • atoi.MSVCRT ref: 10005C74
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005C81
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005C92
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(000000C4,00000018,00000002), ref: 10005CA3
              • atoi.MSVCRT ref: 10005CB6
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005CC3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005CD4
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(000000C4,0000001A,00000002), ref: 10005CE5
              • atoi.MSVCRT ref: 10005CF8
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005D05
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 10005D24
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 10005D2E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 10005D38
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Tidy@?$basic_string@$atoi$V12@$??0?$basic_string@D@1@@V01@$?assign@?$basic_string@$strlen$?find@?$basic_string@
              • String ID:
              • API String ID: 300726941-0
              • Opcode ID: 8721285d96960239e1d27155e83fee797a51e5c2e3797d078b43e69e26b433a3
              • Instruction ID: 64ddb9365ac1f46b1eef56fe5080993ac88bd30dbc38ac7ba90f2923f402f031
              • Opcode Fuzzy Hash: 8721285d96960239e1d27155e83fee797a51e5c2e3797d078b43e69e26b433a3
              • Instruction Fuzzy Hash: 8502F071A00269AFEB19DFA4CC89FEEB7B8FB08341F004559E516E7190EB74AA54CF50
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetWindowLongA.USER32(?,000000EB), ref: 004014DC
              • ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z.MSVCP60(00000003,00000001), ref: 00401545
              • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP60(?,0040A26C,?), ref: 0040155C
              • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 00401563
              • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP60 ref: 0040156D
              • ?str@?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ.MSVCP60(?), ref: 0040157D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000466,?), ref: 0040159A
              • ??1?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UAE@XZ.MSVCP60 ref: 004015A6
              • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP60 ref: 004015B2
              • DefWindowProcA.USER32(?,?,?,?), ref: 00401705
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: U?$char_traits@$D@std@@V?$allocator@$D@2@@std@@$D@std@@@std@@$??6?$basic_ostream@V01@Window$??0?$basic_stringstream@??1?$basic_ios@??1?$basic_stringstream@??6std@@?str@?$basic_stringbuf@D@2@@2@D@std@@@0@LongProcTidy@?$basic_string@V10@V?$basic_ostream@V?$basic_string@
              • String ID:
              • API String ID: 3520579391-0
              • Opcode ID: 9af81da463828a73f6f96e1d51c0cf2f6a40a70d09fc3585eff316cd120fd515
              • Instruction ID: 84f159e3f9d252a31eb5b739df941e5280b2a625148955ad29b74c3f7c7bdb74
              • Opcode Fuzzy Hash: 9af81da463828a73f6f96e1d51c0cf2f6a40a70d09fc3585eff316cd120fd515
              • Instruction Fuzzy Hash: 01B1CC31A0024A9BCF14AFA0EE49EAD3779FF44304F04447EF542B61E1EE759A46CB59
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • SelectObject.GDI32(?,?), ref: 10002915
              • SelectObject.GDI32(?,?), ref: 10002920
              • Polygon.GDI32(?,?,00000005), ref: 10002969
              • SelectObject.GDI32(?,?), ref: 10002975
              • SelectObject.GDI32(?,?), ref: 100029D6
              • SetTextColor.GDI32(?,?), ref: 100029E8
              • SetBkMode.GDI32(?,00000001), ref: 100029F3
              • SelectObject.GDI32(?,?), ref: 100029FF
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10002A0F
              • strlen.MSVCRT ref: 10002A1B
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000), ref: 10002A26
              • memset.MSVCRT ref: 10002A34
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: ObjectSelect$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@ColorModePolygonTextTidy@?$basic_string@V12@memsetstrlen
              • String ID: %d:%02d:%02d$2
              • API String ID: 2514488463-3051803528
              • Opcode ID: 2ed3e09824c0b2a7b9d9f76a173ced07c760604a7740a1daf41c257f343608bb
              • Instruction ID: 38830ebf29fb29036a63ce0232a4d8685dbc148e758549d1083d5b9a4acd67d0
              • Opcode Fuzzy Hash: 2ed3e09824c0b2a7b9d9f76a173ced07c760604a7740a1daf41c257f343608bb
              • Instruction Fuzzy Hash: 60D1F0B6D00218AFEF15CFA4CD85AEEBBB5FF08340F108069E505A6260DB75AA95DF50
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • BeginPaint.USER32(?,?), ref: 10006F30
              • GetClientRect.USER32(?,?), ref: 10006F40
              • CreateCompatibleDC.GDI32(?), ref: 10006F5B
              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 10006F69
              • SelectObject.GDI32(?,00000000), ref: 10006F7D
              • SelectObject.GDI32(?,?), ref: 10006F83
              • FillRect.USER32(?,?,?), ref: 10006F90
              • SelectObject.GDI32(?,?), ref: 10006F9A
              • CreateCompatibleDC.GDI32(?), ref: 10006FA6
              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 10006FB6
              • SelectObject.GDI32(?,00000000), ref: 10006FC3
              • SelectObject.GDI32(?,?), ref: 10006FCB
              • FillRect.USER32(?,00000000,?), ref: 10006FF2
              • SelectObject.GDI32(?,?), ref: 10006FFC
              • SetTextColor.GDI32(?,?), ref: 10007005
              • SetBkMode.GDI32(?,00000001), ref: 1000700E
              • SelectObject.GDI32(?,?), ref: 10007018
              • SelectObject.GDI32(?,?), ref: 10007021
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10007066
              • strlen.MSVCRT ref: 10007071
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000), ref: 10007080
                • Part of subcall function 10007630: sprintf.MSVCRT ref: 100076A5
                • Part of subcall function 10007630: strlen.MSVCRT ref: 100076DD
                • Part of subcall function 10007630: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 100076EB
              • DrawTextA.USER32(?,?,?,?,00000000), ref: 100070CA
              • DrawTextA.USER32(?,?,?,?,00000001), ref: 10007140
              • DrawTextA.USER32(?,?,?,?,00000002), ref: 1000718D
              • SelectObject.GDI32(?,?), ref: 10007199
              • SelectObject.GDI32(?,?), ref: 100071A1
              • BitBlt.GDI32(?,?,00000000,00000000,?,?,?,00000000,00CC0020), ref: 10007214
              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10007327
              • DeleteObject.GDI32(?), ref: 10007332
              • DeleteDC.GDI32(?), ref: 1000733D
              • DeleteObject.GDI32(?), ref: 10007342
              • DeleteDC.GDI32(?), ref: 10007347
              • EndPaint.USER32(?,?), ref: 10007353
              • ReleaseDC.USER32(?,?), ref: 1000735F
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000738E
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: Object$Select$CompatibleCreateD@2@@std@@D@std@@DeleteTextU?$char_traits@V?$allocator@$DrawRect$?assign@?$basic_string@BitmapFillPaintTidy@?$basic_string@V12@strlen$BeginClientColorModeReleasesprintf
              • String ID:
              • API String ID: 2574845443-0
              • Opcode ID: 5888305b2929526d2e02f138a5a9453c7f9ce581756569eaf058bc5d100bdba5
              • Instruction ID: b00126ce7e06819be3815c57b87a870fca58334f6560f84029f8d37d09fba13c
              • Opcode Fuzzy Hash: 5888305b2929526d2e02f138a5a9453c7f9ce581756569eaf058bc5d100bdba5
              • Instruction Fuzzy Hash: 2BF10375D00248AFEF15DFA4CD849EEBBB6FF48340F104469E646A7265CB36AE50DB10
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • __EH_prolog.LIBCMT ref: 1000EF00
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?), ref: 1000EF18
              • strlen.MSVCRT ref: 1000EF24
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000), ref: 1000EF2F
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000EF5E
              • strlen.MSVCRT ref: 1000EF6A
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(null,00000000), ref: 1000EF75
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?), ref: 1000EF93
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 1000F04F
              • strlen.MSVCRT ref: 1000F05B
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014690,00000000,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 1000F066
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 1000F093
              • strlen.MSVCRT ref: 1000F09F
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(1001468C,00000000,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 1000F0AA
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 1000F0C8
              • strlen.MSVCRT ref: 1000F0ED
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 1000F0F8
              • strlen.MSVCRT ref: 1000F12C
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60( : ,00000000,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 1000F13B
              • strlen.MSVCRT ref: 1000F15E
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014688,00000000,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 1000F16D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 1000F19E
              • strlen.MSVCRT ref: 1000F1AA
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014684,00000000,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 1000F1B5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 1000F1D3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000F1EE
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@strlen$?assign@?$basic_string@$?append@?$basic_string@$H_prolog
              • String ID: : $null
              • API String ID: 2305808220-2804279426
              • Opcode ID: 1166eb0e8781f730ec9532ebb696029bfd9b30c7a1ba077e20b40d579644f633
              • Instruction ID: 62b315a66865ae595197ce3cfcb2ff87f6ad618b14b60eed39bd7106b0ab8ab9
              • Opcode Fuzzy Hash: 1166eb0e8781f730ec9532ebb696029bfd9b30c7a1ba077e20b40d579644f633
              • Instruction Fuzzy Hash: FD918379900248ABEB15DBA4CD95AFE77B8EB09380F20411DF512E7286DF74AF04D761
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000A9A0
              • fputs.MSVCRT ref: 1000A9F9
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000AA06
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000AA17
              • strlen.MSVCRT ref: 1000AA23
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(integer out of signed integer range,00000000), ref: 1000AA2E
              • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 1000AA46
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 1000AA57
              • _CxxThrowException.MSVCRT(?,10011B50), ref: 1000AA72
              • _ftol.MSVCRT ref: 1000AA93
              • fputs.MSVCRT ref: 1000AABD
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000AACA
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000AADB
              • strlen.MSVCRT ref: 1000AAE7
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Real out of signed integer range,00000000), ref: 1000AAF2
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 1000AB09
              • _CxxThrowException.MSVCRT(?,10011B50), ref: 1000AB1B
              • fputs.MSVCRT ref: 1000AB4F
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000AB5F
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000AB70
              • strlen.MSVCRT ref: 1000AB7C
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Type is not convertible to int,00000000), ref: 1000AB87
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 1000AB9E
              • _CxxThrowException.MSVCRT(?,10011B50), ref: 1000ABB0
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@ExceptionThrowV12@fputsstrlen$??0runtime_error@std@@D@2@@1@@V?$basic_string@$??0?$basic_string@??0exception@@H_prologV01@@_ftol
              • String ID: Real out of signed integer range$Type is not convertible to int$integer out of signed integer range
              • API String ID: 1757128735-3748601619
              • Opcode ID: b62fd90c39a8f2e82b80cb867c850108d40309352f6ec5ef04f176efb288a0d1
              • Instruction ID: 17dc17d008c2c35cf6b71e0043e2a8eb4f705c9d842a78d15bc8dbbfea79f7b9
              • Opcode Fuzzy Hash: b62fd90c39a8f2e82b80cb867c850108d40309352f6ec5ef04f176efb288a0d1
              • Instruction Fuzzy Hash: FC518D35901259EFFB08DBA4CD99BDD7BB8FB09340F104189E005E72A1DB74EA94CB65
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000ABE9
              • fputs.MSVCRT ref: 1000AC38
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000AC45
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000AC56
              • strlen.MSVCRT ref: 1000AC62
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Negative integer can not be converted to unsigned integer,00000000), ref: 1000AC6D
              • ??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 1000AC85
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 1000AC96
              • _CxxThrowException.MSVCRT(?,10011B50), ref: 1000ACB1
              • _ftol.MSVCRT ref: 1000ACD9
              • fputs.MSVCRT ref: 1000AD03
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000AD10
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000AD21
              • strlen.MSVCRT ref: 1000AD2D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Real out of unsigned integer range,00000000), ref: 1000AD38
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 1000AD4F
              • _CxxThrowException.MSVCRT(?,10011B50), ref: 1000AD61
              • fputs.MSVCRT ref: 1000AD95
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000ADA5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000ADB6
              • strlen.MSVCRT ref: 1000ADC2
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Type is not convertible to uint,00000000), ref: 1000ADCD
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 1000ADE4
              • _CxxThrowException.MSVCRT(?,10011B50), ref: 1000ADF6
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@ExceptionThrowV12@fputsstrlen$??0runtime_error@std@@D@2@@1@@V?$basic_string@$??0?$basic_string@??0exception@@H_prologV01@@_ftol
              • String ID: Negative integer can not be converted to unsigned integer$Real out of unsigned integer range$Type is not convertible to uint
              • API String ID: 1757128735-1738163505
              • Opcode ID: c0ddf426eb0284de7da0faa8b2847941eda8fd5df05b3a01e58094de68b872f4
              • Instruction ID: a07cce283c9c7855acac58e76a56a22a1161548933f9613df765ecc0b38f46a4
              • Opcode Fuzzy Hash: c0ddf426eb0284de7da0faa8b2847941eda8fd5df05b3a01e58094de68b872f4
              • Instruction Fuzzy Hash: 14518C35901259AFFB08CBA4CC99BDD7BB8FB09344F104199E406E72A1DB74EA94CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005E84
              • strlen.MSVCRT ref: 10005E8D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 10005E9A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005EB3
              • strlen.MSVCRT ref: 10005EBF
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000), ref: 10005ECA
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?), ref: 10005EE7
              • strlen.MSVCRT ref: 10005EF3
              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(10014078,00000000,00000000), ref: 10005F00
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005F0D
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,?), ref: 10005F32
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 10005F4B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005F59
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,00000002,?), ref: 10005F85
              • atoi.MSVCRT ref: 10005F9B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005FA9
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005FBA
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000002,00000002), ref: 10005FCB
              • atoi.MSVCRT ref: 10005FDE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005FE8
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005FF9
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000004,00000002), ref: 1000600A
              • atoi.MSVCRT ref: 1000601D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006028
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10006039
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000006,00000002), ref: 1000604A
              • atoi.MSVCRT ref: 1000605D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006068
              • InvalidateRect.USER32(?,00000000,00000001), ref: 1000610E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006119
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006124
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$atoi$??0?$basic_string@D@1@@V01@strlen$?find@?$basic_string@InvalidateRect
              • String ID:
              • API String ID: 2248121034-0
              • Opcode ID: 36ff8809da159fe88a2030b9cab39fc6c2baa87e7f20220c9b9293fc48eac4bb
              • Instruction ID: 71a24ce6053ecbcbd3299ac70d6efc6b83806403e142a2effb289651c999decb
              • Opcode Fuzzy Hash: 36ff8809da159fe88a2030b9cab39fc6c2baa87e7f20220c9b9293fc48eac4bb
              • Instruction Fuzzy Hash: AF913B36900259AFEB14DFA0CC95BEEBBB8FF08340F148055F905EB191DB75AA95CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000CD87
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,?,?), ref: 1000CDA0
                • Part of subcall function 10009FD4: __EH_prolog.LIBCMT ref: 10009FD9
                • Part of subcall function 10009FD4: #823.MFC42(00000010,?,00000000,?,100062CD,00000000), ref: 1000A020
                • Part of subcall function 1000A304: __EH_prolog.LIBCMT ref: 1000A309
                • Part of subcall function 1000A304: strcmp.MSVCRT ref: 1000A3BF
                • Part of subcall function 1000A2A5: #825.MFC42(?,?,?,1000A66E,?,?), ref: 1000A2D1
              • strlen.MSVCRT ref: 1000CE2C
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,00000000,00000007,?,?), ref: 1000CE3B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,00000007,?,?), ref: 1000CF16
              • strlen.MSVCRT ref: 1000CF22
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Missing '}' or object member name,00000000,?,?), ref: 1000CF2D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000002,?,?), ref: 1000CF53
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?), ref: 1000CF62
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000002,00000005,?,?,?), ref: 1000CF94
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,00000005,?,?,?), ref: 1000CFA8
              • strlen.MSVCRT ref: 1000CFB4
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Missing ',' or '}' in object declaration,00000000,?,?), ref: 1000CFBF
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000002,?,?), ref: 1000CFE5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?), ref: 1000CFF4
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000005,?,?,?), ref: 1000D00C
              • strlen.MSVCRT ref: 1000D018
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Missing ':' after object member name,00000000,?,?), ref: 1000D023
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000002,?,?), ref: 1000D049
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?), ref: 1000D058
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@V12@strlen$H_prolog$#823#825strcmp
              • String ID: Missing ',' or '}' in object declaration$Missing ':' after object member name$Missing '}' or object member name
              • API String ID: 3171322426-3980781130
              • Opcode ID: c217843432585fbe31d2d6d7922ca177313769d71fb2d5bb7d636256725b7bfd
              • Instruction ID: bc608d5575c9d4ee50799e2507189d5d67a0d1e2625b138474b9a73960e3bcf7
              • Opcode Fuzzy Hash: c217843432585fbe31d2d6d7922ca177313769d71fb2d5bb7d636256725b7bfd
              • Instruction Fuzzy Hash: D681C334D0038CAFEF15DBE4C859EEDBBB9EF55380F04405AE452A729ACB345A49CB21
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000F22A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000F252
              • strlen.MSVCRT ref: 1000F25E
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(1001469C,00000000), ref: 1000F269
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?), ref: 1000F286
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?), ref: 1000F2AD
              • strlen.MSVCRT ref: 1000F2B9
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014698,00000000), ref: 1000F2C4
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?), ref: 1000F2E3
              • strlen.MSVCRT ref: 1000F366
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014688,00000000,00000000,?,?), ref: 1000F371
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,00000000,?,?), ref: 1000F39B
              • strlen.MSVCRT ref: 1000F3A7
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014694,00000000), ref: 1000F3B2
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@strlen$?assign@?$basic_string@$?append@?$basic_string@H_prolog
              • String ID:
              • API String ID: 2673005829-0
              • Opcode ID: b852321c3524d4456c11d4841889dd55462923147345b91757e556b0f6de3504
              • Instruction ID: 08f5b629be7f023f7a1a7559091d467804772e29f6e6738d3ccfc7166482e6f7
              • Opcode Fuzzy Hash: b852321c3524d4456c11d4841889dd55462923147345b91757e556b0f6de3504
              • Instruction Fuzzy Hash: 9561B038A00214AFEB18DFA8C8949BEBBB8FF45790F00411DF912E7295CB74AE41DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 1000C63C: __EH_prolog.LIBCMT ref: 1000C641
                • Part of subcall function 1000C63C: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,100062C2), ref: 1000C675
                • Part of subcall function 1000C63C: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,100062C2), ref: 1000C68C
                • Part of subcall function 10009FD4: __EH_prolog.LIBCMT ref: 10009FD9
                • Part of subcall function 10009FD4: #823.MFC42(00000010,?,00000000,?,100062CD,00000000), ref: 1000A020
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000), ref: 100062D7
              • strlen.MSVCRT ref: 100062E0
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 100062ED
                • Part of subcall function 1000C6B5: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,10006307,?,?,00000000), ref: 1000C6CB
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 10006314
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@H_prolog$#823strlen
              • String ID: BlankClick$ClearBeforeAdd$Enable$Flag$HoldingMousehandle$Params$Protocol$TimeAxesHolding
              • API String ID: 2014430763-3098657040
              • Opcode ID: 26fc4ce090e4292c974379bfc8117cf29b9655fe214fd415149d707e85cc9715
              • Instruction ID: d4270ca157f01c408c4d7a610fdefdfd49148e6ac4f3462b5935f185135d9ca7
              • Opcode Fuzzy Hash: 26fc4ce090e4292c974379bfc8117cf29b9655fe214fd415149d707e85cc9715
              • Instruction Fuzzy Hash: 3251B4369011496AFF04DBB0CDA6DFE77B9EF15280F504129F502A719AEE35AF48C760
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000A859
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,Protocol,00000000), ref: 1000A8B6
              • strlen.MSVCRT ref: 1000A8BD
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,Protocol,00000000), ref: 1000A8C7
              • fputs.MSVCRT ref: 1000A909
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000000), ref: 1000A916
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000A926
              • strlen.MSVCRT ref: 1000A932
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Type is not convertible to string,00000000), ref: 1000A93D
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 1000A94D
              • _CxxThrowException.MSVCRT(?,10011B50), ref: 1000A95C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,Protocol,00000000), ref: 1000A96C
              • strlen.MSVCRT ref: 1000A978
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,Protocol,00000000), ref: 1000A982
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@V12@strlen$??0runtime_error@std@@D@2@@1@@ExceptionH_prologThrowV?$basic_string@fputs
              • String ID: Protocol$Type is not convertible to string$false$true
              • API String ID: 375836627-1723942614
              • Opcode ID: 4336c76b27b1a15f03fb4698db5ad986991277cd4e87538b93c88e59dd432e7d
              • Instruction ID: 076726355bffdda36d586a03d691fc7adb2cf6a89e79c7bb640e52660b645fee
              • Opcode Fuzzy Hash: 4336c76b27b1a15f03fb4698db5ad986991277cd4e87538b93c88e59dd432e7d
              • Instruction Fuzzy Hash: 1131C435900158AFEB05DF94CCD48EDBBB8EF4A290B15811AF851E7215CF78ED82C765
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetTextColor.GDI32(?,?), ref: 10009559
              • SetBkMode.GDI32(?,00000001), ref: 10009562
              • SelectObject.GDI32(?,?), ref: 10009572
              • GetTextExtentPointA.GDI32(?,?,?,?), ref: 1000958D
              • CreateCompatibleDC.GDI32(?), ref: 100095D2
              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 100095E2
              • SelectObject.GDI32(?,00000000), ref: 100095EF
              • SelectObject.GDI32(?,?), ref: 100095F7
              • FillRect.USER32(?,00000000,?), ref: 10009617
              • SelectObject.GDI32(?,?), ref: 10009623
              • AlphaBlend.MSIMG32(?,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 10009650
              • memset.MSVCRT ref: 1000965E
              • DrawTextA.USER32(?,?,00000000,?,00000001), ref: 100096A9
              • SelectObject.GDI32(?,?), ref: 100096B5
              • DeleteObject.GDI32(?), ref: 100096BE
              • DeleteDC.GDI32(?), ref: 100096C7
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: Object$Select$Text$CompatibleCreateDelete$AlphaBitmapBlendColorDrawExtentFillModePointRectmemset
              • String ID: 2
              • API String ID: 2784704163-450215437
              • Opcode ID: a54b2b4c38ecb843fbf8a6b1a48686754bc0dc02f5c9960f5f946450768aa6db
              • Instruction ID: e78a028be37eaf0f78c521219be1610d2170771de5064a6025292840434ee47c
              • Opcode Fuzzy Hash: a54b2b4c38ecb843fbf8a6b1a48686754bc0dc02f5c9960f5f946450768aa6db
              • Instruction Fuzzy Hash: 3F511376D00218EFEF16DFA4CD85AEEBBB9FF08340F008459E501A6261D775AA54DF60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005561
              • strlen.MSVCRT ref: 1000556A
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 10005577
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005587
              • strlen.MSVCRT ref: 10005593
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000), ref: 1000559E
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?), ref: 100055CA
              • strlen.MSVCRT ref: 100055D6
              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(10014050,00000000,00000000), ref: 100055E2
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100055EF
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,00000000,?), ref: 1000560F
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 10005624
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000562F
              • memset.MSVCRT ref: 10005646
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,000000C4), ref: 10005656
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,000000C4), ref: 1000566A
                • Part of subcall function 100057A4: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000), ref: 100057C5
                • Part of subcall function 100057A4: strlen.MSVCRT ref: 100057D1
                • Part of subcall function 100057A4: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,?,00000000), ref: 100057DC
                • Part of subcall function 100057A4: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000), ref: 100057F6
                • Part of subcall function 100057A4: strlen.MSVCRT ref: 100057FD
                • Part of subcall function 100057A4: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,?,00000000), ref: 1000580B
                • Part of subcall function 100057A4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,?,?,00000000), ref: 10005831
                • Part of subcall function 100057A4: strlen.MSVCRT ref: 1000583C
                • Part of subcall function 100057A4: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(10014054,00000000,00000000,?,?,00000000), ref: 10005850
                • Part of subcall function 100057A4: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 10005860
                • Part of subcall function 100057A4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,?,?,00000000), ref: 10005889
                • Part of subcall function 100057A4: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000), ref: 100058A2
                • Part of subcall function 100057A4: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 100058AF
                • Part of subcall function 100057A4: atoi.MSVCRT ref: 100058D4
              • InvalidateRect.USER32(?,00000000,00000000,?,?), ref: 10005720
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005733
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000573E
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$strlen$??0?$basic_string@D@1@@V01@$?find@?$basic_string@$InvalidateRectatoimemset
              • String ID:
              • API String ID: 1946292974-0
              • Opcode ID: 9334078e7facf05aac47efb7915ef3f295724117f89e1da87c0400a8dd8ebaff
              • Instruction ID: c73365b77281acc8110e19452b33af843ba47685c33c8e76cac5b87a5bdb7dd9
              • Opcode Fuzzy Hash: 9334078e7facf05aac47efb7915ef3f295724117f89e1da87c0400a8dd8ebaff
              • Instruction Fuzzy Hash: 4B515A7580115AAFEF05CFE4CC94CEEBBB9EF08381F00801AF516A7165DB31AA55CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000D397
              • memcpy.MSVCRT ref: 1000D3C3
              • sscanf.MSVCRT ref: 1000D3DD
                • Part of subcall function 1000A304: __EH_prolog.LIBCMT ref: 1000A309
                • Part of subcall function 1000A304: strcmp.MSVCRT ref: 1000A3BF
                • Part of subcall function 1000A2A5: #825.MFC42(?,?,?,1000A66E,?,?), ref: 1000A2D1
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,-00000026), ref: 1000D3F5
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?), ref: 1000D402
              • sscanf.MSVCRT ref: 1000D41E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000D42E
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000D44E
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?), ref: 1000D459
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,100144E0,?), ref: 1000D470
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,' is not a number.,?,100144E0,?), ref: 1000D483
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000000,?,00000000), ref: 1000D4A6
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000D4B5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000D4C4
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@D@2@@0@H_prologHstd@@V12@V?$basic_string@sscanf$#825V10@V10@@memcpystrcmp
              • String ID: %lf$' is not a number.
              • API String ID: 4204887023-357672074
              • Opcode ID: 19f881cd909b2ee175daf4d60f29e4324d2fcd640a69463435f3538581d08e46
              • Instruction ID: 5b2ab89ad2f31ac64a73fb087f23b6a503478a2f7e368bd9e277c64564ee3baf
              • Opcode Fuzzy Hash: 19f881cd909b2ee175daf4d60f29e4324d2fcd640a69463435f3538581d08e46
              • Instruction Fuzzy Hash: 7D41A176900249EFEB04DBE0CC95BDEBBB8EF08354F044119F556E7295DB74AA88CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000D79D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000001,?,?,?,0000000C,00000000), ref: 1000D7B7
              • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000001,?,0000000C,00000000), ref: 1000D7CF
              • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,0000000C,00000000), ref: 1000D7DD
              • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000002,?,0000000C,00000000), ref: 1000D802
              • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,0000000C,00000000), ref: 1000D815
              • ?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,0000000C,00000000), ref: 1000D838
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,0000000C,00000000), ref: 1000D9AE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,0000000C,00000000), ref: 1000D9BF
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Freeze@?$basic_string@$?resize@?$basic_string@Tidy@?$basic_string@$??0?$basic_string@H_prologV01@@
              • String ID:
              • API String ID: 328737002-0
              • Opcode ID: 6ebb9cc603930feb627a4beb35367b9f3e26d87cda4153e55eb9b29f7d4f0d82
              • Instruction ID: 60fe5fbd45a5e486606f67182bad0858c95fa4a41fb2499553df8a6f9bc00120
              • Opcode Fuzzy Hash: 6ebb9cc603930feb627a4beb35367b9f3e26d87cda4153e55eb9b29f7d4f0d82
              • Instruction Fuzzy Hash: 39718231D11226DFEF05EB94CCD59EDB7B0FB09791F10822AE522A72A5C7389945CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000D5A4
              • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,0000000C,00000000), ref: 1000D5CA
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,0000000C,00000000), ref: 1000D6C0
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,0000000C,00000000), ref: 1000D6E5
              • strlen.MSVCRT ref: 1000D6F1
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Empty escape sequence in string,00000000,?,0000000C,00000000), ref: 1000D6FC
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,0000000C,00000000), ref: 1000D721
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,0000000C,00000000), ref: 1000D737
              • strlen.MSVCRT ref: 1000D743
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Bad escape sequence in string,00000000,?,0000000C,00000000), ref: 1000D74E
                • Part of subcall function 1000DC43: __EH_prolog.LIBCMT ref: 1000DC48
                • Part of subcall function 1000DC43: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DC60
                • Part of subcall function 1000DC43: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DC82
                • Part of subcall function 1000DC43: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DCA3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,0000000C,00000000), ref: 1000D776
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$H_prologstrlen$?append@?$basic_string@Grow@?$basic_string@
              • String ID: Bad escape sequence in string$Empty escape sequence in string
              • API String ID: 3229954372-928816353
              • Opcode ID: 069b5fa91d06e15c12a688a3c2a8a155cfba4b71d98e45665f5c8f645dd4644a
              • Instruction ID: 317381466a77d711fe03797c2047b72bdeb99255afd0bade8d3ff88a8cc6ede5
              • Opcode Fuzzy Hash: 069b5fa91d06e15c12a688a3c2a8a155cfba4b71d98e45665f5c8f645dd4644a
              • Instruction Fuzzy Hash: CF51A635904249EFFB14EF94C899AED7BB4EB453A0F108007F85AEB194DB349A85DB70
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005561
              • strlen.MSVCRT ref: 1000556A
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 10005577
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10005587
              • strlen.MSVCRT ref: 10005593
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000), ref: 1000559E
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?), ref: 100055CA
              • strlen.MSVCRT ref: 100055D6
              • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(10014050,00000000,00000000), ref: 100055E2
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100055EF
              • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,00000000,?), ref: 1000560F
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 10005624
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000562F
              • memset.MSVCRT ref: 10005646
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,000000C4), ref: 10005656
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,000000C4), ref: 1000566A
                • Part of subcall function 100057A4: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000), ref: 100057C5
                • Part of subcall function 100057A4: strlen.MSVCRT ref: 100057D1
                • Part of subcall function 100057A4: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,?,00000000), ref: 100057DC
                • Part of subcall function 100057A4: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000), ref: 100057F6
                • Part of subcall function 100057A4: strlen.MSVCRT ref: 100057FD
                • Part of subcall function 100057A4: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,?,00000000), ref: 1000580B
                • Part of subcall function 100057A4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,?,?,00000000), ref: 10005831
                • Part of subcall function 100057A4: strlen.MSVCRT ref: 1000583C
                • Part of subcall function 100057A4: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(10014054,00000000,00000000,?,?,00000000), ref: 10005850
                • Part of subcall function 100057A4: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 10005860
                • Part of subcall function 100057A4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,?,?,00000000), ref: 10005889
                • Part of subcall function 100057A4: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000), ref: 100058A2
                • Part of subcall function 100057A4: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 100058AF
                • Part of subcall function 100057A4: atoi.MSVCRT ref: 100058D4
              • InvalidateRect.USER32(?,00000000,00000000,?,?), ref: 10005720
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10005733
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000573E
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$strlen$??0?$basic_string@D@1@@V01@$?find@?$basic_string@$InvalidateRectatoimemset
              • String ID:
              • API String ID: 1946292974-0
              • Opcode ID: 9691942d0c8a03d8efe295a97e97825e23e0c6fac7980ac8708ae9453596c67f
              • Instruction ID: ee7feb244357500a2d4bc573dff50d45fce8efe065c0c22d4c00b48c943511bf
              • Opcode Fuzzy Hash: 9691942d0c8a03d8efe295a97e97825e23e0c6fac7980ac8708ae9453596c67f
              • Instruction Fuzzy Hash: 38412775C01159AFEF05CBE4CC98CEEBB79EF09341F00805AE911A7255DB75AA15CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • strlen.MSVCRT ref: 1000ED16
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014668,00000000,?,?,?,1000EFEF,?,00000000,?,?,?,?,?,?,?), ref: 1000ED24
              • strlen.MSVCRT ref: 1000ED5F
              • strlen.MSVCRT ref: 1000ED75
              • strlen.MSVCRT ref: 1000ED8B
              • strlen.MSVCRT ref: 1000ED9E
              • strlen.MSVCRT ref: 1000EDB1
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,?,?,?,1000EFEF,?,00000000,?,?,?,?,?,?,?), ref: 1000EDD3
              • strlen.MSVCRT ref: 1000EDE0
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014664,00000000,?,?,?,?,1000EFEF,?,00000000,?,?,?,?,?,?,?), ref: 1000EE0C
              • strlen.MSVCRT ref: 1000EE1E
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014668,00000000,?,?,?,1000EFEF,?,00000000,?,?,?,?,?,?,?), ref: 1000EE28
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: strlen$?append@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@
              • String ID:
              • API String ID: 3160329171-0
              • Opcode ID: a80e97a95713ae230f3d1891c0d46978919b9926e729998c03f4d0dd5be7f0c7
              • Instruction ID: b67f6cc6be5c44effaaf14352ec393d11df7dde4be3c3cdff441df2926b2f5a5
              • Opcode Fuzzy Hash: a80e97a95713ae230f3d1891c0d46978919b9926e729998c03f4d0dd5be7f0c7
              • Instruction Fuzzy Hash: AF21B0A56001CC79F514D2559CDADBF129CDB533D9B23002BFE12ED169DEA4ACC050A3
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?,00000000,00000000,0000003C,?,?,?,L$@,00407531,?,?,?,?,L$@,?,00000000), ref: 00407059
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: L$@$`<u`j>up=<u
              • API String ID: 1659193697-198597148
              • Opcode ID: 1e26ed0cbc8b29ae34f018ab8d41f3ddea94a8ef61d41ef370ce32ffacb8c183
              • Instruction ID: 4c756eac2e39c833e173788bc3c619002151299c16291616e501ad2176066af9
              • Opcode Fuzzy Hash: 1e26ed0cbc8b29ae34f018ab8d41f3ddea94a8ef61d41ef370ce32ffacb8c183
              • Instruction Fuzzy Hash: E7E19F72D04205DBCB10CFA8C88459EBBB5FF49310B29817AE901BB390D739BD46DB96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: memset
              • String ID:
              • API String ID: 2221118986-0
              • Opcode ID: dcb80b62fcab9d61982a1c05c0073d71a5c250e443b75543c58208a7cd5df996
              • Instruction ID: 5c970bb4f7a36f11344f2ca0d45f982c4aadf87a229cd14049e41da6554b302a
              • Opcode Fuzzy Hash: dcb80b62fcab9d61982a1c05c0073d71a5c250e443b75543c58208a7cd5df996
              • Instruction Fuzzy Hash: A7510671D00608EFCB10DF99D948AAEBBB4FF48310F11852EE95AAB2A0D7359945CF58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000F71F
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,100146A0,00000000,?,00000000,?,00000001,00000001,00000000,10014688), ref: 1000F763
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000001,00000001,00000000,10014688), ref: 1000F77D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000F78A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000F798
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000F7A6
              • strlen.MSVCRT ref: 1000F7CB
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014428,00000000,?,00000002,00000001,00000000,10014688), ref: 1000F7D6
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000002,?,00000002,00000001,00000000,10014688), ref: 1000F80F
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000002,00000001,00000000,10014688), ref: 1000F81D
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000002,00000001,00000000,10014688), ref: 1000F82B
              • strlen.MSVCRT ref: 1000F835
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014428,00000000,?,00000002,00000001,00000000,10014688), ref: 1000F83F
                • Part of subcall function 1000B55A: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,?,?,?,?,1000F6AD,?,00000000,?,00000000,?), ref: 1000B585
                • Part of subcall function 1000B55A: strlen.MSVCRT ref: 1000B58C
                • Part of subcall function 1000B55A: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,?,?,1000F6AD,?,00000000,?,00000000,?), ref: 1000B596
                • Part of subcall function 1000F856: __EH_prolog.LIBCMT ref: 1000F85B
                • Part of subcall function 1000F856: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F875
                • Part of subcall function 1000F856: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F891
                • Part of subcall function 1000F856: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F8CA
                • Part of subcall function 1000F856: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol,00000000), ref: 1000F8E0
                • Part of subcall function 1000F856: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,?,00000000,?,?), ref: 1000F8F5
                • Part of subcall function 1000F856: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol,00000000), ref: 1000F906
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$V12@$Tidy@?$basic_string@$?append@?$basic_string@$strlen$?assign@?$basic_string@H_prolog$D@2@@0@Grow@?$basic_string@Hstd@@V10@@V?$basic_string@
              • String ID:
              • API String ID: 2615514798-0
              • Opcode ID: 0e38dc48d6d220ad77f33c0c1afb964f26372ce4980c4c6253a61bf60d34fbc1
              • Instruction ID: 79cc85a9a7fecdc5b72e680450f056f1277c9cb3f613da2b8782287ae5818862
              • Opcode Fuzzy Hash: 0e38dc48d6d220ad77f33c0c1afb964f26372ce4980c4c6253a61bf60d34fbc1
              • Instruction Fuzzy Hash: 25418D75900218EBEB09DFA4CC99EEE777DFF08391F104149F512A7291DB74AA04CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SelectObject.GDI32(?,?), ref: 10003D7A
              • SelectObject.GDI32(?,?), ref: 10003DA0
              • FillRect.USER32(?,?,?), ref: 10003DC4
              • SelectObject.GDI32(?,?), ref: 10003DD0
              • MoveToEx.GDI32(?,?,?,00000000), ref: 10003DDF
              • LineTo.GDI32(?,?,?), ref: 10003DEC
              • MoveToEx.GDI32(?,?,?,00000000), ref: 10003E0E
              • LineTo.GDI32(?,?,?), ref: 10003E1B
                • Part of subcall function 10001BFC: #825.MFC42(?,0000000C,?,10004303,0000002C,00000000,00000000), ref: 10001C08
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: ObjectSelect$LineMove$#825FillRect
              • String ID:
              • API String ID: 1846123918-0
              • Opcode ID: 6caa3e351f4c0b9f0caa71cfb22b462c9f03c663dade5fb3011f321f9d4c1e18
              • Instruction ID: 32c309bc9f6efb2ede8d81cf3cf4bd15e3dd6e5056bf73c5f76960bdcf381643
              • Opcode Fuzzy Hash: 6caa3e351f4c0b9f0caa71cfb22b462c9f03c663dade5fb3011f321f9d4c1e18
              • Instruction Fuzzy Hash: 3381E175D00219EFDF05CFE8C9809EEBBB5FF08380F10812AE614A6265D771AA51DF60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000D9DC
                • Part of subcall function 1000DB1F: __EH_prolog.LIBCMT ref: 1000DB24
                • Part of subcall function 1000DB1F: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 1000DB49
                • Part of subcall function 1000DB1F: strlen.MSVCRT ref: 1000DB55
                • Part of subcall function 1000DB1F: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Bad unicode escape sequence in string: four digits expected.,00000000), ref: 1000DB60
                • Part of subcall function 1000DB1F: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000005,?,?), ref: 1000DC39
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,00000001), ref: 1000DA33
              • strlen.MSVCRT ref: 1000DA3F
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(additional six characters expected to parse unicode surrogate pair.,00000000), ref: 1000DA4A
                • Part of subcall function 1000DC43: __EH_prolog.LIBCMT ref: 1000DC48
                • Part of subcall function 1000DC43: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DC60
                • Part of subcall function 1000DC43: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DC82
                • Part of subcall function 1000DC43: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DCA3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,?,?,00000001), ref: 1000DAD8
              • strlen.MSVCRT ref: 1000DAE4
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(expecting another \u token to begin the second half of a unicode surrogate pair,00000000), ref: 1000DAEF
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000005,?,?), ref: 1000DB15
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$H_prologstrlen
              • String ID: additional six characters expected to parse unicode surrogate pair.$expecting another \u token to begin the second half of a unicode surrogate pair
              • API String ID: 1550703880-1961466578
              • Opcode ID: 4bea8a49e459ce72ad3e946d3ca6157c4950a3e1efc6bc6fd7adba58f9c2bd0c
              • Instruction ID: d5a8bd16044713dd40945d9d6e78ca186049c3466763bb70166d11a042bb7bc9
              • Opcode Fuzzy Hash: 4bea8a49e459ce72ad3e946d3ca6157c4950a3e1efc6bc6fd7adba58f9c2bd0c
              • Instruction Fuzzy Hash: 32413B35A00149EFEF04DFA4C854AFE7BB5EF4A390F10802AF96197291CB349A15DB30
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000DB24
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 1000DB49
              • strlen.MSVCRT ref: 1000DB55
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?), ref: 1000DBFC
              • strlen.MSVCRT ref: 1000DC08
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Bad unicode escape sequence in string: hexadecimal digit expected.,00000000), ref: 1000DC13
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Bad unicode escape sequence in string: four digits expected.,00000000), ref: 1000DB60
                • Part of subcall function 1000DC43: __EH_prolog.LIBCMT ref: 1000DC48
                • Part of subcall function 1000DC43: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DC60
                • Part of subcall function 1000DC43: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DC82
                • Part of subcall function 1000DC43: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DCA3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000005,?,?), ref: 1000DC39
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@$H_prologstrlen
              • String ID: Bad unicode escape sequence in string: four digits expected.$Bad unicode escape sequence in string: hexadecimal digit expected.
              • API String ID: 1550703880-3825735986
              • Opcode ID: 4bdbd284c72754491896b11c65e863333b171361bde45fddb430ff86178e1d9b
              • Instruction ID: 5fd4a9da256643b2ed7e01ba9f4aee3f47e6269f33080cd48b990aa09685c845
              • Opcode Fuzzy Hash: 4bdbd284c72754491896b11c65e863333b171361bde45fddb430ff86178e1d9b
              • Instruction Fuzzy Hash: 5941F535900148DFFB14EF58C891AEDB7BAFF49390F10801BE861DB295C7799A49DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000D18C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000001,00000002,?,?), ref: 1000D264
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?,?,?), ref: 1000D271
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,100144E0,?,?,?), ref: 1000D287
              • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,' is not a number.,?,100144E0,?,?,?), ref: 1000D29A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000000,?,00000000,?,?,?,?,?,?), ref: 1000D2BE
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?), ref: 1000D2CD
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?), ref: 1000D2DC
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$?assign@?$basic_string@H_prologV10@V10@@V12@
              • String ID: ' is not a number.
              • API String ID: 3384032380-698141950
              • Opcode ID: a6cbbe458d948d367e05c233918024d646bf75921a4c682e7c15e6e726a9e233
              • Instruction ID: 20d94b9a588d6dc846c67ab5bf32ff1a8b172104e5d2f9f408d84099c3bf07b2
              • Opcode Fuzzy Hash: a6cbbe458d948d367e05c233918024d646bf75921a4c682e7c15e6e726a9e233
              • Instruction Fuzzy Hash: 2561F535D00149EFFF18EBA4C895BEDBBB6EF053D0F10810AE462A3199DB355A48CB21
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000AE2F
              • fputs.MSVCRT ref: 1000AEA3
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000AEB0
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 1000AEC1
              • strlen.MSVCRT ref: 1000AECD
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Type is not convertible to double,00000000), ref: 1000AED8
              • ??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 1000AEE9
              • _CxxThrowException.MSVCRT(?,10011B50), ref: 1000AEF8
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$??0runtime_error@std@@?assign@?$basic_string@D@2@@1@@ExceptionH_prologThrowV12@V?$basic_string@fputsstrlen
              • String ID: Type is not convertible to double
              • API String ID: 1438101501-279886761
              • Opcode ID: d2371925bac898d95816f248b64a23caed0dd1fab0d593e15227d63a2e226e18
              • Instruction ID: 9f854d5330be740d69bb267f0f03d2ce4493c49773a7df0b7232abae2679018d
              • Opcode Fuzzy Hash: d2371925bac898d95816f248b64a23caed0dd1fab0d593e15227d63a2e226e18
              • Instruction Fuzzy Hash: EF21CF71904259EBFB08CBA4CC99EED7B78FB09385F104259E502E6165DB38E984CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000C7CC
              • strlen.MSVCRT ref: 1000C815
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,00000000,?,00000000,?,?), ref: 1000C81F
                • Part of subcall function 1000A304: __EH_prolog.LIBCMT ref: 1000A309
                • Part of subcall function 1000A304: strcmp.MSVCRT ref: 1000A3BF
                • Part of subcall function 1000A304: #823.MFC42(00000010,00000000), ref: 1000A5E8
                • Part of subcall function 1000D187: __EH_prolog.LIBCMT ref: 1000D18C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,?), ref: 1000C865
              • strlen.MSVCRT ref: 1000C871
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Syntax error: value, object or array expected.,00000000), ref: 1000C87C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,00000000), ref: 1000C8A5
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$H_prolog$?assign@?$basic_string@Tidy@?$basic_string@V12@strlen$#823strcmp
              • String ID: Syntax error: value, object or array expected.
              • API String ID: 3266134751-2056301242
              • Opcode ID: eb5822a95d26a89ef1917220fdfd821f8c31db98903d0c4e85188349980fec4e
              • Instruction ID: a401eaed221061da68c315245f656e713baf6dd660ac48e9ec10201dd4ddb23e
              • Opcode Fuzzy Hash: eb5822a95d26a89ef1917220fdfd821f8c31db98903d0c4e85188349980fec4e
              • Instruction Fuzzy Hash: 1251B474D00608ABFB14DBB4C459FEDB7B8EB45390F10811AE526E32D9DF746A05CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000B5D5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,Protocol,00000000), ref: 1000B5F1
              • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(00000400,00000000,?,Protocol,00000000), ref: 1000B60C
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,Protocol,00000000), ref: 1000B636
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,?,Protocol,00000000), ref: 1000B64A
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,Protocol,00000000), ref: 1000B65B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,Protocol,00000000), ref: 1000B674
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$V12@$?assign@?$basic_string@Grow@?$basic_string@H_prolog
              • String ID: Protocol
              • API String ID: 2424781354-834067994
              • Opcode ID: a23f77a40b3fb22b3c4b12f9a66910887c3edb5354bf9491f10fe33cc7aefe39
              • Instruction ID: bce3dbd1d7b1b67e81df53eea5b2f7d246106d6e64c32f0dac73852e079641bf
              • Opcode Fuzzy Hash: a23f77a40b3fb22b3c4b12f9a66910887c3edb5354bf9491f10fe33cc7aefe39
              • Instruction Fuzzy Hash: 8E2150769011A9ABDF05DFE8CC989DEFB78FF59344F04805EE542B3255CA789A08CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #26.ATL(?,?), ref: 004059AB
              • GetDeviceCaps.GDI32(?,00000002), ref: 004059D0
              • LPtoDP.GDI32(?,?,00000002), ref: 004059EB
              • SaveDC.GDI32(?), ref: 004059F4
              • SetMapMode.GDI32(?,00000001), ref: 004059FF
              • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 00405A0D
              • SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 00405A19
              • DeleteDC.GDI32(?), ref: 00405A4D
              • RestoreDC.GDI32(?,000000FF), ref: 00405A5E
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: CapsDeleteDeviceModeRestoreSaveViewportWindow
              • String ID:
              • API String ID: 2747499312-0
              • Opcode ID: 574ab1c063b1674a8d9837d607e6dc0480f3ec85425870293825b37399e95e3b
              • Instruction ID: 06f1755f0770647291c2328536709616ffc9b8fc78b948468782c9634e1cc7a4
              • Opcode Fuzzy Hash: 574ab1c063b1674a8d9837d607e6dc0480f3ec85425870293825b37399e95e3b
              • Instruction Fuzzy Hash: 4A315671900204EBCF149F65EE89E9B7FB5FF85311F0141A9F941AA1A5CB70C964CFA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000CBF5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,00000000,?,1000C7E2,?,00000000,?,?), ref: 1000CC14
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?,?,00000000,?,00000000,?,1000C7E2,?,00000000,?,?), ref: 1000CC23
              • strlen.MSVCRT ref: 1000CC57
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014428,00000000,?,?,00000000,?,00000000,?,1000C7E2,?,00000000,?,?), ref: 1000CC65
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,00000000,?,1000C7E2,?,00000000,?,?), ref: 1000CC77
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD0@Z.MSVCP60(?,?,?,00000000,?,00000000,?,1000C7E2,?,00000000,?,?), ref: 1000CC86
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(-0000002C,00000000,6CE35E04,?,00000000,?,00000000,?,1000C7E2,?,00000000,?,?), ref: 1000CCA2
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,00000000,?,1000C7E2,?,00000000,?,?), ref: 1000CCB0
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$Tidy@?$basic_string@$?append@?$basic_string@?assign@?$basic_string@$H_prologstrlen
              • String ID:
              • API String ID: 2996055543-0
              • Opcode ID: 764e75628c7d5caff93066c98017439abe86bf9fafc2ad0f9cd747d7d49d67b2
              • Instruction ID: 74780509c04e7ebfa2f3082f4f9e5063b4739b970c29c180b43f6d58fe0f39fb
              • Opcode Fuzzy Hash: 764e75628c7d5caff93066c98017439abe86bf9fafc2ad0f9cd747d7d49d67b2
              • Instruction Fuzzy Hash: CA214C35800249EFEB09DFA4C885FEEBB78FF18355F00C119F562A61A0DB749A15CB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #823.MFC42(?,null,?,?,?,1000EF8A,?), ref: 1000C2C1
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,null,?,?,?,1000EF8A,?), ref: 1000C34B
              • #825.MFC42(00000001,null,?,?,?,1000EF8A,?), ref: 1000C35C
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,null,?,?,?,1000EF8A,?), ref: 1000C41A
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,null,?,?,?,1000EF8A,?), ref: 1000C47D
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,null,?,?,?,1000EF8A,?), ref: 1000C4A5
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: V12@$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@$#823#825Tidy@?$basic_string@
              • String ID: null
              • API String ID: 2405360707-634125391
              • Opcode ID: 2c4e414d66d9a9d361faae3e68b87c99be64f4d0a2ecf1ef477077a0a8eee4a3
              • Instruction ID: 15aaea103e59835ec63bcaf74a39f39d6ea17117076b36a42264106258ddfe41
              • Opcode Fuzzy Hash: 2c4e414d66d9a9d361faae3e68b87c99be64f4d0a2ecf1ef477077a0a8eee4a3
              • Instruction Fuzzy Hash: 28715C76600709AFFB18CF58DCC099D7BA2FB842D4B21C52EE8169B259D771FE508B40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • sprintf.MSVCRT ref: 100076A5
              • sprintf.MSVCRT ref: 100076BB
              • sprintf.MSVCRT ref: 100076D0
              • strlen.MSVCRT ref: 100076DD
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 100076EB
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: sprintf$?assign@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@strlen
              • String ID: %d:%02d$%d:%02d:%02d
              • API String ID: 143310023-1969281770
              • Opcode ID: e8d795d1e1c394013c8357614367dce22733e90549e83ac8639399f001fa6b82
              • Instruction ID: 46f191dbd6d80c571dbc13fbfbee2fb20698f06fd4b215a18fdc20b3cca58cae
              • Opcode Fuzzy Hash: e8d795d1e1c394013c8357614367dce22733e90549e83ac8639399f001fa6b82
              • Instruction Fuzzy Hash: 602134B2F005153BF718D6ACDC45ADAB79EFBC82C0F158422F907D6148E936EE108290
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #567.MFC42(00000000,?,00000004,100052B4,?,?,100069B6), ref: 100069CE
              • CreatePen.GDI32(00000000,00000001,00A3A3A3), ref: 10006A40
              • CreateFontA.GDI32(0000000C,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,fahoma), ref: 10006A61
              • CreateSolidBrush.GDI32(00373737), ref: 10006A6F
              • #823.MFC42(0000004C), ref: 10006A7A
              • memset.MSVCRT ref: 10006A9F
                • Part of subcall function 10004273: CreatePen.GDI32(00000000,00000001,001EABD9), ref: 100042A9
                • Part of subcall function 10004273: CreateSolidBrush.GDI32(001EABD9), ref: 100042B3
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: Create$BrushSolid$#567#823Fontmemset
              • String ID: fahoma
              • API String ID: 1576586355-2629960908
              • Opcode ID: b3470fc9a8bf93813c88413b726a2375de445ff078ca36eeb6f7d57058323f35
              • Instruction ID: be99f08e4f33b4fbe602db714a6d47902c35b94fbadf23dc4ca19b504fad5573
              • Opcode Fuzzy Hash: b3470fc9a8bf93813c88413b726a2375de445ff078ca36eeb6f7d57058323f35
              • Instruction Fuzzy Hash: A32151B0905B409EF324CF758885B93BBE4FB08354F504D2EE2EAC6691C774A844CB14
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #800$#2818#540#924
              • String ID: %.2d$000000|
              • API String ID: 1980276660-1620389115
              • Opcode ID: 713e73103ba0dab1fb3c153e323753650233e7dd7d62ef596eb0b3f51ed5d4d4
              • Instruction ID: f46d91d69e946ef479488b5b0c4cc021739328128dccdac0734776b190038fb7
              • Opcode Fuzzy Hash: 713e73103ba0dab1fb3c153e323753650233e7dd7d62ef596eb0b3f51ed5d4d4
              • Instruction Fuzzy Hash: 6E014B7A814109BBDF11DF90CC81DCE7B68EF14284B004154F509A7155EB75EB44DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(?), ref: 10007A6E
              • #2864.MFC42(00000000), ref: 10007A71
              • GetParent.USER32(?), ref: 10007A8A
              • #2864.MFC42(00000000), ref: 10007A8D
              • PostMessageA.USER32(00000000,00000468,?,?), ref: 10007AA5
              • GetParent.USER32(?), ref: 10007AAE
              • #2864.MFC42(00000000), ref: 10007AB1
              • SendMessageA.USER32(00000000,0000046B,00000000,00000000), ref: 10007AC7
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #2864Parent$Message$PostSend
              • String ID:
              • API String ID: 57722276-0
              • Opcode ID: e0a3443f6e34c144d1fddfe0566001ffe915f79618da7b3fa2322f8f8112ba74
              • Instruction ID: e3a725a4f8ebcf0fbe7faa39048daee92897ac79f206a1c045b2ad832875018b
              • Opcode Fuzzy Hash: e0a3443f6e34c144d1fddfe0566001ffe915f79618da7b3fa2322f8f8112ba74
              • Instruction Fuzzy Hash: D4019E71600345BBFF10EBA18C04E8E3BA9FF8A790F018455FA08861A5CB76E420CB22
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateSolidBrush.GDI32(00454545), ref: 10003C00
              • CreateSolidBrush.GDI32(0017D042), ref: 10003C0A
              • CreateSolidBrush.GDI32(000000FF), ref: 10003C14
              • CreateSolidBrush.GDI32(0013E6DA), ref: 10003C1E
              • CreateSolidBrush.GDI32(00F7EB7D), ref: 10003C28
              • CreateSolidBrush.GDI32(000097FF), ref: 10003C32
              • CreateSolidBrush.GDI32(00FFFF57), ref: 10003C3C
              • CreatePen.GDI32(00000000,00000001,00646464), ref: 10003C4A
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: Create$BrushSolid
              • String ID:
              • API String ID: 959564993-0
              • Opcode ID: fdab1efde7c3f3943daa058a4c373ac817fae72586ca6ef59e0359e67faa0e94
              • Instruction ID: 75f9e545ccbba191e4299ffbfbc5bef4f3366b9fa66c7337390732098428aa85
              • Opcode Fuzzy Hash: fdab1efde7c3f3943daa058a4c373ac817fae72586ca6ef59e0359e67faa0e94
              • Instruction Fuzzy Hash: B8010571A40794ABD730AF668C49B07BEF1EF84B51F01482EE1814A9A1D7B9E085CF41
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: DeleteObject
              • String ID:
              • API String ID: 1531683806-0
              • Opcode ID: 02f310227c4e74a78b5900df35aa6d1e293ad055345fe02476b51ee5bcd5f8a5
              • Instruction ID: 5ae0f8644051ebd3e697863598ce32ef754558e38ba0d3a9ee0a735f8e02807c
              • Opcode Fuzzy Hash: 02f310227c4e74a78b5900df35aa6d1e293ad055345fe02476b51ee5bcd5f8a5
              • Instruction Fuzzy Hash: 3CE07D35110BA4AFCB363B26DD09C4BFFB6EFC47103024869E19242934CAB2A855DE51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000D06B
                • Part of subcall function 10009FD4: __EH_prolog.LIBCMT ref: 10009FD9
                • Part of subcall function 10009FD4: #823.MFC42(00000010,?,00000000,?,100062CD,00000000), ref: 1000A020
                • Part of subcall function 1000A304: __EH_prolog.LIBCMT ref: 1000A309
                • Part of subcall function 1000A304: strcmp.MSVCRT ref: 1000A3BF
                • Part of subcall function 1000A2A5: #825.MFC42(?,?,?,1000A66E,?,?), ref: 1000A2D1
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,00000000,00000006,00000002,?,?), ref: 1000D13C
              • strlen.MSVCRT ref: 1000D148
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Missing ',' or ']' in array declaration,00000000,?,?), ref: 1000D153
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,0000000C,00000004,?,?), ref: 1000D17A
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@H_prologU?$char_traits@V?$allocator@$Tidy@?$basic_string@$#823#825?assign@?$basic_string@V12@strcmpstrlen
              • String ID: Missing ',' or ']' in array declaration
              • API String ID: 591590476-1780669529
              • Opcode ID: 1210c95bc25dbd26e7cd1ec50106768328407a27b85b3a1d7916f64c8a8bfdb8
              • Instruction ID: ea700925e0ba1215354e4fd108a999e5537e0aa4375abe3f59ee42714b88085c
              • Opcode Fuzzy Hash: 1210c95bc25dbd26e7cd1ec50106768328407a27b85b3a1d7916f64c8a8bfdb8
              • Instruction Fuzzy Hash: AF31D675A00254EBFF14EBA4C855AEE7BB9EF856D0F00011BE412A7299CF745E06C761
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000F85B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F875
              • ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F891
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F8CA
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol,00000000), ref: 1000F8E0
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,?,00000000,?,?), ref: 1000F8F5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol,00000000), ref: 1000F906
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@V12@$?append@?$basic_string@?assign@?$basic_string@Grow@?$basic_string@H_prolog
              • String ID:
              • API String ID: 997563325-0
              • Opcode ID: b23eb8c04326edabaccc77cf73eb287e5296645f70a992e4d54e13716f26bf68
              • Instruction ID: 2e6155a1d139b489b8cf372b89792f214d3652b80122751c6531fbe9ecf1fe46
              • Opcode Fuzzy Hash: b23eb8c04326edabaccc77cf73eb287e5296645f70a992e4d54e13716f26bf68
              • Instruction Fuzzy Hash: A321C436A002A5AFEF15CF94CC84AEDBBB4FB48390F04845EE892E7650C7749944CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreatePen.GDI32 ref: 100026F9
              • CreatePen.GDI32(00000000,00000001,00FFFFFF), ref: 10002706
              • CreateSolidBrush.GDI32(00E8E8E8), ref: 10002716
              • CreateSolidBrush.GDI32(00FFFFFF), ref: 10002720
              • CreateFontA.GDI32(0000000C,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,fahoma), ref: 1000273D
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: Create$BrushSolid$Font
              • String ID: fahoma
              • API String ID: 1614976225-2629960908
              • Opcode ID: 54e878f6108a8b9a8389acdaad2d61753d1ead898f960b3a7b03e1173ee88758
              • Instruction ID: f4a221a8f86338686aa45d5020bffebabaffe939114f98eb4d83fcd58c178cc3
              • Opcode Fuzzy Hash: 54e878f6108a8b9a8389acdaad2d61753d1ead898f960b3a7b03e1173ee88758
              • Instruction Fuzzy Hash: 311130B1900798AFE7209F668C85E97BBE8FF44754F40492EF68587A90C3B1E844CF60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?,?,00000000,?,10007A31,?,10007C8B,00000000,00000000,?,?,?,?), ref: 100093C6
              • strlen.MSVCRT ref: 100093D1
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,10007C8B,00000000,00000000,?,?,?,?), ref: 100093DF
              • CreateSolidBrush.GDI32 ref: 100093F7
              • CreateFontA.GDI32(0000000C,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000020,fahoma), ref: 1000941F
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: CreateD@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@BrushFontSolidTidy@?$basic_string@V12@strlen
              • String ID: fahoma
              • API String ID: 2949723018-2629960908
              • Opcode ID: 8a707222a91cc39ff7aa3d0590f01be38e5bc717eeab1d99194619993ede4829
              • Instruction ID: b10fb22661f7abf42de1f6b169cbbcf2f8f5267c686023c42cf17f00b8556bef
              • Opcode Fuzzy Hash: 8a707222a91cc39ff7aa3d0590f01be38e5bc717eeab1d99194619993ede4829
              • Instruction Fuzzy Hash: 9301B171201348BFE7158F958C88EABBFA9FF49394F00441AF6419A6A1CBB0E8548B61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #2446.MFC42(?,?,1000538A,?,10005365), ref: 10006AD9
              • DeleteObject.GDI32(?), ref: 10006AE7
              • DeleteObject.GDI32(?), ref: 10006AEC
              • DeleteObject.GDI32(?), ref: 10006AF1
              • #825.MFC42(?,?,?,1000538A,?,10005365), ref: 10006B05
              • #825.MFC42(?,?,?,?,1000538A,?,10005365), ref: 10006B29
              • #818.MFC42(?,?,1000538A,?,10005365), ref: 10006B51
                • Part of subcall function 10004316: DeleteObject.GDI32(?), ref: 10004323
                • Part of subcall function 10004316: DeleteObject.GDI32(?), ref: 10004328
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: DeleteObject$#825$#2446#818
              • String ID:
              • API String ID: 833147213-0
              • Opcode ID: 599ce7163a371070dc0d893d391b8bf562eea3f80f3e30fcdebe1627df3c4610
              • Instruction ID: 5e50b0ed968cb3b52def0ac4c6588c126de63c4938bfe65bd5cfa74f4f21f994
              • Opcode Fuzzy Hash: 599ce7163a371070dc0d893d391b8bf562eea3f80f3e30fcdebe1627df3c4610
              • Instruction Fuzzy Hash: 3201B1362007009BE725EB29DC92A6EB7E7FFC5390726442DE08617225CFB5BC819B51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: strlen$#823H_prologmemcpystrcmp
              • String ID:
              • API String ID: 2114997918-0
              • Opcode ID: c11342e6b66dbeb224e5f076b54e847762efc0f1d2d55b77c6774e9aa4200f0a
              • Instruction ID: affac501b46827e3247234faa122ac02540aea8fb1b88d61f49b8fe3015201b5
              • Opcode Fuzzy Hash: c11342e6b66dbeb224e5f076b54e847762efc0f1d2d55b77c6774e9aa4200f0a
              • Instruction Fuzzy Hash: D6B1B274A00206DFEB14CF68C891AAEB7F5FF453D0F208629E51697299DB71EE81CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #823
              • String ID:
              • API String ID: 3944439427-0
              • Opcode ID: e62acb52e337c10ecd7d8d75138856e3e620cbf3b58514958ea3a5bcdcae43a5
              • Instruction ID: 2b913cc038b9d0d26ef9a3d33959b68638032e2abe12ac3722b4af78761be178
              • Opcode Fuzzy Hash: e62acb52e337c10ecd7d8d75138856e3e620cbf3b58514958ea3a5bcdcae43a5
              • Instruction Fuzzy Hash: 43517C75900605FFFB11CF61C941EAEFBF6FF84290F20801EE50996659DB75AA10DB80
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: ObjectSelect$Polygon
              • String ID:
              • API String ID: 2359164318-0
              • Opcode ID: b798de84ce386ec924f9fa007b52434dd49f9b0523398805d35adcf4ecefec21
              • Instruction ID: 14a89dff52fbf1e56722b80729eb431ae61e354c8683e759e5c61fe40edfce30
              • Opcode Fuzzy Hash: b798de84ce386ec924f9fa007b52434dd49f9b0523398805d35adcf4ecefec21
              • Instruction Fuzzy Hash: FC4127B5D00248EFDB15CFA8C9849DEBBF9FF48350F14852AE515A7254EB31AA46CF10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IntersectRect.USER32(?,?,00000000), ref: 0040558F
              • EqualRect.USER32(?,?), ref: 0040559E
              • OffsetRect.USER32(?,?,?), ref: 004055B7
              • CreateRectRgnIndirect.GDI32(?), ref: 004055C1
              • SetWindowRgn.USER32(?,00000000,00000001), ref: 004055D4
              • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000014), ref: 004055F6
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: Rect$Window$CreateEqualIndirectIntersectOffset
              • String ID:
              • API String ID: 3762251641-0
              • Opcode ID: 4363ac2563547d067efa385a9e6f20c9743f1f4db8967cadebd7b1da89943a1c
              • Instruction ID: 4980950233f5db751a05a46507166720e746d4ca14b2b3f1fae58a9d278f9c18
              • Opcode Fuzzy Hash: 4363ac2563547d067efa385a9e6f20c9743f1f4db8967cadebd7b1da89943a1c
              • Instruction Fuzzy Hash: 47213A71600609AFDB10DF68CA88EABB7B8EF09304B0485A9F905EB254C775ED04CF65
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000F684
                • Part of subcall function 1000B55A: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,?,?,?,?,1000F6AD,?,00000000,?,00000000,?), ref: 1000B585
                • Part of subcall function 1000B55A: strlen.MSVCRT ref: 1000B58C
                • Part of subcall function 1000B55A: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,?,?,1000F6AD,?,00000000,?,00000000,?), ref: 1000B596
                • Part of subcall function 1000F856: __EH_prolog.LIBCMT ref: 1000F85B
                • Part of subcall function 1000F856: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F875
                • Part of subcall function 1000F856: ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F891
                • Part of subcall function 1000F856: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(00000001,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F8CA
                • Part of subcall function 1000F856: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol,00000000), ref: 1000F8E0
                • Part of subcall function 1000F856: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,00000000,?,?,00000000,?,?), ref: 1000F8F5
                • Part of subcall function 1000F856: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,Protocol,00000000), ref: 1000F906
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000000,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F6CD
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,Protocol,00000000), ref: 1000F6DB
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,Protocol,00000000), ref: 1000F6EA
              • strlen.MSVCRT ref: 1000F6F9
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014428,00000000,?,?,?,?,?,?,Protocol,00000000), ref: 1000F703
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$Tidy@?$basic_string@$?append@?$basic_string@$?assign@?$basic_string@H_prologstrlen$Grow@?$basic_string@
              • String ID:
              • API String ID: 3514380549-0
              • Opcode ID: 93d0f06aedb77af4d91d2345894302281da1929ac8b4444f2a8b4b01c4f19612
              • Instruction ID: a79bdb7719a18972a029ca958434a733eed3fe698dd40cf3d1d3efabd3d22faa
              • Opcode Fuzzy Hash: 93d0f06aedb77af4d91d2345894302281da1929ac8b4444f2a8b4b01c4f19612
              • Instruction Fuzzy Hash: 19117376900604AFE718DFA8D8D5AEEB7B9EF48391F108159F512E3290CB78A944C760
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,?,?,?,?,1000F6AD,?,00000000,?,00000000,?), ref: 1000B585
              • strlen.MSVCRT ref: 1000B58C
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,?,?,1000F6AD,?,00000000,?,00000000,?), ref: 1000B596
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000000,?,?,?,?,1000F6AD,?,00000000,?,00000000,?), ref: 1000B5AC
              • strlen.MSVCRT ref: 1000B5B8
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,?,?,1000F6AD,?,00000000,?,00000000,?), ref: 1000B5C2
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?assign@?$basic_string@Tidy@?$basic_string@V12@strlen
              • String ID:
              • API String ID: 3576993065-0
              • Opcode ID: 23aee548bfde49bc0f5a19a17f252ed3f2bad3054e04f5d4132d779b8f7b7e3d
              • Instruction ID: f253606d90fd3bd0a86cfdc98e141143df99c0ff8175cfbc3fb6a23b7cfb80d7
              • Opcode Fuzzy Hash: 23aee548bfde49bc0f5a19a17f252ed3f2bad3054e04f5d4132d779b8f7b7e3d
              • Instruction Fuzzy Hash: A901D43A2011546FEB049F158C15AFEBBA9DF8A761F18804AFD519B341CAB8ED0187E1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • strlen.MSVCRT ref: 1000EE98
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,00000000,?,00000001,1000B62B,?,?,?,Protocol,00000000), ref: 1000EEA2
              • strlen.MSVCRT ref: 1000EEAD
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000,?,00000001,1000B62B,?,?,?,Protocol,00000000), ref: 1000EEB8
                • Part of subcall function 1000F67F: __EH_prolog.LIBCMT ref: 1000F684
                • Part of subcall function 1000F67F: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000000,?,00000000,?,?,?,?,?,?,?,?,Protocol), ref: 1000F6CD
                • Part of subcall function 1000F67F: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,Protocol,00000000), ref: 1000F6DB
                • Part of subcall function 1000F67F: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,Protocol,00000000), ref: 1000F6EA
                • Part of subcall function 1000F67F: strlen.MSVCRT ref: 1000F6F9
                • Part of subcall function 1000F67F: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014428,00000000,?,?,?,?,?,?,Protocol,00000000), ref: 1000F703
                • Part of subcall function 1000EEFB: __EH_prolog.LIBCMT ref: 1000EF00
                • Part of subcall function 1000EEFB: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,?), ref: 1000EF18
                • Part of subcall function 1000EEFB: strlen.MSVCRT ref: 1000EF24
                • Part of subcall function 1000EEFB: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(100146A8,00000000), ref: 1000EF2F
                • Part of subcall function 1000F71A: __EH_prolog.LIBCMT ref: 1000F71F
                • Part of subcall function 1000F71A: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,100146A0,00000000,?,00000000,?,00000001,00000001,00000000,10014688), ref: 1000F763
                • Part of subcall function 1000F71A: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000001,00000001,00000000,10014688), ref: 1000F77D
                • Part of subcall function 1000F71A: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000F78A
                • Part of subcall function 1000F71A: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000F798
                • Part of subcall function 1000F71A: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000F7A6
                • Part of subcall function 1000F71A: strlen.MSVCRT ref: 1000F7CB
                • Part of subcall function 1000F71A: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014428,00000000,?,00000002,00000001,00000000,10014688), ref: 1000F7D6
                • Part of subcall function 1000F71A: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(00000000,00000000,6CE35E04,?,00000002,?,00000002,00000001,00000000,10014688), ref: 1000F80F
                • Part of subcall function 1000F71A: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000002,00000001,00000000,10014688), ref: 1000F81D
                • Part of subcall function 1000F71A: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,00000002,00000001,00000000,10014688), ref: 1000F82B
                • Part of subcall function 1000F71A: strlen.MSVCRT ref: 1000F835
                • Part of subcall function 1000F71A: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014428,00000000,?,00000002,00000001,00000000,10014688), ref: 1000F83F
              • strlen.MSVCRT ref: 1000EEE3
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10014428,00000000,?,?,?,?,00000001,1000B62B,?,?,?,Protocol,00000000), ref: 1000EEED
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$V12@$Tidy@?$basic_string@$?append@?$basic_string@strlen$?assign@?$basic_string@H_prolog$D@2@@0@Hstd@@V10@@V?$basic_string@
              • String ID:
              • API String ID: 2527418902-0
              • Opcode ID: 9aae9984a1af9419277e1c005321a01bb5c54954dd23546237e362df8421d858
              • Instruction ID: ab6e8cbdc96d940c70c5fa0085150602b9ea4bd41210eaf526382830c982138d
              • Opcode Fuzzy Hash: 9aae9984a1af9419277e1c005321a01bb5c54954dd23546237e362df8421d858
              • Instruction Fuzzy Hash: B2F0FC3A2002106BF225DB2A9C99C7FA7BCEFD6A51711451EF412D7351CFB8BC064676
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(?), ref: 10007B89
              • #2864.MFC42(00000000,?,?,?), ref: 10007B8C
              • SendMessageA.USER32(00000000,00000466,?,?), ref: 10007BAC
              • GetParent.USER32(?), ref: 10007BB1
              • #2864.MFC42(00000000,?,?,?), ref: 10007BB4
              • SendMessageA.USER32(00000000,0000046B,00000000,00000000), ref: 10007BCA
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #2864MessageParentSend
              • String ID:
              • API String ID: 1747806277-0
              • Opcode ID: 376c82547a2dda125747f920630aee555c0e9bc981f036b076d241ae2b173458
              • Instruction ID: 4751fde3db31a0815a0575e93d1c1f8ef4eaf1d65b02ffdca4197ce6367c5097
              • Opcode Fuzzy Hash: 376c82547a2dda125747f920630aee555c0e9bc981f036b076d241ae2b173458
              • Instruction Fuzzy Hash: 29F090B2A00211ABEB10ABA1CD45F4B3BA9FF89790F128455FA48E7165C776E810CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #1176#1243Local$AllocFree
              • String ID:
              • API String ID: 2308495640-0
              • Opcode ID: 2b01aaf01d3e0891407358dc9bc2db2d8c9ec8a9a76c8f86cbe62a56970d91a4
              • Instruction ID: d8c6934d40a96b44377980430814b4eb65e0f0390fb89f6a298ac4a36a8a9f53
              • Opcode Fuzzy Hash: 2b01aaf01d3e0891407358dc9bc2db2d8c9ec8a9a76c8f86cbe62a56970d91a4
              • Instruction Fuzzy Hash: 1FE01235A05311BAF610D770DD4DB5A66D4DB013D5F23C419F545A98B9CB70E880D7E2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: Paint$BeginClientRectmemset
              • String ID: <
              • API String ID: 3731648824-4251816714
              • Opcode ID: 2850909523c749cced3f4308f562a236eb6ac6b6b77c43256d2d7960cc7c0c81
              • Instruction ID: 4889c06cee4ec790136e6d711d2c9ea406b40a3f0842a2509289cf55fd3200c2
              • Opcode Fuzzy Hash: 2850909523c749cced3f4308f562a236eb6ac6b6b77c43256d2d7960cc7c0c81
              • Instruction Fuzzy Hash: 85110A72900508AFDB10DF98D944F9EBBF8FF48320F50846AE955E7290DBB4A905CF64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • sprintf.MSVCRT ref: 1000EC81
              • strlen.MSVCRT ref: 1000EC8B
              • strlen.MSVCRT ref: 1000ECD0
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,1000EFD9,?), ref: 1000ECDE
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: strlen$?append@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@sprintf
              • String ID: %#.16g
              • API String ID: 314243773-1598837462
              • Opcode ID: 7cbcd1186600686358d137341759cb326cb5a4f5a490d2c4a80f2ae50bbcc200
              • Instruction ID: a4008e6a9734a5b609532f0ab4180f503ac29c28918a3082fe96abdd88db8139
              • Opcode Fuzzy Hash: 7cbcd1186600686358d137341759cb326cb5a4f5a490d2c4a80f2ae50bbcc200
              • Instruction Fuzzy Hash: 0101227190018E9EFF04CBA0DC59EDE77BDEB083C4F540465E006E2086CA38ED45C362
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • Rectangle.GDI32(?,?,?,?,?), ref: 004038EE
              • SetTextAlign.GDI32(?,0000001E), ref: 004038F9
              • lstrlenA.KERNEL32(ATL 3.0 : Plugin), ref: 00403905
              • TextOutA.GDI32(?,?,?,ATL 3.0 : Plugin,00000000), ref: 00403927
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: Text$AlignRectanglelstrlen
              • String ID: ATL 3.0 : Plugin
              • API String ID: 3833488612-1771386320
              • Opcode ID: fe842cc958422468173fc6052aa42cf41bf1c2937d3bcff5540ce89c067f4f3b
              • Instruction ID: 8800c70889eb8fa0abeddbd6fee0f83196f408a23362534557cb867a1233fde6
              • Opcode Fuzzy Hash: fe842cc958422468173fc6052aa42cf41bf1c2937d3bcff5540ce89c067f4f3b
              • Instruction Fuzzy Hash: CDF0F976100A02AFC7118F68EE49D47BBBAFF483113058929F696E2561C731F864DF64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #31.ATL(?,?,00408AA8), ref: 00404E3A
              • #31.ATL(?,?,00408A48), ref: 00404E68
              • OleCreatePropertyFrame.OLEAUT32(?,?,?,?,00000001,?,?,?,?,00000000,00000000), ref: 00404EB9
              • CoTaskMemFree.OLE32(?), ref: 00404EC5
              • CoTaskMemFree.OLE32(?), ref: 00404ED3
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: FreeTask$CreateFrameProperty
              • String ID:
              • API String ID: 1721221822-0
              • Opcode ID: ede879c220b433454bf9cc28453ed137ef9f08b0e557d60f1087559d34452b06
              • Instruction ID: 2bdc4b2ab73a5c4588edffedde3f15932fb12ca7a530dcf6551b6deef28615bb
              • Opcode Fuzzy Hash: ede879c220b433454bf9cc28453ed137ef9f08b0e557d60f1087559d34452b06
              • Instruction Fuzzy Hash: 1851ABB5A00209AFCF10DFD4C9889AEB7B9FF88304B64447AE605FB290C7799D45DB54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SelectObject.GDI32(?,?), ref: 10004440
              • SelectObject.GDI32(?,?), ref: 1000444B
              • Polygon.GDI32(?,?,00000003), ref: 100044BD
              • SelectObject.GDI32(?,00000001), ref: 100044DD
              • SelectObject.GDI32(?,?), ref: 100044E5
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: ObjectSelect$Polygon
              • String ID:
              • API String ID: 2359164318-0
              • Opcode ID: 8a4ecdc1c4c2b12cca76e2e705e15715935956facc24268044a274e39893ce51
              • Instruction ID: 6fc7269ee816e8f996e188b8c705ba3f91b6303ba80f97253b588c48afcaf901
              • Opcode Fuzzy Hash: 8a4ecdc1c4c2b12cca76e2e705e15715935956facc24268044a274e39893ce51
              • Instruction Fuzzy Hash: 60415B75D00209EFDB15DFA8C980AEEBBF1FF48384F128429E805A7215DB31AA55DF54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnterCriticalSection.KERNEL32(0042A72C), ref: 004039B2
              • LoadRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004039D5
              • #30.ATL(?,?,?,?), ref: 00403A2C
              • LeaveCriticalSection.KERNEL32(0042A72C), ref: 00403A7E
              • #58.ATL(0042A710,00403A9E), ref: 00403A8F
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: CriticalSection$EnterLeaveLoadType
              • String ID:
              • API String ID: 178205823-0
              • Opcode ID: af46fb47a9ae73d49cb2453a25e7f712f361b41966adbf0d36b135ef7ac2d7eb
              • Instruction ID: 816b9577b4c5ef524b411b563d7ee22de72b87f40fc1843742ee72ff783b0ac9
              • Opcode Fuzzy Hash: af46fb47a9ae73d49cb2453a25e7f712f361b41966adbf0d36b135ef7ac2d7eb
              • Instruction Fuzzy Hash: 4F312C74B00208EFCB00DFA5C988D5ABBBAEF88745724846AF44AE7250D775DE41CF58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 0040627F
              • GetWindowLongA.USER32(?,000000FC), ref: 00406295
              • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 004062A9
              • GetWindowLongA.USER32(?,000000FC), ref: 004062C2
              • SetWindowLongA.USER32(?,000000FC,?), ref: 004062D1
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: Window$Long$CallProc
              • String ID:
              • API String ID: 513923721-0
              • Opcode ID: c1f8a630223b0dd7d6d7e8a17a5620c64ae9860803a039d53032eb5db19240ae
              • Instruction ID: acba594f74b53fc9cf627038c303f4e695c70a176b149c832386ca66daf67895
              • Opcode Fuzzy Hash: c1f8a630223b0dd7d6d7e8a17a5620c64ae9860803a039d53032eb5db19240ae
              • Instruction Fuzzy Hash: 64312075500609EFCF21DF44D94489BBBB5FF48320B10862EF89AA76A0D730EA51DF54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000B396
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?), ref: 1000B40B
              • strlen.MSVCRT ref: 1000B414
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 1000B421
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?), ref: 1000B43F
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$?assign@?$basic_string@H_prologV12@strlen
              • String ID:
              • API String ID: 4019369772-0
              • Opcode ID: 307e27bb2d79934ab3e6ac2d97fb74daec7558809b6dff9029912ff4bc3ec97d
              • Instruction ID: d79f3383d96a4383c982437aa78d0087cf6ce64f92de056f5aa36b7c3cd800f4
              • Opcode Fuzzy Hash: 307e27bb2d79934ab3e6ac2d97fb74daec7558809b6dff9029912ff4bc3ec97d
              • Instruction Fuzzy Hash: 9D312575901189EFDB05DFA8C4909EDFFB4FF18250F14805EE545A7266CB30AA84CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #2379.MFC42 ref: 10006D8F
              • GetParent.USER32(?), ref: 10006D97
              • #2864.MFC42(00000000), ref: 10006D9E
              • SendMessageA.USER32(?,0000046B,00000000,00000000), ref: 10006DB8
              • InvalidateRect.USER32(?,00000000,00000001), ref: 10006E3E
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #2379#2864InvalidateMessageParentRectSend
              • String ID:
              • API String ID: 4185294222-0
              • Opcode ID: 3a6cc22956311152a48e983a5315f82ca508f0b651369bd65ef45f8d6029e97d
              • Instruction ID: 718c70957cefc39b658402927c3025b7bdf8b1140069fb760300f3c513fde2c9
              • Opcode Fuzzy Hash: 3a6cc22956311152a48e983a5315f82ca508f0b651369bd65ef45f8d6029e97d
              • Instruction Fuzzy Hash: 15214C79600355AFEB14DF60CC94CAE77ABFF49280B104829F942472A9DA32FC61DB10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #823.MFC42(00000024,?,?,00000000,?,?,?,100089FF,?,10007EE7,?,00000000,?), ref: 1000904B
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,?,?,?,100089FF,?,10007EE7,?,00000000,?), ref: 10009065
              • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,?,?,?,100089FF,?,10007EE7,?,00000000,?), ref: 1000908F
              • #825.MFC42(?,?,?,00000000,?,?,?,100089FF,?,10007EE7,?,00000000,?), ref: 1000909D
              • #823.MFC42(00000024,?,?,00000000,?,?,?,100089FF,?,10007EE7,?,00000000,?), ref: 100090AB
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #823Lockit@std@@$#825??0_??1_
              • String ID:
              • API String ID: 2469163743-0
              • Opcode ID: 11ecbe2db2fd6be9408a2daa280ca8b09dd6c60cdc6806eb3a6d78fd78ae5b5c
              • Instruction ID: cf7c8d0e6364c1f50b7c1e045f95b1488f817a4416beec8168ab02ad5c765d14
              • Opcode Fuzzy Hash: 11ecbe2db2fd6be9408a2daa280ca8b09dd6c60cdc6806eb3a6d78fd78ae5b5c
              • Instruction Fuzzy Hash: A31169B2804315EFE700CF99D9C9989FBF4FB09351B52C16EE009972A0EBB1A940CF80
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #823.MFC42(00000018,?,?,00000000,?,?,?,10003090), ref: 1000388A
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,?,?,?,10003090), ref: 100038A4
              • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,?,?,?,10003090), ref: 100038CE
              • #825.MFC42(?,?,?,00000000,?,?,?,10003090), ref: 100038DC
              • #823.MFC42(00000018,?,?,00000000,?,?,?,10003090), ref: 100038EA
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #823Lockit@std@@$#825??0_??1_
              • String ID:
              • API String ID: 2469163743-0
              • Opcode ID: 59922e297b7b059e3e9fee0e211d155b6e41137bed9f488b9a95504750482a9f
              • Instruction ID: 1bbc358bd1f36699c8849435843264dbb4cde955b713690948e4ce10f4a5efb4
              • Opcode Fuzzy Hash: 59922e297b7b059e3e9fee0e211d155b6e41137bed9f488b9a95504750482a9f
              • Instruction Fuzzy Hash: 85111BB1810615EFE704CF99D9C5999BBF8FB05354B21C16EE00997265DBB0AA40CF91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #823.MFC42(00000030,00000000,?,00000000,00000000,00000000,?,1000A047,?,00000000,?,100062CD,00000000), ref: 1000BE09
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(00000000,?,00000000,00000000,00000000,?,1000A047,?,00000000,?,100062CD,00000000), ref: 1000BE23
              • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,00000000,00000000,00000000,?,1000A047,?,00000000,?,100062CD,00000000), ref: 1000BE4D
              • #825.MFC42(?,?,00000000,00000000,00000000,?,1000A047,?,00000000,?,100062CD,00000000), ref: 1000BE5B
              • #823.MFC42(00000030,?,00000000,00000000,00000000,?,1000A047,?,00000000,?,100062CD,00000000), ref: 1000BE69
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #823Lockit@std@@$#825??0_??1_
              • String ID:
              • API String ID: 2469163743-0
              • Opcode ID: 33cb63c086c00c850e6be600382d1e4fee9c9e70e004caa1fece9ba3dcd9fcab
              • Instruction ID: 9311f66f2eb31389f21a8d839a7e2d7f585c7dfc52dd35ca93f860874d338b65
              • Opcode Fuzzy Hash: 33cb63c086c00c850e6be600382d1e4fee9c9e70e004caa1fece9ba3dcd9fcab
              • Instruction Fuzzy Hash: 5D1121B1820255EFE704CF99D9C5989BBF4FB08361B25C16FE10997261EB71AD40CF54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000F60B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,00000001), ref: 1000F625
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z.MSVCP60(?,00000020), ref: 1000F631
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04), ref: 1000F64B
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000F65A
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$Tidy@?$basic_string@$?append@?$basic_string@?assign@?$basic_string@H_prolog
              • String ID:
              • API String ID: 1152215417-0
              • Opcode ID: 18b5c9c22de95bc83b17e6b91c950efa944afeb8c56a33c2fb66d07456e06071
              • Instruction ID: b89ea757d0b2b8a50dbdd65179562990ed5427e4e63152a583e1d22b3918cc32
              • Opcode Fuzzy Hash: 18b5c9c22de95bc83b17e6b91c950efa944afeb8c56a33c2fb66d07456e06071
              • Instruction Fuzzy Hash: B7018136900258EFEF18DB94CC89BDCBBB4FB48710F004158E152E32E0CB78A504CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: DeleteObject
              • String ID:
              • API String ID: 1531683806-0
              • Opcode ID: 78934d3e5e6261d00cea73b685990a0bd95bf8cc792443889fc90ea1f70aa763
              • Instruction ID: b2daaaf8d97dec45f2534d4a01817eb52a5de6ad1174fd666270faea0c4c3e49
              • Opcode Fuzzy Hash: 78934d3e5e6261d00cea73b685990a0bd95bf8cc792443889fc90ea1f70aa763
              • Instruction Fuzzy Hash: B8E0EC351006A49BCB363B26DD05C4BBFA6EFC47103020429F18242934CAB2A851DE50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: String$??2@Free
              • String ID: `<u`j>up=<u
              • API String ID: 3858531411-1785617870
              • Opcode ID: 3480721a1dc3eef5b1de57fd6aa442ba199ec56abf562f6f6ff2539834e3966e
              • Instruction ID: ecef6b9a86d87025ee4ca0ca29bfbe18a36e8ac1640fd05991f607fc61e2b0e1
              • Opcode Fuzzy Hash: 3480721a1dc3eef5b1de57fd6aa442ba199ec56abf562f6f6ff2539834e3966e
              • Instruction Fuzzy Hash: 70418F75600605EFCB14CF99D884DAABBB9FF8830971046AEE806DB351D735FA05CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • sprintf.MSVCRT ref: 10009501
              • strlen.MSVCRT ref: 1000950B
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000000,?,?,?,?), ref: 1000951B
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: ?assign@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@sprintfstrlen
              • String ID: %d:%02d:%02d
              • API String ID: 2365837166-2047876065
              • Opcode ID: 62675475e4ce9c4414f1d0d1522380b554b4ce2130c3d62fc66c24ff39dada19
              • Instruction ID: a770490737f76fbf2ed895702726a3e70e600aeb593d5a6068379e9a2eb69d35
              • Opcode Fuzzy Hash: 62675475e4ce9c4414f1d0d1522380b554b4ce2130c3d62fc66c24ff39dada19
              • Instruction Fuzzy Hash: EA11E477A001046FE704DAB8CD55AEAB7AFEB8D250F144436E202D71A4D671E9158761
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,grid,00000000,?,?,10007F1A,?), ref: 10008904
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,10007F1A,?), ref: 10008917
                • Part of subcall function 10008C90: ??Mstd@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(10008930,?,?,?,?,?,?,?,10008930,?,?,?,?,10007F1A,?), ref: 10008CB5
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,10007F1A,?), ref: 1000893D
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@V12@$?assign@?$basic_string@D@2@@0@0@Mstd@@V?$basic_string@
              • String ID: grid
              • API String ID: 1152675676-773904695
              • Opcode ID: 656235b49419d539869ed5f4cc2c56939e67047bb8e7f38fc7a472c840b5cfae
              • Instruction ID: 8aefa052788c609a40502180a4019439bc4c93ee0d44bb606b86b17fed2d630a
              • Opcode Fuzzy Hash: 656235b49419d539869ed5f4cc2c56939e67047bb8e7f38fc7a472c840b5cfae
              • Instruction Fuzzy Hash: 1E013C35900219AFDB04DF94C885FEEBBB8EF18340F008055E551E7291D778AA15CFA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • strlen.MSVCRT ref: 1000ECF9
              • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(true,00000000,?,1000F002,?,00000000), ref: 1000ED05
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: ?append@?$basic_string@D@2@@std@@D@std@@U?$char_traits@V12@V?$allocator@strlen
              • String ID: false$true
              • API String ID: 188033960-2658103896
              • Opcode ID: 5c4e6bcf9516ffe8a04f91e5bf467046514ca3ca8c01fa731fadb6c37e42d869
              • Instruction ID: e52ce2ca248375c5ce0a3a09473732fc6cf7e9bdb706dda4e61231f896433fda
              • Opcode Fuzzy Hash: 5c4e6bcf9516ffe8a04f91e5bf467046514ca3ca8c01fa731fadb6c37e42d869
              • Instruction Fuzzy Hash: 68D012369092F176F305D258E888ADF2A88DF4A3E0F9640A9F854A7165CE789DC143DA
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: Focus$ChildShowWindow
              • String ID:
              • API String ID: 2299317540-0
              • Opcode ID: d62b16eae0e7e72b5695b89486190ded03821304acff081350c2b3e5dd62e7a7
              • Instruction ID: 3171bff0368a30ec3c4e0e62d8ae9f22c23680cbc1314456e4990d118ff9754b
              • Opcode Fuzzy Hash: d62b16eae0e7e72b5695b89486190ded03821304acff081350c2b3e5dd62e7a7
              • Instruction Fuzzy Hash: B2A12B71A00605AFCB24DF94C988A6FB7B9FF89704B14486DE646EB290CB35ED41CF54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000B9D9
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,?,?), ref: 1000BA29
              • ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 1000BC40
              • #825.MFC42(?,?), ref: 1000BC53
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: Lockit@std@@$#825??0_??1_H_prolog
              • String ID:
              • API String ID: 1282909303-0
              • Opcode ID: 50eda951138ece4d1c46575ab9914ee6cfaf3c63c4f7f77911beb151b9b01a4e
              • Instruction ID: 637dd82a389aa2b111a10acd0a45b7635919d4987ae441ac073eb0eab38e79b0
              • Opcode Fuzzy Hash: 50eda951138ece4d1c46575ab9914ee6cfaf3c63c4f7f77911beb151b9b01a4e
              • Instruction Fuzzy Hash: 22B103B4A00A06CFD715CF04C190969B7F2FF893A0B2185ADD45A9B76AD771EC82CF44
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(10008851,?,00000000,10008851), ref: 10008DC3
              • ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 10008FD2
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10008FDF
              • #825.MFC42(?), ref: 10008FE6
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: Lockit@std@@$#825??0_??1_D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
              • String ID:
              • API String ID: 1729743287-0
              • Opcode ID: e9fc79abcf05b28f1f95ecef6e2dcc8b41ede5e11e44a8072a344142300eabf3
              • Instruction ID: 3c0019a44c9292e9c1e98aa0f8b2b80e80f2527c86046a2721dc54975e657be1
              • Opcode Fuzzy Hash: e9fc79abcf05b28f1f95ecef6e2dcc8b41ede5e11e44a8072a344142300eabf3
              • Instruction Fuzzy Hash: 90B103B4600642DFD715CF14C190919BBF2FF8838572186ADD49A8B76ADB31EE42CF44
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ??2@YAPAXI@Z.MSVCRT ref: 0040658A
              • InterlockedIncrement.KERNEL32(0042A724), ref: 004065AB
              • ??2@YAPAXI@Z.MSVCRT ref: 004065DE
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: ??2@$IncrementInterlocked
              • String ID:
              • API String ID: 4270603835-0
              • Opcode ID: d9c199939269fda27c3394f6f65bb0933be5f79195f3c3dbfa81259a77eaec7b
              • Instruction ID: c12b31144ee1561667aec5ce3b4bc8eab83bffe9ede3d7ab695e04ff4cf3f143
              • Opcode Fuzzy Hash: d9c199939269fda27c3394f6f65bb0933be5f79195f3c3dbfa81259a77eaec7b
              • Instruction Fuzzy Hash: 3031E171600200EFCB11EF99DA41A1DBBA0EB84754B22843FF502BB3C1CA79DE11CB99
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: mallocmemset
              • String ID:
              • API String ID: 2882185209-0
              • Opcode ID: f85a3cf82cb868b592c7a7e4619c55ebed77ff714ea4343218fe1d41f4c75a11
              • Instruction ID: 527830cd513fb068f2aa82ff188fe9001129d65574cc2687624450e401c20578
              • Opcode Fuzzy Hash: f85a3cf82cb868b592c7a7e4619c55ebed77ff714ea4343218fe1d41f4c75a11
              • Instruction Fuzzy Hash: 11215B716006019FD7308F18C901B26B7E5EF94B54F22883EE5D7AB380E679A8658B5D
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(?), ref: 0040527A
              • GetFocus.USER32 ref: 004052A5
              • IsChild.USER32(00000000,00000000), ref: 004052AD
              • SetFocus.USER32(00000000), ref: 004052B8
                • Part of subcall function 00404F61: ShowWindow.USER32(?,00000005,?,?), ref: 004050A6
                • Part of subcall function 00404F61: GetFocus.USER32 ref: 004050AC
                • Part of subcall function 00404F61: IsChild.USER32(?,00000000), ref: 004050B8
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: Focus$Child$ParentShowWindow
              • String ID:
              • API String ID: 4211443192-0
              • Opcode ID: e17280f7c3652306f15e7b521fb9aecfc4ae9168862636c4bd6c350d1c0a9503
              • Instruction ID: 4be0fbea81a77fa42287c90ae6cd823c9b7455ecafce768389c6b113fad8e96b
              • Opcode Fuzzy Hash: e17280f7c3652306f15e7b521fb9aecfc4ae9168862636c4bd6c350d1c0a9503
              • Instruction Fuzzy Hash: BD119435204E119FDB205628CD09B2B77A4DF86725F1489BEF952F22E0C778E8418F19
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: sprintf$strcmp
              • String ID: %04ld%02ld%02ld%02ld%02ld%02ld
              • API String ID: 3685447290-3710984312
              • Opcode ID: 90d6b730ae3f23679963324e895847e542a4b3e9763843b50409db42207681dc
              • Instruction ID: 77b69bb67926f112fcdbb3c5e0aa72c8a0e90b98b57e1093a7c6fe8bba84dfd5
              • Opcode Fuzzy Hash: 90d6b730ae3f23679963324e895847e542a4b3e9763843b50409db42207681dc
              • Instruction Fuzzy Hash: 9F115432400214BEEF028B98CC09FEB7BBAFF48304F1905B9E208AB022D7339115DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ??2@YAPAXI@Z.MSVCRT ref: 00402EBF
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,?,?,?,004010C3), ref: 00402ED9
              • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,00000000,?,?,?,004010C3), ref: 00402F03
              • ??2@YAPAXI@Z.MSVCRT ref: 00402F1F
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: ??2@Lockit@std@@$??0_??1_
              • String ID:
              • API String ID: 1660098694-0
              • Opcode ID: d186df8fc6f1b530ddc8b7dbd51471534866938baa0e95728f60e5d9912ff5e3
              • Instruction ID: 7d8da64078a1881ab9edde71d85fffdcea330956737a8d79d7f61b058d0534a6
              • Opcode Fuzzy Hash: d186df8fc6f1b530ddc8b7dbd51471534866938baa0e95728f60e5d9912ff5e3
              • Instruction Fuzzy Hash: 1C115BB1900204EFC710DF4AEA85959FBF8FB08354B54817FE449A72A1DBB0AA41DF99
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __EH_prolog.LIBCMT ref: 1000DC48
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DC60
              • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z.MSVCP60(?,00000000,6CE35E04,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DC82
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,?,?,?,?,00000002,?,?), ref: 1000DCA3
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@V12@$?assign@?$basic_string@H_prolog
              • String ID:
              • API String ID: 1625498910-0
              • Opcode ID: f2c0ca352ba1f3de1caca0daca94403fc10dfafccd786ea63eaff1741b366426
              • Instruction ID: ccb8abbb9e6ce8f5716975a8ffe5ec81414a2b8f267c8dc7027e69a42b0f4451
              • Opcode Fuzzy Hash: f2c0ca352ba1f3de1caca0daca94403fc10dfafccd786ea63eaff1741b366426
              • Instruction Fuzzy Hash: BE011A36901259EFDF05DFA8CC85BDEBB74FF09314F008159E911AB291DB74AA19CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTimeAxesModule.TIMEAXESDLL ref: 00401469
              • SetWindowLongA.USER32(?,000000FC,Function_000014CB), ref: 004014A2
              • SetWindowLongA.USER32(?,000000EB,?), ref: 004014AF
              • DefWindowProcA.USER32(?,?,?,?), ref: 004014C0
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: Window$Long$AxesModuleProcTime
              • String ID:
              • API String ID: 3096039173-0
              • Opcode ID: 7f3c411ccfa527f74a745a814a7c0598591d53245cd7dd167391d62de40386e6
              • Instruction ID: eb9f1d08d7a92c7a4e143ea2409bacc92631914ba4c517d0687a6ef1244aa8b5
              • Opcode Fuzzy Hash: 7f3c411ccfa527f74a745a814a7c0598591d53245cd7dd167391d62de40386e6
              • Instruction Fuzzy Hash: 5F011A31104700EFDB619F61DD08F46BBE2EF85314F11492EF696561B0CBB16810CF16
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DeleteObject.GDI32(?), ref: 10003F32
              • CreateSolidBrush.GDI32(?), ref: 10003F4A
              • DeleteObject.GDI32(?), ref: 10003F57
              • CreatePen.GDI32(00000000,00000001,?), ref: 10003F73
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: CreateDeleteObject$BrushSolid
              • String ID:
              • API String ID: 3774184680-0
              • Opcode ID: 6ff37b3ce1d2b53eb69c67946819f41dcf2c5fd07d25b7467af558a26d5eda01
              • Instruction ID: ac6b4594936dc9b2cf88e7eb33951a361f9579c44cca44b3af7378679e74dab0
              • Opcode Fuzzy Hash: 6ff37b3ce1d2b53eb69c67946819f41dcf2c5fd07d25b7467af558a26d5eda01
              • Instruction Fuzzy Hash: 2B01A4349043D95FEB568F68CC486EBBFE8EF0C282F008865FD95D2211D1B0D5919B30
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #825.MFC42(?,?,?,?,?,?,?,1000A2D0,?,?,1000A66E,?,?), ref: 1000B767
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,1000A2D0,?,?,1000A66E,?,?), ref: 1000B77A
              • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,1000A2D0,?,?,1000A66E,?,?), ref: 1000B798
              • #825.MFC42(00000000,?,1000A2D0,?,?,1000A66E,?,?), ref: 1000B7A3
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #825Lockit@std@@$??0_??1_
              • String ID:
              • API String ID: 2095439190-0
              • Opcode ID: a5489e42aa34ebdda60e5cfed8e9436e8575ce6938907e6fc27a863fc38f9e24
              • Instruction ID: dbc7289bed9c185f08fd79d083aa71b208a61bba8ce75de0701f23993e77d1f6
              • Opcode Fuzzy Hash: a5489e42aa34ebdda60e5cfed8e9436e8575ce6938907e6fc27a863fc38f9e24
              • Instruction Fuzzy Hash: 82F04F72424A20DFE718DF44D989A9A73E8EB40762F10811DE40AA6154EF71AE00CB94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #825.MFC42(?,?,?,?,00000001,?,?,10008851), ref: 10008968
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,00000001,?,?,10008851), ref: 1000897B
              • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,10008851), ref: 10008999
              • #825.MFC42(00000000,?,10008851), ref: 100089A4
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #825Lockit@std@@$??0_??1_
              • String ID:
              • API String ID: 2095439190-0
              • Opcode ID: e6c60dd0eadfeaf28a8661eae1aef14f8bc602b73fd7af2c445be9a719784e80
              • Instruction ID: 36cbfe30bcc3ac6e01ff9e0179a4d562bf746918f6737b1ffc6ee8240bd53c25
              • Opcode Fuzzy Hash: e6c60dd0eadfeaf28a8661eae1aef14f8bc602b73fd7af2c445be9a719784e80
              • Instruction Fuzzy Hash: A5F06272514620DFE719DB54DD49B9A73ECFB15752F018019E44AA31A4EB70BE00CF95
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 1000368F: #825.MFC42(?,?,?,?,?,?,?,10003738,?,?,?,?,10003130), ref: 100036C8
              • #825.MFC42(?,?,?,?,?,?,?,1000313F), ref: 100033CC
              • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,1000313F), ref: 100033DF
              • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?,?,1000313F), ref: 100033FD
              • #825.MFC42(00000000,?,?,?,1000313F), ref: 10003408
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #825$Lockit@std@@$??0_??1_
              • String ID:
              • API String ID: 3320149174-0
              • Opcode ID: d254dd5cab9412aa4132176437cbe4312682ce3dd1b0e5f6ae8adb4a0c2fddb7
              • Instruction ID: 4313f3a88cde15716c70df5f2dbd0bcdf60aac7c999fade4a6463f7e439482a8
              • Opcode Fuzzy Hash: d254dd5cab9412aa4132176437cbe4312682ce3dd1b0e5f6ae8adb4a0c2fddb7
              • Instruction Fuzzy Hash: C3F06D72510A24AFE719DB84D986B9A73ECEB05765F11C118E40AA7168DFB0BE00CB94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #2864MessageParentPostmemset
              • String ID:
              • API String ID: 2555467147-0
              • Opcode ID: 8c25a24e9e084d74d98a6a3a4555b074efa5a90f32438ff592cc55fa06279293
              • Instruction ID: a4ac74b26f4dbfde6045f9d43be96d747c561cc46b8a09f9c578d63706a24a65
              • Opcode Fuzzy Hash: 8c25a24e9e084d74d98a6a3a4555b074efa5a90f32438ff592cc55fa06279293
              • Instruction Fuzzy Hash: 53F05476600701ABE6109B649C85F8777ECFF49741F008819F68997145C775E411C762
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,0040331D), ref: 00403291
              • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,0040331D), ref: 004032A4
              • CloseHandle.KERNEL32(?,?,?,?,0040331D), ref: 004032BD
              • PostThreadMessageA.USER32(?,00000012,00000000,00000000), ref: 004032CD
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: ObjectSingleWait$CloseHandleMessagePostThread
              • String ID:
              • API String ID: 3386540786-0
              • Opcode ID: e950fce8a980abd223abc0c9ee82fb67b8a670460436aa5b42a613a94b3e6da9
              • Instruction ID: d711ac2ae9573446c438a4d6838b626cfb2819bcc43f4998cc7ddbd90d8c4ad1
              • Opcode Fuzzy Hash: e950fce8a980abd223abc0c9ee82fb67b8a670460436aa5b42a613a94b3e6da9
              • Instruction Fuzzy Hash: 74F08C71101704AFEB302B21AD44E97BF68EB81365F00C67EE1EAA21A0CE311D59EB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: strcmp
              • String ID: HidePolygon$ShowOneTime
              • API String ID: 1004003707-2429807990
              • Opcode ID: ba4dd61b778ba8f8c616046cfcc715b266228d2224f52fa611dc4458e3d22cde
              • Instruction ID: 704328dc23784157c66d0eec09aa7aa7b41ae5a8be1182b8f8ca986d489a2896
              • Opcode Fuzzy Hash: ba4dd61b778ba8f8c616046cfcc715b266228d2224f52fa611dc4458e3d22cde
              • Instruction Fuzzy Hash: 87E0D83200CF8194F731D2B0AC14BC7AFC1DB552B4F31085FE59D65096DBB5E4848221
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(?), ref: 10006D59
              • #2864.MFC42(00000000), ref: 10006D60
              • SendMessageA.USER32(00000000,0000046B,00000000,00000000), ref: 10006D76
              • #2379.MFC42 ref: 10006D7E
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #2379#2864MessageParentSend
              • String ID:
              • API String ID: 283253294-0
              • Opcode ID: 48a99d7ba1a157c4ae2d140d36697d30cadbaf277ab390b9da5c6786ddf4111d
              • Instruction ID: 6a580764b877646c6a2ac37ed85858c38657261e0c01755c943513c021e553cb
              • Opcode Fuzzy Hash: 48a99d7ba1a157c4ae2d140d36697d30cadbaf277ab390b9da5c6786ddf4111d
              • Instruction Fuzzy Hash: 14D05E76600221ABF6149770CC0AF5A3669EB09B40F028516F641DB2A8DEB1E8518759
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #43.ATL(0042A710,?), ref: 0040630B
              • CreateWindowExA.USER32(?,00000000,?,?,?,?,?,?,?,00000000,?,?), ref: 00406354
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID: @
              • API String ID: 716092398-2766056989
              • Opcode ID: 129c1e61318cc5de5b1c52829c531ffa865653debea165b6d076cb3aa1eb497a
              • Instruction ID: 292e4cb849a55f570ca124aa9eb9d87d47a46365aabfc82a6f80a8f896bca783
              • Opcode Fuzzy Hash: 129c1e61318cc5de5b1c52829c531ffa865653debea165b6d076cb3aa1eb497a
              • Instruction Fuzzy Hash: 8F010C75100119AFDF148F55DD08EAB3FA9EB48314F058169FD09632A0C778DC65DBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1650700156.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000006.00000002.1650684384.0000000000400000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650716727.0000000000408000.00000002.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650734298.000000000040A000.00000004.00000001.01000000.00000007.sdmp
              • Associated: 00000006.00000002.1650757098.000000000042B000.00000002.00000001.01000000.00000007.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_400000_TimeGridEXE.jbxd
              Similarity
              • API ID: FreeString
              • String ID: `<u`j>up=<u
              • API String ID: 3341692771-1785617870
              • Opcode ID: b57ab5ad67703d76ec35459278e08de42f7f8c828fe4480fd0ef7504d8ed89d2
              • Instruction ID: b07d2f5f188e0ca733bd3347cd6e4179d51dc749ff33ed7dfec438d93583f71c
              • Opcode Fuzzy Hash: b57ab5ad67703d76ec35459278e08de42f7f8c828fe4480fd0ef7504d8ed89d2
              • Instruction Fuzzy Hash: 05F046333401804AC3322A48E908BDBB7A89F95380B04043FF9C5B31F1CA796885831C
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: #825D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
              • String ID: FramePen
              • API String ID: 1946397132-2179547198
              • Opcode ID: 07fe2e05ea1f5b6da5b8c2ccaeb4bdde49969d9f00aa5c7e3b86f2ee289e1ac3
              • Instruction ID: 1fbe2e9d2f917f40e6c3cc7cdc0f23068e3a4702b2daafe00eb5f78c1eb76457
              • Opcode Fuzzy Hash: 07fe2e05ea1f5b6da5b8c2ccaeb4bdde49969d9f00aa5c7e3b86f2ee289e1ac3
              • Instruction Fuzzy Hash: 97E0D8372042219FE324CB58DCC489DF365FB8D3F1712802AF5A5931A5CB71BC408B90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,Protocol,100064D9,Protocol), ref: 100064ED
              • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,Protocol,100064D9,Protocol), ref: 100064F8
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.1659612064.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
              • Associated: 00000006.00000002.1659590126.0000000010000000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659635364.0000000010011000.00000002.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659648882.0000000010014000.00000004.00000001.01000000.00000008.sdmp
              • Associated: 00000006.00000002.1659690378.0000000010016000.00000002.00000001.01000000.00000008.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_10000000_TimeGridEXE.jbxd
              Similarity
              • API ID: D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
              • String ID: Protocol
              • API String ID: 208242559-834067994
              • Opcode ID: 0ecd3a6dcb7e6464a1a575dafdaa8fd8274565e32d87175cecbc44b6e67ad4c3
              • Instruction ID: 5d4972481ce8c30d1cbd0abcde5a8dfceb254a4ae52871ad0da2d53cce06b143
              • Opcode Fuzzy Hash: 0ecd3a6dcb7e6464a1a575dafdaa8fd8274565e32d87175cecbc44b6e67ad4c3
              • Instruction Fuzzy Hash: DBE01A31200E108BF664D721DC597EA73A2FB89786F20441DE1438A9DCDFB4B9C5CB86
              Uniqueness

              Uniqueness Score: -1.00%